New DataGrail research finds companies could spend upwards of $400K/year complying with data privacy laws, doubling the 2020 cost

It’s time to get real about data privacy management. Consumers are demanding more insight into how their personal information is being used, which is causing tremendous headaches and expense for a wide range of businesses.

For some context, the landmark California Consumer Privacy Act (CCPA) went into effect in January 2020. This was the first law of its kind on the books in the United States that gave consumers very basic options for data privacy through data subject requests (DSRs), which allow consumers to access, modify or delete their personal information from a company’s systems, as well as to make do not sell (DNS) requests to prevent companies from selling their information to third-parties. Now, we have two years’ worth of data to draw upon to see how consumers are exercising their rights and how the law has impacted the organizations tasked with fulfilling these requests. 

This is really important data, given that CCPA is about to get an upgrade with the passage of the California Privacy Rights Act (CPRA), which adds another layer of complexity — the “do not share” component. Additionally, Colorado and Virginia recently enacted their own data privacy laws, and other states are expected to follow. As these new pieces of legislation are rolled out, we can expect an amplification of what’s happening with CCPA, especially if companies don’t get their privacy management strategies nailed down.

Diving into data

To get a sense of CCPA’s impact on businesses, DataGrail analyzed how many DSRs were processed throughout 2021 and 2020 across its customer base. DataGrail researchers examined what’s happened across a broad data set to spot key privacy trends. At a high level, here’s what we found:

• Businesses are being asked to process nearly double the number of privacy rights they processed in 2020. Total data privacy requests — access, modify, and delete requests —  jumped from 137 to 266 requests per 1 million identities. This is expected to increase as more states enact privacy laws, as companies are now seeing DSRs from every state — not just California residents

• The cost of processing DSRs jumped from $192,000 per one million identities to roughly $400,000 per one million identities year-over-year. To put this in perspective, there are approximately 39 million residents of California alone.

• The volume of deletion requests specifically, where businesses are asked to permanently and completely erase user information from their systems, nearly doubled as well, going from approximately 43 deletion requests per one million identities in 2020 to 84 per one million identities in 2021, further increasing companies’ costs.

• In addition to the rapidly increasing number of requests, companies are struggling with where to find all of their consumers’ data. Because so many organizations have integrated numerous third-party SaaS apps with their systems, they are frequently missing data. in up to 50% of shadow SaaS apps (i.e. third-party consumer apps accessed by the Internet or software not supported by the company’s IT department that was perhaps downloaded by an employee).

The big picture: What it means for your business

Our researchers learned that as active as consumers were in the first year of CCPA, they were even more engaged with how they wanted their data handled in year two. Not only did the number of data subject requests soar, but people went to great lengths to delete their data — and anyone who has ever completed a deletion request can attest to it being much harder to complete than a simple data subject request. This trend is only expected to continue as consumers become more aware of data privacy issues and their rights. It’s a big deal for companies because of the costs and human power associated with completing privacy requests.

For example, Gartner research suggests that businesses spend approximately $1,524 dollars to process a single data subject request. Multiply this number by the number of requests received and that becomes a very big line item on the budget. 

Our research team also found that the employee(s) tasked with executing data subject requests spent 2-4 months (60-130 hours) sustaining CCPA compliance when processing requests manually. At a time when talent is in short supply, do companies really want to devote that much employee time and energy to privacy management? Right now they kind of have to because their systems are ill-equipped to handle such requests; and executing them across the entire spectrum of applications can feel like looking for a needle in a haystack.

Which hints at the larger problem. If companies are already spending millions of dollars and hundreds of personnel hours to fulfill data privacy requests for California residents, and they are having significant difficulties identifying and untangling their user information from all of the applications they leverage, what’s going to happen when more states roll out privacy laws, California laws get stricter, and even larger numbers of consumers opt to exercise their data privacy rights? Companies are facing a data privacy tsunami and they need to find religion on data privacy management very quickly. Otherwise the cost and resource drain will be overwhelming.

Where do you go from here?

This is a new world, where data privacy has to be integrated at every level of the business. A quality data privacy management program requires cross-functional teams hashing through the details of what’s collected, why and how it’s used. From there, it is much easier to get your tech stack in order. Know what data each application stores and how it connects to the massive web of each user’s profile. It is well worth taking the next several months before CPRA and additional legislation goes into effect. Companies don’t want to be caught unprepared.

Automation will also be key. With technology in place that can provide a holistic view of data and where it lives, that can automate repetitive processes — like DSR management — DSRs can be processed more completely and in a fraction of the time without tying up human resources. Building a quality privacy operations center that can scale to meet the evolving demands of new regulations can save millions of dollars and countless hours every year.

The companies that embrace privacy rights and prioritize developing functional privacy management systems will be the undisputed winners of this new era. Those that don’t plan accordingly and fail to pay attention to the changing landscape will be left behind, stuck with a big fat bill and the loss of consumer trust as the only things to show for it.

Daniel Barber is CEO and cofounder of DataGrail.