Today, we’re excited to release a free online calculator and template for the privacy community to help determine the ROI of your organization’s current privacy program.
We know one of the most common challenges for privacy teams in securing resources to automate data access and deletion requests is calculating and communicating the hidden costs of manual intervention.
You can access the calculator here.
Three approaches to privacy requests
Current options for operationalizing data access and deletion requests typically fall into one of three categories:
- Manual workflows that are reliant on humans at every stage of the process from emailing third parties to manually querying internal systems, then packaging and returning the data requested by the data subject. In the context of a data deletion request, similar steps must be followed to locate the data, loop in the appropriate data team to delete it, and then confirm completion of the request back to the user. Manual workflows typically involve a privacy@ email alias for users to submit their request, a manual review of the alias inbox, sorting through the veracity of each request, and location-based triaging. These processes are often incomplete due to the manual effort required to scrape and check every system for relevant data.
- Semi-automated processes that may leverage request intake or workflow management software and scripts to query a subset of personal data stores but still rely on human actions to collate, deliver, and delete a user’s data. Web forms are often used to capture user requests which triggers workflow management software to help automate traditional “shoulder-tapping” communications and track action follow-up and completion. Members of the privacy team must do the rest manually.
- Fully automated privacy requests systems that can complete a request end-to-end without any human intervention through zero-trust API-based integrations and other hookups. Common features of this approach include a self-serve Privacy Center where users can select the appropriate data action (erasure, access, opt-out, etc,), view the status of their request, and view their data in the context of an accessible dashboard. Authentication is also integrated with an organization’s existing methods such as account credentials or one-time-passwords (OTP).
Our calculator focuses on the costs of human intervention to help teams decide which approach is best for them. Whether your organization receives 1, 100, or 1,000 privacy requests per month, manual efforts require resources and must be understood in the context of team priorities, human-error failure points, and hidden costs.
The calculator is also designed to drive more strategic, cost-based conversations at the highest level on privacy investments for practitioners, whether it be your next quarterly business review, process optimization assessments, or partner vetting conversations.
The cost of a single privacy request
Developing the calculator with input from privacy professionals, we found that the cost of a privacy request can be broken down into three categories:
- Variable, or “per request” costs are direct costs that are incurred with each request and are variable based on volume. Think of these as the time invested by each team member during every step of the process to ensure a request is handled correctly from submission to return.
- Fixed program upkeep and maintenance costs generally don’t increase or decrease once you’re required to comply with data access legislation, so long as they’re automated. This includes things like integrating new data stores into existing queries, adding new external systems, auditing tickets for quality control, and other miscellaneous items. We also factored an allowance for reactive intervention into your program if a PR storm or slipup requires executive-level involvement, or crisis mitigation.
- Non-calculated program risks are trickier to calculate on a per-request basis due to individual programs (and aren’t included in our calculators) but nonetheless are ever-present risks in a privacy request workflow that is reliant on human involvement, including penalties for non-compliance, human error, and more.
How to use the calculator
As we mentioned, with the help of the calculator, your findings can be used in a number of scenarios:
- Your next quarterly business review: Leverage the results of the Privacy Request Cost Calculator to anchor your strategic initiatives and investments in tangible modeling.
- Process optimization assessments: Using the spreadsheet template, you can see which parts of your manual or semi-automated process may be incurring the biggest time sucks and focus on quick-win improvements. Is one particular data processor taking an above-average time to respond to deletion requests? Is a particular internal stakeholder slowing the process down or increasing risk through unnecessary back-and-forth containing personal data?
- Partner assessment conversations: Leverage the calculator as a cost-benefit analysis tool for assessing privacy partners. Look for how much of the manual workflow or internally-built pieces of automation can be eliminated (don’t accept just partial solutions here!), and compare this against licensing or platform costs.
Tell us what you think!
We’d love to hear your feedback as you explore the calculator, and the spreadsheet template, or any suggestions on areas to include in future iterations. You can email us at email@example.com.