Only 2% of Workers Can Access Company Data Within a Week – But Why?

Why Trust Techopedia

A new report shows that less than 2% of workers can access sensitive and classified data in less than a week — with 69% having to wait more than a month.

Even more shockingly, some workers reported having to wait three to six months to get the data they needed, according to a report by Protegrity, which has been focused on data collection for nearly 30 years.

Techopedia sat with experts to understand the figures, how they fit into the current data-driven revolution, and whether there is a problem accessing ‘need to know’ information.

Key Takeaways

  • A vast majority of organizations struggle to access sensitive data within a reasonable timeframe – with some workers waiting months.
  • Fragmented data storage and complex regulations create access hurdles, especially when data has not been anonymized.
  • Compliance, while necessary, put huge costs around distributing or analyzing data.
  • Techniques like de-identification and pseudonymization can facilitate secure data access without compromising privacy.

The State of the Data-Driven World

The concept of creating a data-driven culture is not new, gaining force during the global cloud migration and transformation of working across the COVID-19 pandemic years.

But the Protegrity report, “The State of Data Security Optimization and Monetization”, revealed a large percentage of workers find it incredibly difficult and time-consuming to access data from their organization.

600 CIOs, CTOs, CISOs, heads of data and data managers were surveyed from organizations employing 1,000+ people across the U.S. and the UK, from sectors including airlines, banking, retail, pharmaceutical, insurance, and telecommunications.

Exploding costs and compliance complexities were considered factors in why businesses struggle to keep up with the pace of innovation.


Deploying generative AI is also problematic as it takes time to effectively train, customize, or develop AI applications that can scour through data on behalf of companies and working.

Techopedia asked Nathan Vega, Vice President of Solutions Strategy at Protegrity, to elaborate on the specific reasons why only 2% of organizations can access sensitive data in less than a week.

“The reason that it takes so long for sensitive data access to be granted is that businesses are using a legacy data strategy that results in processes driven by ticketing systems and delivered through manual intervention.”

Vega explained that businesses have deployed a “Fort Knox” data security strategy that is outdated for today’s modern enterprises.

“Fort Knox is surrounded by a perimeter, sensors, guard stations, guards, gates, doors, and locked vaults. All designed to keep the gold safe, but data isn’t like the gold in Fort Knox.

“Data, unlike gold, needs to move inside and outside of the business, going to the public cloud, third-party platforms, customers, and data consumers.”

According to Vega, in a Fort Knox setup, workers who need valuable business data must put in an IT ticket that in turn kickstarts a manual process. Often, sensitive information then needs to be redacted to prevent risks.

“This process is repeated over and over again. This is a strategy and process issue,” Vega said.

Data Hold Back: Root Problems and Consequences

Techopedia spoke with Davi Ottenheimer, VP of Trust and Digital Ethics for Inrupt — an enterprise software company founded by Sir Tim Berners-Lee, the inventor of the World Wide Web.

“The limited accessibility to sensitive data within organizations, with only 2% able to achieve it within a week, stems from a combination of technological constraints, inefficient processes, stringent compliance requirements, and organizational culture.”

Ottenheimer explained that data silos, legacy systems, centralized architectures, authorization procedures, and regulatory compliance obligations all contribute to delays in accessing critical information.

“Real-world examples in industries like healthcare, finance, and government highlight the impact on productivity, missed opportunities, and compliance risks for workers and leaders,” Ottenheimer added.

“Resolving this challenge demands a holistic approach that integrates technological innovation, streamlined processes, compliance adherence, and a cultural shift toward prioritizing data accessibility and security.”

Inverting the Model: De-Identified Data and Compliance

According to Vega from Protegrity, the solution is to invert the model. Companies should start by de-identifying sensitive data using pseudonymization as recommended by the European Data Protection Board and approved by The Court of Justice of the European Union.

Additionally, de-identified data retains data utility for analytical operations but ensures that Personally Identifiable Information (PII) is not viewable.

Vega added:

“When implemented, access to sensitive data can be automated because the data is not considered to contain PII unless reidentified.”

Following this process not only allows for automation, but also gives organizations the ability to safely move sovereign citizen data out of the E.U. to central processing to third parties and a wider audience of data consumers who want to generate business value from it.

Vega said that de-identifying sensitive data allows for data analysis to be outsourced to cheaper data developers, data engineers, and data scientist resources.

“Our large insurance customer saved $100 million using this model.”

Vega added that systems containing payment card information (PCI) data that have been tokenized are considered out-of-scope for a PCI-DSS audit, which saves a large credit rating organization $40 million a year.

“A top five bank in the U.S. established self-service data protection that deidentified customer data, allowing it to be sent to third-party processors for optimizing marketing offers. This saved them $20 million in costs for replicating IT infrastructure in local data centers.”

Balancing Data Security and Innovation: Encryption and Tokenization

Arti Raman, CEO and founder of Portal26 — working to help organizations adopt GenAI — spoke to Techopedia about the balance between data security and innovation.

“Rather than stagnating innovation, organizations can take important steps to secure their AI training data pipelines via encryption and tokenization and invest in AI visibility solutions that provide in-depth monitoring for AI usage.”

Raman explained that both of these steps would ensure that data across internal networks are secure even in the age of AI.

Additionally, Raman warned that large language models (LLMs) like ChatGPT are widely available to the public, and even if a company does not embrace it, its workers might be using it anyway, effectively as Shadow AI.

“By empowering data security through AI governance and employee education and training, organizations suddenly gain the ability to audit AI usage across the company, identify where security policies may not have stopped data leakage, and ensure employees are equipped with the tools necessary to harness GenAI tools responsibly.”

“Balancing data security and AI isn’t hard — it’s the future,” she added.

The Greatest Global Compliance Roadblocks

It is no secret that regulations have finally caught up with technology companies and today affect almost every organization in some way around the world.

For example, the Global AI Law and Policy Tracker of the International Association of Privacy Professionals is currently tracking new AI laws developing in Europe, China, Canada, Australia, Bangladesh, Indonesia, Israel, the U.K., the U.S., and many other countries.

However, these new AI laws are nothing but the tip of the iceberg, with new data laws and existing regulations becoming an overwhelming total.

Techopedia spoke to Steve Leeper, VP of Product Marketing at Datadobi —  a data management company — about the specific compliance regulations that are causing the biggest bottlenecks for organizations trying to access and utilize sensitive data.

“The main reason for delays will likely be internal Governance, Risk, and Compliance (GRC) policies. These are structured to ensure that sensitive information is only available to those that need it and that there is a lineage trail meaning a trail showing what the data was used for and why.”

Leeper added that externally, laws such as the E.U. GDPR can also require significant resources and time for compliance.

“In the case of the right to be forgotten those requests must be processed within one month with either confirmation of the data deletion or a request refusal (which of course, must have a supporting reason),” Leeper said.

Vega from Protegrity said the dimension of the problem is severe, with nearly 75% of the world’s population under a privacy law — many of which emulate the GDPR’s data sovereignty requirements.

To make matters worse, Vega explained that data security responsibility usually falls on one of the business’s smallest teams, slowing application teams down to a crawl and putting them in endless security review cycles.

“This increases costs and complexity by making businesses duplicate their infrastructure or pay for in-country data processing to comply.

“We had a prospect who spent $3 million a year paying a third-party processor to send dividend payments to Canadian citizens because their data cannot be brought into a US data center for processing [unless de-identified].”

A Different Perspective: Factoring Compliance Benefits

Ottenheimer from Inrupt shared a different view of the matter and warned that compliance benefits are not being factored in.

“The greater bottleneck risk for organizations ends up being found in areas with an absence of robust compliance regulations to prevent data misuse, abuse, and exposure, which can lead to severe consequences, including breaches, identity theft, financial fraud, and reputational damage,” Ottenheimer said.

“We can’t just optimize for availability without also recognizing bottlenecks that are caused by failing at privacy.”

Ottenheimer explained that while compliance regulations may introduce certain bottlenecks in availability, they ultimately play the opposite role in removing even greater bottlenecks by safeguarding data privacy, security, and integrity.

“If you think of security as integrity, then data-driven decision-making without integrity sounds crazy. It’s more a question of how we balance privacy against knowledge.


“The world builds its best systems when it is directed towards values that constrain it against optimizing in dangerous and unhealthy directions. In that sense, compliance is the mother of innovation.”

The Bottom Line

Our data-driven world thrives on accessible, actionable information. Yet, a critical gap exists between the desire for data-fueled decision-making and the reality for many businesses. The challenges organizations face in accessing and leveraging valuable data are serious.

Studies reveal a troubling truth. A vast majority of workers grapple with obtaining sensitive data within a reasonable timeframe. This sluggish access creates a bottleneck, hindering productivity and innovation.

Fragmented data storage, existing in isolated silos, creates access hurdles. Additionally, complex compliance regulations add another layer of difficulty, further impeding data utilization.

While solutions exist, restricted access to critical information has a ripple effect. Businesses miss out on opportunities, and the development of essential technologies, like AI, grinds to a halt.

To overcome challenges and bridge the data accessibility gap techniques like pseudonymization can anonymize sensitive data, facilitating secure access without compromising privacy. Furthermore, encryption and tokenization offer a powerful one-two punch. They ensure data security in the age of AI, allowing businesses to leverage this transformative technology with confidence.

The path forward is clear. By embracing modern security practices, streamlining compliance procedures, and fostering a data-driven culture, businesses can unlock the true potential of their information assets. This will allow them to navigate the data-driven future with confidence, leaving the days of data inaccessibility behind.


Related Reading

Related Terms

Ray Fernandez
Senior Technology Journalist
Ray Fernandez
Senior Technology Journalist

Ray is an independent journalist with 15 years of experience, focusing on the intersection of technology with various aspects of life and society. He joined Techopedia in 2023 after publishing in numerous media, including Microsoft, TechRepublic, Moonlock, Hackermoon, VentureBeat, Entrepreneur, and ServerWatch. He holds a degree in Journalism from Oxford Distance Learning and two specializations from FUNIBER in Environmental Science and Oceanography. When Ray is not working, you can find him making music, playing sports, and traveling with his wife and three kids.