Companies face a variety of obstacles in their attempts to manage and ensure the privacy of their customer and user data, according to survey results released Wednesday by data privacy provider Integris Software.

Among the 258 businesses and IT decision makers surveyed, 45% admitted that they have to access at least 50 different data sources to determine where sensitive data resides. Further, an inventory of personal data is taken just once a year by 27% of respondents, every two years by 1%, in response to an audit or other event by 10%, and not at all by 6%. Of those that perform real-time inventories, 81% said they were very or extremely confident about their company’s ability to understand where personal data is held. But of those who don’t inventory their data in real time, only 40% expressed the same levels of confidence.

“If you’re not taking a real-time inventory of personal data across all data source types, then you’re going to have huge blind spots when it comes to knowing what sensitive data is sitting in your organization,” Integris CEO Kristina Bergman said in a press release. “Point-in-time knowledge is obsolete within a day due to the constantly changing nature of data in a hyper-connected world.”

Many companies use a hodgepodge of methods to inventory personal data. A full 81% of respondents said they use data loss prevention or other data security tools to keep track of personal information. But 77% said they still use manually-updated spreadsheets and surveys to track personal information, while 61% rely on custom scripts.

Only 17% of respondents said they include all five common data types in their privacy practices: Structured data (Oracle, SQL, other databases), unstructured data (Google Drive, email, etc.), semi-structured data (XML and JSON), cloud-based applications (Salesforce, Workday, etc.), and data in-motion (data flowing into a data lake, out of a Hadoop cluster, etc.).

The risks and fallibilities of data sharing agreements were brought to light by the fiasco with Facebook and Cambridge Analytica. Some 40% of respondents said they had 50 or more data sharing agreements with other entities. Of those, 66% said they were very or extremely confident in their own company’s ability to comply with the agreements. But only 46% expressed confidence in the ability of their partners to maintain compliance.

Given the challenges involved in data privacy, 81% of respondents said they believe companies risk losing customers due to inadequate data privacy practices, while 55% said that companies risk losing their own employees for the same reason. Some 79% said they believe a federal privacy law should be enacted.

There were some bright spots culled from the survey. A full 80% of respondents said they have a dedicated budget to manage data privacy, with most reporting an increase in those budgets pegged for 2019. Some 90% said their company has a data privacy awareness program, while 93% said their company has a process to identify and address data privacy risks.

Sent to top business executives and IT decision makers in February, the survey elicited responses from 258 people, all of whom said they were at least “somewhat knowledgeable” about how data privacy and data security are managed at their company. To be included in the study, the respondents had to have roles in IT, general management, or risk and compliance, and be mid-level professionals or higher. More than a third of respondents said that privacy management was part of their primary role.