The cost of privacy compliance has more than doubled.
It cost brands $398,320 per 1 million identities to fulfill data subject requests (DSRs) in 2021 -- up from $192,622 in 2020, according to 2022 Data Privacy Trends, a study by privacy platform DataGrail.
The number of data subject requests has also nearly doubled, from 137 to 266 per million identities.
DataGrail defines DSRs as the umbrella term that covers three core privacy rights consumers have under the California Consumer Privacy Act (CCPA): the right to access their data, delete their data and stop the selling of their personal data for advertising purposes.
Identities are defined as “the information associated with a unique record of a single customer or employee at a company.”
Of the requests seen, 63% were do-not-sell (DNS), 31% were for deletion and 6% were for access.
Deletion requests jumped from 42 to 84 per million identities YoY. The number will probably double in 2023 due to the CCPA.
DNS requests leaped from 63 to 167 per million identities in the same time frame.
The whole process is complicated by “shadow” third-party SaaS apps.
“Organizations miss between 10-50% of shadow SaaS apps when running data mapping exercises manually,” the study says.
DataGrail’s data shows that 10-50% of third-party systems go undetected by the person in charge of privacy. Moreover, data from workplace identity firm Okta “suggests the average organization uses upwards of 190 different enterprise applications to conduct business, many of which contain personal data,” it says.
California had the most DSRs overall, closely followed by Washington, Colorado, Illinois, and Virginia, the study says.
Only three states have passed privacy laws to date, it says. But many others have bills in the hopper, raising the prospect of a patchwork of requirements that may differ slightly from state to state, it adds.
DataGrail analyzed the data subject requests it helped process for clients from January 1 to December 31, 2021.