New DataGrail research finds companies could spend upwards of $400K/year complying with data privacy laws, doubling the 2020 cost


This is the time to get real about data privacy management. Consumers are demanding more understanding of how their personal information is used, which causes tremendous headaches and costs for a wide range of businesses.

For some context, the landmark California Consumer Privacy Act (CCPA) came into force in January 2020. It was the first law of its kind on the books in the United States, and it gave consumers very basic options for data privacy through data subject requests (DSRs), which allow customers to access, modify or delete their personal information from a company’s systems, as well as do-not-sell (DNS) requests, which prevent companies from selling their information to third parties. Now we have two years of data showing how consumers are exercising their rights and how the law has affected the entities responsible for fulfilling these requests.

This is really important data, given that the CCPA is about to be upgraded with the passage of the California Privacy Rights Act (CPRA), which adds another layer of complexity: the “do not share” component. In addition, Colorado and Virginia have recently enacted their own data privacy laws, and other states are expected to follow. As these new pieces of legislation roll out, we can expect an extension of what is happening with the CCPA, especially if companies do not nail down their privacy management strategies.

Diving into the data

To gain an understanding of CCPA’s impact on businesses, DataGrail analyzed how many DSRs were processed across its customer base between 2020 and 2021. DataGrail researchers examined the comprehensive data set to identify the main privacy trends. At the highest level, here’s what we found:

  • Businesses are asked to process almost twice as many privacy rights requests as they did in 2020. Total data privacy requests (access, modify and delete requests) increased from 137 per 1 million identities to 266 requests. This is expected to increase as more states enact privacy laws, as companies now see DSRs from every state, not just from California residents.
  • The cost of DSR processing increased from $192,000 per million identities per year to about $400,000 per million identities. To put this in perspective, California alone has approximately 39 million inhabitants.
  • The rate of deletion requests specifically, where businesses are asked to permanently and completely erase user information from their systems, has almost doubled, from an estimated 43 deletion requests per million identities in 2020 to 84 per million identities in 2021, which adds more and more to companies’ costs.
  • In addition to the rapidly growing number of requests, companies are struggling to figure out where to find all of their customer data. Because many organizations have integrated numerous third-party SaaS apps into their systems, they often lose track of data. Up to 50% of Shadow SaaS apps (i.e. third-party consumer applications accessed via the Internet or software not supported by the company’s IT department that may have been downloaded by an employee).

The big picture: what it means for your business

Our researchers found that the more active customers were in the first year of CCPA, the more engaged they were in how they wanted to handle their data in the second year. Not only did the number of data subject requests increase, but people went to great lengths to remove their data, and anyone who has ever completed a deletion request can attest that it is more difficult to complete than a simple data subject request. This trend is expected to continue as consumers become more aware of data privacy issues and their rights. This is a big deal for companies because of the costs and manpower involved in fulfilling privacy requests.

For example, Gartner research suggests that businesses spend approximately $1,524 to process a data subject request. Multiply this number by the number of requests received and it becomes a very large line item in the budget.

Our research team also found that the employee(s) assigned to execute data subject requests spent 2-4 months (60-130 hours) maintaining CCPA compliance when requests are processed manually. At a time when the supply of talent is low, do companies really want to devote so much time and energy to privacy management? They have to do something right now because their systems are not equipped to handle such requests, and running them across the spectrum of applications feels like finding a needle in a haystack.

This points to a bigger problem. If companies are already spending millions of dollars and hundreds of employee hours to complete data privacy requests for California residents, and they are having significant difficulty identifying and retrieving user information from the applications they use, what will happen when more states roll out privacy laws, California’s laws become stricter, and even more consumers choose to exercise their data privacy rights? Companies are facing a data privacy tsunami and they need to get religion on data privacy management very quickly. Otherwise the cost and resource drain will be overwhelming.

Where do you go from here

This is a new world, where data privacy needs to be integrated at every level of business. For quality data privacy management programs, cross-functional teams need to hash out the details of what is collected, why and how it is used. From there, it’s very easy to get your tech stack in order. Learn what data each app stores and how it connects to the vast web of each user’s profile. It is advisable to take the months before CPRA and additional laws come into force to prepare. Companies don’t want to get caught without preparation.

Automation will also be key. With technology that can provide a holistic view of data and where it resides, and that can automate repetitive processes such as DSR management, DSRs can be processed more completely and in a fraction of the time without straining human resources. Building a quality privacy operations center that can scale to meet the evolving demands of new regulations can save millions of dollars and countless hours each year.

Companies that embrace privacy rights and prioritize developing functional privacy management systems will be the undisputed winners of this new era. Those who do not plan wisely and fail to pay attention to the changing landscape will be left behind, stuck with big fat bills and the loss of customers’ trust.

Daniel Barber is the CEO and co-founder of DataGrail.
