When the EU General Data Protection Regulation went into effect in 2018, organizations were tasked with handling data subject requests. Ignoring the inquiries could lead to fines for noncompliance and damage to an organization's reputation.
Of course, privacy legislation continues to emerge around the world, and with each new law, a whole new slate of people is granted data subject rights.
This increase will lead to organizations receiving more DSRs, and as the DSR volume goes up, so will the costs to remedy them. Companies may be aware of the number of inquiries they have on their plate; however, Transcend CEO Benjamin Brook said they are likely in the dark when trying to estimate the cost.
Transcend hopes to address this issue through the release of its Privacy Request Cost Calculator, an open-source tool designed to determine the return on investment for a privacy program as it handles DSRs.
The calculator is broken down into three categories. The first category tackles variable costs incurred with each request and is based on the volume of inquiries received by an organization. Users are asked to enter both the number of minutes they spend answering each individual request and the total number of hours they spend responding to all inquiries they receive each month.
Users also enter the stakeholders that are involved with performing DSR-related tasks, such as verifying a data subject's location and identity, checking to see whether a request has been completed, and answering action requests.
The second category looks at fixed costs for program upkeep and maintenance. Users would enter similar time and stakeholder information regarding monthly audits, training for staff and engaging with outside legal counsel.
Brook said the calculator is primarily centered around these two categories.
The third category focuses on non-calculated program risks, such as the risk of penalty for noncompliance, a data breach, human error and brand damage. Since these are specific to each company, Brook said Transcend could not accurately estimate such costs and thus advises organizations to factor in those numbers on their own.
One of the points of pride for Transcend is that the Privacy Request Cost Calculator is open-source under the Creative Commons license. Users can expand the calculator to factor in the risk costs in the third category and adjust formulas to suit their privacy programs.
The calculator does feature default values Transcend has crafted after conversations with industry professionals. Brook said the defaults Transcend has placed into the calculator are on the more conservative side of estimates.
"We assign these at a default value, and what that does is that it can simplify the calculator to just three inputs, which are the average number of privacy requests you’ll receive in a month, how many internal (software as a service) systems do your teams go to during a request to retrieve this data or delete and lastly, how many vendors do you have that you are actually emailing with," Brook said. "Just on those three inputs, you can get a very good estimation of cost."
Brook said Transcend's past experience with the open-source community was one of the reasons why the company decided to make the calculator publicly available. By making the tool open-source, Brook believes it will help organizations trust it is the right resource for their needs.
"It’s really helpful to have transparency around the underlying inputs. If you just have a calculator with three inputs and a black box and it spits out a number, it’s hard to trust that the calculation is necessarily relevant to your organization," Brook said. "By opening the hood and saying, ‘Here are all of the assumptions and underlying formulae,’ you can see if it’s entirely relevant and then kick the tires on the calculation and extend it to match your unique requirements."
While DSRs have been proliferating in the three years since the GDPR became law, Brook said it took the industry time to land on the best workflows to respond to the inquiries, which is why it has been difficult for privacy teams to calculate any form of ROI.
And as privacy laws continue to manifest around the world, Brook said there's a sense of urgency to determine ROI as those costs go up.
By having the ability to put numbers to their work, Brook said the calculator can help privacy professionals find an answer to a previous unknown, as well as provide them figures they can take to the C-suite to properly justify investment in their privacy teams.
"When you’re flying blind, it can be difficult to take your case to the C-suite and say, ‘We should invest in this; there are cost savings to be had,’" Brook said. "We think that by solving that problem and making it easy to present actual costs, privacy professionals can go and make a case for increased investment in this to optimize a lot of these workflows."
Brook said the future of the Privacy Request Cost Calculator will primarily be driven by feedback. Transcend has set up an email address where users can share their thoughts on the calculator, which could inform future iterations and updates to the tool.