As businesses continue to weather the ever-expanding wave of data privacy regulatory red tape, new policies, procedures, and business models are arising out of granular compliance needs. In particular, many businesses are finding it difficult to comply with “data subject access requests,” a measure implemented by GDPR that has since been grounded in legislation for privacy bills across the globe.
According to Article 15 of the GDPR, data subjects have the right to request “whether or not personal data concerning him or her are being processed.” Under GDPR guidelines, businesses have to supply data subjects with any of the following information:
- What categories of personal data are being processed
- The reason the data is being processed
- Recipients of processed data
- How long their personal data will be stored
- The right of erasure
- The existence of, and logical information about, AI used to process their data
In a nutshell, data subject access requests (or DSARs) require you to spill the beans on what, when, where, and how data subjects’ personal data is being consumed. And, like many data regulatory guidelines in today’s hyper-scattered regulatory landscape, complying with GDPR alone isn’t enough. CCPA (California) and LGPD (Brazil), along with thousands of other local legislations also call for data subject access requests, although the nature of those requests varies slightly between each regulatory body.
The initial reaction for most businesses is to set up a manual, cross-functional workflow to comply with data subject requests. This isn’t surprising. The idea is simple: when a data subject submits a request, you provide the information, right? That seems simple on the surface. However, data is messy, and only 33% of businesses are compliant with GDPR as we write this post.
Here’s the question: How much is manually complying with these requests costing businesses in the long run, both operationally (tracking down data stored all over the place) and from a compliance-risk perspective (blind spots that are easy to miss)? In other words: What are the long-term costs of manual fulfillment of DSARs?
Understanding the DSAR Workflow
Pinning down a common framework for DSARs isn’t easy. With so many regulatory buckets to pay attention to, discovering the right timeframe, information types, and delivery methods requires heightened senses and a regulation-agnostic mindset. In an ideal setting, DSAR workflows would be automated to the highest possible standard (i.e., comply with the strictest regulatory framework to ensure broad compliance across all applicable regulations).
But in a manual setting, workflows become more ad hoc. In other words, you’ll need to implement policies for every unique data privacy standard your business is required to follow. To get a sense of how insurmountable a task simply discovering which regulations you need to follow can be, check out our post on local data privacy laws (hint: there are a lot!).
For the sake of argument, we’re going to use a GDPR-oriented manual DSAR workflow as our example. Again, there are almost certainly other standards you’ll need to follow, but we’ll try to keep this as digestible as possible.
Let’s break this down into 8 steps:
- A data subject access request is received (web form, email, phone, etc.).
- Verify the identity of the data subject so that private data does not reach an unauthorized party or threat actor.
- Identify which rights they are exercising (e.g., access, deletion, retention).
- Route the request to the business functions that can supply that information.
- Search for the requested data across all the various data sets: on-premises, cloud, structured, unstructured, semi-structured, etc. (this is typically assigned to application and data owner business functions).
- Next, package this data for delivery (or deletion, etc.).
- Send the data subject additional information to inform them of all of their data rights.
- Finally, deliver the response to the data subject.
Did we mention that you have 30 days to do all of that? Yes, you read that right: 30 days. Plus, if you don’t get everything accomplished within that time frame, you’ll be hit with a fine. Sure, you can likely handle one data subject request within 30 days. However, imagine 5,000 of those requests flooding in at once. If one slips through the cracks, you’d be found in non-compliance with the law.
At this point, you can probably guess at the diverse set of issues that would accompany the manual fulfillment of DSARs. However, let’s dive in and discuss them in detail.
4 Operational Friction Costs Associated With the Manual Fulfillment of DSARs
1. Error Rates
Manual processes and the word “error” are synonyms. It’s impossible to perform manual functions without errors. Across industries, the average benchmark for solid manual processes is a 1% error rate. That means that out of every 100 fields you fill out manually, one of them will contain an error. For DSAR fulfillment, “errors” will almost certainly include overlooked data. Data has proliferated everywhere, and the risk of missing data is perhaps highest in complex data environments. Think legacy systems, third-party data sharing, multiple data formats and owners, retention policies not followed, bad ETL jobs, etc.
And in the world of data privacy, errors spell trouble. You can get hit with fines from multiple directions. For starters, if you accidentally supply a data subject with the incorrect information, you can incur GDPR fines, which are steep. However, if you also unintentionally supply a data subject with another data subject’s personal data, you’re in for a world of hurt. That’s a breach. And breaches cost the average company a minimum of $2 million to rectify.
2. Time is Expensive
How long can it really take to respond to and comply with a data subject access request? According to two-thirds of companies Gartner surveyed, the answer is two weeks. Why? Because it’s time-consuming! Between identifying, compiling, and delivering DSARs, you need to interface with multiple departments, systems, and employees. And each of them will spend their precious work hours assisting with the subject request.
This is hard to quantify. But if we had to take a guess, the average company will be looking at (at least) $300 in labor alone, and a business could easily see this rise into the thousands. The average salary for experienced IT pros is around $100,000. If we account for vacation days, that lands at around $50 an hour (without even factoring in benefits costs). This cost can be higher for more niche tech positions (e.g., DBAs). Given that multiple people will touch the DSAR, six hours is very optimistic. We’ve heard an early process example of three technical resources taking three days to fulfill one DSAR (~72 hours), and they received 500 DSARs in the first week CCPA went into effect. But it will depend on each business’s unique policy framework, especially the complexity and variety of the back-end data stores.
3. Purchasing the Ad-hoc Tech to Comply With DSAR Needs
Privacy automation, data governance, and data protection technology that addresses individual rights compliance requirements like DSARs is relatively new. The space is fragmented around specific use cases and usually requires multiple solutions, not unlike PCI, for example. Privacy teams led the charge by implementing cloud-hosted SaaS privacy management software, which includes features like cookie preference management, regulation guidance, and DSAR intake workflow.
As privacy teams involved their IT and InfoSec peers, organizations quickly realized that the back-end technical processes would also need to be automated, with secure on-prem and private cloud software, to provide an accurate data picture and to keep up with anticipated DSAR volumes. Automated data discovery and classification, PI and PII data inventory mapping, and DSAR deep search free up data owners and help orchestrate many other otherwise manual processes. Look for solutions built on modern architecture with open APIs for easy integration.
4. Fines, Fines, and More Fines
Combine a 1% error rate with the time friction created by manual processes, and you may be looking at some hefty fines. GDPR fines can reach $20 million or up to 4% of annual gross revenue. If you have an onslaught of DSARs at once, you may be swamped, frustrated, and confused, which could lead to errors and missed timeframes. Unfortunately, that may not be an “if.” According to data compiled by the ICO, DSAR complaints have been doubling annually since GDPR was enacted, which almost certainly signifies an increase in the number of consumers requesting information.
Currently there is no federal equivalent to GDPR in the US; however, over 30 states are contemplating privacy laws, and California’s CCPA went into effect January 1, 2020, with enforcement beginning July 1, 2020.
So, What’s the Average Cost of the Manual Fulfillment of DSARs?
According to Gartner, it stands at around $1,400 per DSAR. But there’s a good chance that the real number is higher. Those costs don’t include fines accrued due to processing errors, accidental breaches, reputation damage, employee happiness, workplace fatigue, salary mix, and many of the other “hidden” costs associated with manually compiling these reports.
There Is a Better Way
In today’s privacy landscape, trying to comply with DSARs manually is a headache waiting to happen. Integris can help. Our best-in-class, regulation-agnostic DSAR automation solution can help you fulfill thousands of DSARs automatically. Not only does Integris automate the discovery and classification of sensitive data as a key first step and inventory baseline, but it also orchestrates complex end-to-end workflows for deletion and creates an easily discoverable and trackable audit trail for each report.
Are you ready to cut costs and operational frictions? Contact us.