Data security and privacy should be the foundation that lets your data programme move faster, not the brake pedal that keeps it cautious. Yet across organisations benchmarked on the Meridian framework, the average Data Security & Privacy score sits at just 3.1 out of 5.0. That's a middling result — enough to pass an audit, but rarely enough to enable confident, large-scale data use. For data leaders and CDOs, the gap between 3.1 and 4.5 is often where competitive advantage lives.
If your security and privacy posture is mature, your teams ship faster, your regulators trust you more, and your business stakeholders stop treating data requests as risk events. If it isn't, the symptoms are usually visible — you just have to know where to look. Here are five signs your data programme is being held back by gaps in security and privacy, and what to do about them.
When data scientists or product teams have to wait six to twelve weeks for a privacy impact assessment on every new project, your controls aren't scaling. Mature organisations pre-classify datasets, pre-approve common patterns, and embed privacy-by-design templates into their delivery process. If your DPO is the bottleneck on every initiative, you're not protecting the business — you're starving it.
Consider Gartner's finding that organisations with automated privacy controls deliver analytics projects up to 40% faster than those relying on manual reviews. The difference isn't risk appetite; it's operational design.
Access governance is the single most common weakness in scoring at the 3.1 level. The symptoms are familiar:
If a regulator, auditor, or board member asked tomorrow which employees can read your customer PII tables, and the answer requires more than a query, your access model is holding you back. Worse, it's almost certainly inhibiting cloud migration, data mesh adoption, and external data sharing.
Organisations stuck around 3.1 typically house privacy entirely within legal or compliance. That's appropriate for interpretation of regulation, but it's the wrong home for operational controls. Mature data programmes treat consent, purpose limitation, retention, and subject rights as product features — owned by engineering, instrumented, and measurable.
Ask yourself: can your team produce, on demand, a report showing how many customer records were processed last month for each documented purpose? If that question generates blank stares, privacy hasn't moved from policy to practice.
A 3.1 organisation typically applies a uniform security baseline across all data — encryption at rest, role-based access, audit logging. That's a floor, not a strategy. Genuinely mature programmes apply tiered controls calibrated to data classification:
Take the free 13-pillar assessment and get a sector benchmark, pillar scores, and a 90-day action plan.
Start Free Assessment →