Dr. Strangeflood, or How I Learned to Stop Worrying and Love the DSRs

This post was guest written by Frank Serafine (Data Analyst & Data Protection Officer), a member of the DataGrail Contributor program.

Alright, I’ll admit the cute title is for my own satisfaction and what I’m about to say has no relation to any movie. However, I do intend for it to sound just as radical. I hope it has you asking yourself, “What kind of maniac loves data subject requests? DSRs are hard.”

DSRs need to be extensive and thorough, which is neither quick nor easy. Nobody’s supposed to love them unless they’re a consumer. Even then, it’s still work for a consumer that isn’t meant to be enjoyable. Let me get to my point: I am YOU after you’ve admitted that DSR automation is the only way to reclaim your time.

Like many of us who handle DSRs, a trickle of requests on a weekly basis became a “strange flood” of daily requests over the years as regulations came into effect and consumers started flexing their newly-acquired legal muscle. The company I work for manages an ecommerce marketplace used by more than 250,000 unique monthly active users, and, without any sort of privacy automation in place, that flood of DSRs was wiping out 40-45 hours of my time each month at a minimum in manual fulfillment. 

Lowering the risk of legal non-compliance became quite expensive from sheer labor costs, and while idealists can argue that happier customers are also the ROI, the cold truth is that customers who file DSRs are much less likely to be happy paying customers afterward. People don’t read marketing emails and think, “Ooh wow, yeah, I’m gonna buy that sale item. I love this company! But, ew, why do they know who I am? I’ll tell them to delete me so I can buy stuff anonymously.” I was breaking my back running down data for users that we’d already lost or were about to lose. 

Between the analytics systems, the payment processor, the data warehouse, the CRMs, the Customer Service platform, and our service ticketing platform, the personal data we collected was spread out and subject to differing methods of request handling. Our data map didn’t look as convoluted as a map of the coffee shops in Seattle, but it sure wasn’t fun to navigate 6-10 times a day. Customer Service couldn’t help because of the technical knowledge required and the legal deadlines were time-consuming to track in spreadsheets. It was tedious and made me dislike the whole process.

One system only had an email address to receive requests, while another system needed me to log in to it and submit requests through the user interface, while several other systems required that I manually search for and get or delete the data myself. I had to accept the flood of DSRs as a fact of life, but I felt like I shouldn’t have to accept standing in the flood as it demolished my time. That was the tipping point.

Like others in the data privacy space, I didn’t come to data privacy through a legal career. I volunteered to be my company’s Data Protection Officer because I knew our data and our product logic and already had a vested interest in safeguarding and utilizing that data. It helped that I’m also altruistic in my support of data privacy as an essential consumer right. Still, the manual approach to DSR handling was siphoning time from my higher-value tasks. 

I decided to present the time-value of my manual DSR work to my executives alongside the cost of DSR automation software. My company already recognized the value of avoiding legal risk, so the executives understood that automation wouldn’t just save me time – it would improve our compliance posture. Even if you personally face headwinds to adding expense for compliance, I recommend that you approach your decision-makers with the same time-value vs software expense comparison. 

Implementing automation can be a major task in itself, but a short-term one that will airlift you out of the flood while you put in a system of locks to control the flow, so to speak. A lot of data services offer automation-friendly APIs for DSR compliance and the ones that lack them still have other methods with which automation software can still work. In my case, I was able to get my DSR oversight workload to under 1 hour per month and get back to my main tasks. As a Data Analyst embedded in several teams, I have a lot of continuous tasks involved in managing our data governance, analytics engineering, and running reports and KPIs, and I rediscovered how much I actually liked doing them!

At the end of the day, we all just want to do cool things in our dailies, be respectful to others, and spend as little as we have to, right? You don’t have to love compliance, but you should get back to enjoying your work. This was how I did.

Find Frank on Privacy Basecamp, our online community of 1,500+ privacy professionals around the world.