Three reasons why your DSARs are increasing (and how to reduce them)

Privacy offices continue to have to plan for increasing numbers of Data Subject Access Requests (DSARs), with all the human and technology resources required to meet those needs. In fact, one 2024 study shows a 246% increase of DSRs over the last two years. For companies that handle these requests manually, or partially manually, the costs are incremental. The same study suggests that the cost to handle DSRs manually is around $800K for every 1 million identities – which represents a significant cost increase from previous years. On a per-request basis, another source estimates the average cost for a data subject request to be $1524. 

This cost average only accounts for the actual cost for handling each data request. The estimated cost does not include less tangible opportunity costs to the company. For example, organizations pay for personal data all the time, at a cost ranging from US $.03 – $.67 per person, depending on income, age, gender, and race/ethnicity. One source estimates the value for the company to be US $263 per year – every year. Personal data that an organization already has, about people with whom it already has a relationship, is worth much, much more. Losing this information because someone has made a deletion request represents a genuine cost.  

Moreover, more companies are finding ways to monetize personal data beyond just using profile and contact information for direct marketing. Data selling/sharing is a big business. In 2020, LinkedIn made US $3 billion in advertising revenue by providing companies access to their users. Other companies make more, and not just social media giants take advantage of their user base for revenue. Organizations sell and share personal data all the time for mutual benefit. For these organizations, fulfilling a deletion or Do Not Sell/Share request costs go far beyond the actual cost to handle that request.  

Why are Data Subject Requests rising?

As is usual in privacy, the answer to the question “why are the numbers of DSARs rising” is complicated. However, three main (inter-related) factors can account for the bulk of the increase:  

1. More regulations,  
2. Heightened public awareness, and  
3. Changing consumer concern. 

More regulations (and enforcement)

Privacy regulations continue to proliferate around the globe. In some cases, jurisdictions like Chile, with few legacy protections, are bringing on board new laws that provide for additional individual rights. American States continue to pile onto the trend that started with California, multiplying the number of data subjects with DSAR rights and adding to the list of available rights. Still other authorities have increased enforcement of existing laws, including on topics related to DSAR handling.  

Heightened public awareness

Partially due to new laws coming into effect and media attention related to enforcement actions, consumers are more educated about privacy rights. Data breaches, with all the media attention and notification letters they bring, also serve to raise awareness about privacy and privacy risks. Data breaches in 2023 increased over the previous year by 78%. Given that many, if not most jurisdictions provide for some breach notification requirements, more consumers than ever receive startling information about their privacy. The reasonable fear that data breaches generates can lead to an increase in access, deletion, and do not sell/share requests.  

Changing consumer concern

Also related to increased regulatory activity and public awareness, the level of consumer concerns about privacy is increasing. Not only do breaches and enforcement actions/media attention raise the level of concern, but there is also some evidence that younger generations think of privacy and their privacy rights differently. One survey reports that consumers between the ages of 18 and 24 are seven times more likely to have inquired about the personal data organizations hold about them than consumers aged seventy-five or older.  

Moreover, there is some evidence that younger generations consider privacy as table-stakes for online interactions. For example, Generation Alpha (the iPad generation) and Generation Z are both privacy conscious but willing to engage on a per-organization basis to negotiate what data they share for the benefit they receive.   

How to impact DSARs 

When thinking about the complex and interrelated factors influencing the rise in DSARs, it is clear that some factors are outside of an organization’s individual influence. External data breaches and increasing regulations/regulatory focus are broadly scoped trends over which most organizations have little control. However, there are actions any organization can take that can tap the brakes on individual rights.  

• Provide consumer control 
• Communicate well 
• Live up to promises 

Provide consumer control

There are numerous studies that underscore the idea that placing control in a user’s hands increases trust, and trust generates positive impacts to the company. One of those positive impacts is an increased likelihood to share more information and a decreased likelihood to trigger an individual right. In other words, a user who is offered an opportunity to say no is more likely to say yes. Similarly, a user who is offered some granularity in choice is less likely to feel backed into a corner and say no to everything.  

Communicate Well

Even the best privacy practices will not have the desired effect if the business does a poor job communicating them. Effective communication is not just a well-written privacy notice, but also the whole, end-to-end customer experience related to personal data – including an attractive and easy-to-use set of interfaces for notices, consents, and preferences.  

Live up to promises

Especially with today’s savvy consumer, it does not take long for companies that cannot back up their data privacy and protection promises to lose the trust of their customers. One data breach, or even one marketing email received after an opt out request, can erode the all-important trust factor and cause individuals to trigger their data privacy rights. On the other hand, a company with a high do-say ratio will continue to earn trust and so keep data subject requests to a manageable level.  

Fortunately, there are resources available to assist with all these actions. It takes work, of course, but technology in the form of a consent management platform can help an organization provide granular control, communicate well through a united privacy experience, and manage the back-office work to live up to promises.