Commentary

Compliance Will Cost You: Firms Are Barely Keeping Up With Data Access Requests

Email marketers better have their systems in place for dealing with the data subject access requests (DSAR) required under the CCPA and GDPR.

The problems start with an inability to access the data internally, judging by "DSARs and the impact of COVID-19," a study from compliance firm Guardum, conducted by Sapio Research.

And of the companies polled, 30% believe there will be a massive increase in DSAR requests when the pandemic lockdown ends. 

Sapio surveyed 100 DSAR managers in the UK at businesses with 250 employees or more. 

U.S. firms will be facing similar issues when the CCPA and other possible state bills take hold. In short, companies have to provide consumers with access to the data held on them on demand.

It sounds like a doable task, but most of these survey respondents acknowledge they are having problems keeping up with it. Only 25% are meeting data compliance obligations with ease, and 72% are partially handling them and expect a backlog when they return to the office.

What’s more, 48% of DSARs take longer than the standard 30 days to complete.

Do the math: The average cost of completing each request is £4,884.53, or almost $6,000 in U.S. dollars. And here’s a stat that should alarm anyone in our lawsuit-happy society: 33% of DSARs come through legal representation. 

When requests do come in, 63% handle them with both manual and automated processes.

How big a problem is this? DSAR managers receive an average of 28 requests per month, and 15% get more than 50. Of these, 48% come from customers, and 46% from employees or contractors.

In addition, DSAR managers spend an average of 30% of their day dealing with these requests.

They face these hurdles:

  • Difficulty in obtaining data from multiple departments — 48%
  • Difficulty in obtaining data held in both digital and paper formats — 40%
  • Judging which data should be categorized as personal data — 40%
  • Difficulty/time in redacting Personally Identifiable Information of others — 37% 
  • Lack of sufficient resources — i.e., people and budget to complete requests internally — 33%
  • Difficulty in obtaining data stored both on-premise and in the cloud — 33% 

Despite Brexit, the UK is adhering to the requirements contained in the GDPR. 

Finally, 29% believe data compliance is trumping commercial interests on their boards and at senior levels in their companies. And 40% believe there is a trade-off to be made between collective good and a person’s right to data privacy.
