Report Spotlights Privacy Access Requests
A study of consumers’ data privacy habits suggests that people are growing more possessive of their privacy rights, which in turn is driving up the compliance costs for businesses trying to meet those privacy demands.
So says a report released Wednesday by DataGrail, a software firm that helps companies automate their privacy compliance processes. The report found that the pace of “data subject access requests” — that is, people formally requesting that a company do something with the data it has collected about them — soared 246 percent in the last three years, to an average of 859 “DSARs” per 1 million records that a company holds.
Meanwhile, the cost of fulfilling those DSARs is rising too. Research firm Gartner has estimated the cost of manually fulfilling a single DSAR at $1,400 a few years ago and more than $1,520 today. Do the math, and that implies that a company could easily spend more than $1 million responding to these requests.
Granted, DataGrail sells software to help companies lower those costs through automation, so we should digest these report findings with that commercial interest in mind. Still, the broad conclusions in this report feel right. Namely, as privacy laws proliferate and give more consumers more rights to see the data collected about them, more people will exercise those rights. That means higher compliance costs for companies, and you’ll need to lower those costs somehow.
DSARs first came into vogue in 2018 with the EU General Data Protection Regulation. Then came the California Consumer Privacy Act and privacy laws in several other states, all granting their own versions of DSARs; and now to make matters even more complicated, the recently proposed American Privacy Rights Act allows DSARs too.
Privacy compliance teams will need to find a sustainable solution to all that.
Who Is Requesting What
The DataGrail report examined the DSARs submitted to 125 companies (all DataGrail customers) that collectively held 700 million customer records. The average company received 859 DSARs per 1 million records last year, up from 349 in 2021.
Figure 1, below, shows exactly what those data subjects were requesting about their data. That’s important to know because the nature of their requests dictates the compliance capabilities your business would need to have.
For example, to honor a customer’s request for deletion of data, you’ll need strong data mapping capabilities to identify exactly where all their personal data is; scraps of relevant data might reside in various parts of your corporate enterprise. On the other hand, if the customer only wants to add his or her name to a Do Not Sell list, then you’ll need strong processes to ensure that the marketing team keeps that customer’s name off-limits.
As a bonus headache, DataGrail also found that many consumers are now automating their Do Not Sell requests, thanks to new services such as Global Privacy Control, which automatically broadcasts your privacy intentions to websites you visit. California already requires companies to honor those automated opt-out requests; Colorado will follow suit with a new data privacy law going into effect on July 1, and presumably other jurisdictions will follow. DataGrail analyzed more than 5,000 websites to check how businesses respond to GPC signals. It found that 75 percent of websites did not honor do-not-sell requests via GPC.
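Honoring an automated GPC opt-out is a small piece of request handling, and the 75 percent non-compliance figure above suggests it is often simply not wired in. The following is an added example (not code from the article or from DataGrail) of what that wiring looks like on the server side. The header name `Sec-GPC`, its required value `1`, and the `/.well-known/gpc.json` resource come from the GPC specification; the `Request` model, the in-memory `OptOutRegistry`, and the sample requests are constructed for illustration and stand in for whatever web framework and datastore a real deployment uses.

```python
"""Honoring a Global Privacy Control (GPC) opt-out signal on the server side.

Added example; not code from the article or from DataGrail. The header name
`Sec-GPC` (value exactly "1") and the well-known resource
`/.well-known/gpc.json` come from the GPC specification. The Request model,
the in-memory OptOutRegistry and the sample requests are constructed.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Request:
    client_id: str   # constructed: the account or cookie id the site already uses
    headers: dict    # raw request headers, any letter case


def gpc_signal_present(headers: dict) -> bool:
    """Return True only when the request carries `Sec-GPC: 1`.

    The specification defines the header value as the single character "1".
    Header names are matched case-insensitively because HTTP treats them that
    way; any other value ("0", "true", "") counts as no signal.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


class OptOutRegistry:
    """The Do Not Sell list that marketing systems must consult (constructed).

    Each entry records how the opt-out arrived ("gpc" for the browser signal,
    "form" for a manual DSAR) and when, which is the audit trail a regulator
    may ask for.
    """

    def __init__(self):
        self._entries = {}

    def record(self, client_id: str, source: str) -> None:
        # First opt-out wins; a later signal does not overwrite the earlier record.
        self._entries.setdefault(
            client_id,
            {"source": source, "recorded_at": datetime.now(timezone.utc).isoformat()},
        )

    def is_opted_out(self, client_id: str) -> bool:
        return client_id in self._entries

    def entry(self, client_id: str):
        return self._entries.get(client_id)


def handle_request(req: Request, registry: OptOutRegistry) -> dict:
    """Decide, for one request, whether the client's data may be sold or shared.

    A GPC signal is recorded as an opt-out the first time it is seen. The
    opt-out then persists for that client even if a later request (another
    browser, a cleared profile) arrives without the header. That persistence
    is a design choice of this example: a recorded request stays in force
    until the person changes it.
    """
    if gpc_signal_present(req.headers) and not registry.is_opted_out(req.client_id):
        registry.record(req.client_id, source="gpc")
    opted_out = registry.is_opted_out(req.client_id)
    return {
        "client_id": req.client_id,
        "sell_allowed": not opted_out,
        "opt_out_source": registry.entry(req.client_id)["source"] if opted_out else None,
    }


def gpc_manifest() -> str:
    """Body for GET /.well-known/gpc.json, announcing that the site honors GPC."""
    return json.dumps({"gpc": True, "lastUpdate": "2024-01-01"})  # constructed date


if __name__ == "__main__":
    registry = OptOutRegistry()
    # Constructed sample traffic: a GPC-enabled browser, a browser sending an
    # explicit "0", the first person again without the header, and a third client.
    samples = [
        Request("user-a", {"Sec-GPC": "1", "User-Agent": "constructed-browser"}),
        Request("user-b", {"sec-gpc": "0"}),
        Request("user-a", {}),
        Request("user-c", {}),
    ]
    for r in samples:
        print(handle_request(r, registry))
    print(gpc_manifest())
```

In practice `handle_request` sits in request middleware and `OptOutRegistry.is_opted_out` is the check every data-sharing pipeline (ad pixels, list exports, partner feeds) consults before sending anything; the `source` and `recorded_at` fields are what you hand an auditor when asked how and when a given opt-out was honored.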
And one quirky finding, to boot: many consumers submitting DSARs come from jurisdictions where privacy laws don’t require such requests — and companies seem to be honoring the DSARs anyway. For example, 46 percent of DSARs in DataGrail’s study arrived from IP addresses located outside the United States, Canada, China, Brazil, Britain, or the EU, which all have strong privacy laws. For U.S.-based requests specifically, 34 percent came from states with no privacy laws.
We could chalk that up to companies doing the right thing even when they have no obligation to do so (yay!), but actually it demonstrates another important compliance principle for the modern age: sometimes it’s just easier to comply with the strictest standard for everyone, rather than build a patchwork of processes tailored for specific jurisdictions.
Implications for Privacy Compliance
As I mentioned earlier, I don’t know how precise DataGrail’s findings are, in the sense of whether the percentages in its report are accurate — but I don’t doubt that its broad conclusions are right. Privacy laws are tilting in favor of consumers, who are exercising those rights more vigorously. That means more privacy compliance costs for businesses.
Clearly you’ll need to automate the handling of those DSARs as much as possible. That means capabilities such as data mapping, control mapping, consent acquisition, and clear documentation for audit trails will all become more important.
Any number of vendors out there can help your compliance program at that tactical level. I’m more interested in how companies grapple with this shifting sense of consumer privacy at the strategic level.
For example, if more and more consumers start demanding that their data be deleted, at what point would it make sense for your company to consider deleting that data automatically, or not even collecting it in the first place? Does the privacy compliance officer get to raise or participate in those conversations? Or is that person stuck on the sidelines, forced to devise compliance solutions for whatever decision other executives make?
Or let’s say you want to feed consumer data into an artificial intelligence application of some kind — maybe one that would make better product recommendations, or scrutinize consumer buying patterns for fraud. If consumers start demanding that you remove their data from those apps, that’s less data for your AI to study and learn from. How do the IT team and the privacy compliance team reconcile those conflicting pressures? Does the privacy compliance officer get to collaborate with the chief technology officer or the fraud team to find solutions to that headache?
Those are questions not discussed in the DataGrail report, but they are questions that need to be discussed in the C-suite. The sooner the better.