New DataGrail research shows companies could spend more than $400K/year complying with privacy laws, doubling costs for 2020

It’s time to get real about data privacy management. Consumers are demanding greater insight into how their personal information is being used, which is a huge headache and expense for many businesses.

For some context, the landmark California Consumer Privacy Act (CCPA) went into effect in January 2020. This was the first law of its kind in the United States to give consumers very basic data privacy options through Data Subject Requests (DSRs), which allow consumers to access, modify, or delete their personal information from a company’s systems, and through Do Not Sell (DNS) requests, which prevent companies from selling their information to third parties. Now we have two years of data to draw on to see how consumers exercise their rights and how the law affects the organizations required to comply with those requests.

This is really important data, as CCPA is about to get an upgrade with the passage of the California Privacy Rights Act (CPRA), which adds another layer of complexity – the “don’t share” component. In addition, Colorado and Virginia recently passed their own data privacy laws, with other states expected to follow. As this new legislation rolls out, we can expect a strengthening of what’s happening with CCPA, especially if companies fail to master their privacy management strategies.

Dive into data

To get an idea of CCPA’s impact on businesses, DataGrail analyzed how many DSRs were processed in its customer base in 2021 and 2020. DataGrail researchers examined what happened in a broad dataset to uncover key privacy trends. At a high level, we found this:

Companies are being asked to process almost double the number of privacy rights requests they processed in 2020. The total number of data privacy requests (requests for access, modification and deletion) increased from 137 to 266 requests per 1 million identities. This is expected to increase as more states enact privacy laws, as businesses now see requests from residents of every state, not just California. To put this into perspective, there are approximately 39 million residents in California alone.

Specifically, the number of deletion requests, which ask companies to permanently and completely erase user information from their systems, has also nearly doubled, going from about 43 deletion requests per one million identities in 2020 to 84 per million identities in 2021, causing costs for businesses to rise further.

In addition to the rapidly increasing number of requests, companies are struggling with where to find all of their consumers’ data. Because so many organizations have integrated countless third-party SaaS apps with their systems, they are often missing data in up to 50% of the shadow SaaS apps (i.e., third-party consumer apps that are accessible over the Internet or software not supported by the company’s IT department and may have been downloaded by an employee).

The big picture: what it means for your business

Our researchers found that no matter how active consumers were in CCPA’s first year, they were even more engaged in how they wanted their data handled in the second year. Not only has the number of data subject requests skyrocketed, but people have gone to great lengths to have their data deleted, and anyone who has ever handled a deletion request can attest that it is much harder to fulfill than a simple request from a data subject. This trend is only expected to continue as consumers become more aware of data privacy issues and their rights. It’s a major problem for businesses because of the cost and human resources involved in completing privacy requests.

For example, research from Gartner suggests that companies spend about $1,524 to process a single request from a data subject. Multiply this number by the number of requests received and that becomes a very large line item on the budget.

Our research team also found that the employee(s) charged with executing data subject requests spent 2-4 months (60-130 hours) maintaining CCPA compliance when manually processing requests. At a time when talent is scarce, do companies really want to spend so much employee time and energy on privacy management? At the moment they have to, as their systems are ill-equipped to handle such requests; and running it across the spectrum of applications can feel like looking for a needle in a haystack.

This points to the bigger problem. If companies already spend millions of dollars and hundreds of staff hours to fulfill data privacy requests for California residents, and they have major problems identifying and untangling their user information from all the applications they use, what will happen when more states enact privacy laws, California laws become stricter and even greater numbers of consumers choose to exercise their data privacy rights? Companies are facing a tsunami of data privacy requests, and they need to get religion very quickly about managing data privacy. Otherwise, the cost and drain on resources will be overwhelming.

Where are you going from here?

This is a new world where data privacy must be integrated at every level of the business. A quality data privacy management program requires cross-functional teams to go through the details of what is collected, why and how it is used. From there, it’s much easier to get your tech stack in order. Know what data each application stores and how it connects to the vast web of each user’s profile. It pays to take the next few months before CPRA and additional legislation come into effect. Companies don’t want to be caught unprepared.

Automation will also be key. With technology that can provide a holistic view of data and where it resides, that can automate repetitive processes such as query request management, response requests can be processed more completely and in a fraction of the time without consuming human resources. Building a quality privacy operations center that can scale to meet the evolving demands of new regulations can save millions of dollars and countless hours each year.

The companies that embrace privacy rights and prioritize developing functional privacy management systems will be the undisputed winners of this new era. Those who don’t plan accordingly and pay attention to the changing landscape will be left behind, with a big bill and the loss of consumer confidence being the only things to show for that.

Daniel Barber is CEO and co-founder of DataGrail.
