5 hidden costs of your company's privacy request approach

We recently released a first-of-its-kind Privacy Request Cost Calculator, to help privacy leaders like yourself determine the ROI of your organization’s privacy program—a crucial tactic in making a case for smart and cost-effective improvements for your organization.

In doing so, our Calculator uncovered areas ripe for ROI optimization when it comes to fulfilling consumer privacy requests, as mandated by laws like CCPA, GDPR, LGPD, and others ahead!

In this post, we’ll cover 5 of those areas that are often missed, yet can yield real savings through strategic optimization.

The context—how companies typically handle privacy requests

The reality of most privacy programs—unless you possess the budget and teams of a Facebook, Apple, or Google—is that they’ve been gradually built and iterated upon as privacy legislation has quickly evolved and new data rights requirements have needed to be addressed.

When it comes to acting on personal data for access, deletion, or consent requests across both internal and external data, most companies will take one of three approaches to solving the challenge:

  1. Manual workflow: Reliant on humans at each stage of the process, from email-blasting vendors to manually querying internal systems. Lawyers or program managers are tasked with manually authenticating user requests, collecting, deleting or changing the requested data, and returning the results to the user. Companies relying on a manual workflow often use a “Privacy @” email address for users to request the kick-off of a highly manual “shoulder tap” process across a company.

  2. Semi-automated: May leverage request intake or workflow management software and scripts or code that query a subset of data stores where personal data is held, but still rely on internal team actions to collate a user’s data. These companies often use a web form to ingest user requests, and pair that system with workflow management software that helps to “automate” shoulder-taps where action is required. As mentioned, there may be some use of automated scripts, APIs, or webhooks to connect priority sources of personal data.

  3. Fully automated: Privacy request systems that can operate on a request start-to-finish without any human intervention (unless mandated or desired) through zero-trust API-based integrations and other system hookups. Companies that are fully automated have a fully self-serve privacy dashboard for consumers, authentication integrated with an organization’s existing user authentication methods, and data orchestration through no- or low-code integrations across all external and internal systems.

Which system does your company leverage?

Check out the calculator to learn more about the costs of manual and semi-automated structures, and clear ways to optimize your program’s ROI.

Why? Because as our full Cost Calculator Guide explains, there are a number of hidden costs that are unavoidable when humans are involved in the processing of consumer privacy requests. Our Privacy Request Cost Calculator arms you with the business case for why an investment in automation is ultimately a more cost-efficient solution.

Free template and guide: Privacy Request Cost Calculator

How much does manually processing consumer privacy requests cost your company?

Find out with our first-of-its-kind Privacy Request Cost Calculator, as featured in IAPP. Try the online calculator, or download a detailed guide and fully-customizable spreadsheet template to:

➡️ Quickly see the costs of your organization’s privacy program
➡️ Try scenarios to test the scalability of your privacy request workflow
➡️ Copy and paste calculator outputs into your next strategy review


Chasing a more efficient privacy program? 5 must-check places

Download and read our full Cost Calculator guide for a line-by-line look at the hidden cost areas we found from analysing processes at large companies.

In this post, we’ll spotlight a few you may not expect—a mix of fixed costs (regardless of how many consumer requests you get), variable costs (which add up as requests spike), and more immeasurable costs that are highly dependent on the risk tolerance of your organization:

Pulling together their data

This takes our number one spot of the greatest variable time sucks when your privacy request program involves coordinating the orchestration of consumer data from the systems in which it’s held. We see this as 2-3 distinct buckets of work when not automated:

  1. One team member (often an engineer) running a script to return or remove data from internal data stores or systems,

  2. Another team member putting together an email blast for a subset of external SaaS vendors for deletion, including any unique identifiers for each (e.g. a User ID), and triaging and processing responses, and

  3. The “shoulder taps” sent to various team members across sales, marketing, HR, and other departments, to log in and return or remove data from the systems they oversee.

Our calculator spreadsheet template allows you to specify the precise time spent at each of these steps based on your organization’s circumstances and number of SaaS data processors, but our conservative estimate predicts that even with a low number of 100 monthly average requests, you could easily be looking at over $120,000 annually in time costs just in manually completing these steps.

Verifying the requestor’s identity

For companies that choose to honor erasure and access requests based on state requirements, this is one of the first steps when a consumer privacy request is received.

In this step, you’re checking the user’s address on record, to either continue, or to reject the request and send a reply to the requestor.

If you do choose to process the request based on this first step, then comes verification of the consumer’s identity. If you’re not able to rely on user login verification, this is where you might request additional information from the subject, such as a proof of address.

Our model predicts that this is one of the top 3 time-consuming steps of a manual or semi-automated process, especially if your customer response teams need to go back and forth to confirm information (let alone the data trail this creates!) We estimate that, conservatively, you can easily spend 11 minutes per request at this stage. That may not sound like much, but a controversial privacy policy change or a high volume of monthly requests can quickly push this line item above $75,000 per year (based on an average of 550 requests per month).

Engineering systems upkeep

Next we move into the fixed costs that our calculator estimates, which don’t vary based on requests received, but still need to be accounted for in a manual or semi-automated internal system.

The first of these is one of the largest buckets in this category—essentially, the time per month your engineering team spends tweaking or updating queries to integrate new internal data stores, and adjusting code to account for any number of external variances. This could include API updates from an external email provider, or changes to your internal codebase to account for a new data right.

Reactive executive intervention

As anyone who works in privacy knows, not everything goes to plan all of the time. While a rare occurrence, we’ve put in an allowance for an amount of time per month, for moments when a CPO or DPO may need to get directly involved to reactively review or message on how a request was handled, due to a user complaint or press query.

We see this need only increasing as the waves of updated data privacy legislation drive heightened awareness of consumer rights, putting increasing pressure on non-automated systems to honor requests. With humans involved in the process, a slip-up or error at some point in the request fulfillment process is unavoidable.

Risk of data breach

If your organization is manually requesting deletion from a vendor over email, one slipup in an email address could be enough to cause a data leak from your system. Worse, if a non-trustless vendor requires your system keys to be stored, a breach of their system could expose your entire data store. According to IBM’s Cost of a Data Breach Report 2020, a data breach can cost an organization an average of $3.86 million U.S. per incident.

Summing up

In this post, we’ve highlighted just a few areas where manual or semi-automated privacy request programs can quickly accrue costs—from lost time verifying a data subject’s identity, to manually orchestrating data, and ensuring internally-built systems keep up with a barrage of new privacy laws.

For the full list, download our Privacy Request Cost Calculator spreadsheet and guide. It was built with one goal in mind—to help privacy pros like you become data-driven advocates for laser-focused strategic investments and improvements in your organization’s privacy program—for your internal teams, for security’s sake, and at the end of the day, for better privacy for those whose data your company holds.

We’d love to hear how you’re using the calculator, too—did it help you understand hidden costs of your own program? Share your feedback at privacycalculator@transcend.io


Interested in learning more about how to use Transcend’s Cost Calculator to study your own privacy request program? Schedule a free 30-minute walkthrough with our team that built it, to learn how it can help you optimize your company’s approach.
