Methodology
DataGrail analyzed the Data Subject Requests (DSRs) it helped process on behalf of customers from January 1 - December 31, 2023. The customer set has more than 700 million records, where a record is defined as a single, individual record associated with a unique identifier within a customer's database. To determine the cost of processing requests, we used Gartner’s manual processing estimate of $1,524 per DSR. This statistic comes from Gartner’s 2023 report, Market Guide for Subject Rights Request Automation.
The dataset includes information from companies of all sizes, from startups to publicly traded household names. To normalize the data across various company sizes, we calculated DSRs per one million identities. For example, the data shows the average business in 2023 received 578 Access & Deletion requests per 1M identities per year. Using 578 as a benchmark, an organization with 3M identities can expect 1,734 Access and Deletion requests per year.
If we include California-specific Do Not Sell requests, the numbers rise to 859 requests per 1M identities per year. Following the example above, if the organization holds 3M identities, the industry benchmark would be 2,577 DSRs per year.
We found that the number of DSRs a business receives varies greatly depending on multiple factors, including whether the company is B2B or B2C and how often company privacy policies change. To account for this variability, we used a 10% trimmed mean to determine our benchmarks. A 10% trimmed mean excludes the largest 10% and smallest 10% of values and takes the mean of the remaining 80%.
The dataset includes DSRs submitted under CCPA and GDPR, along with DSRs received in the US and globally that don’t fall under those regulatory umbrellas. As a United States-based company, with primarily US-based customers, our dataset may skew toward DSRs from the US.
To calculate the percentage of organizations not complying with the GPC standard, we audited more than 5,000 websites.
What’s a DSR?
A Data Subject Request (DSR) allows an individual to request that an organization take certain action over the individual’s personal data. There are several types of DSRs, but this report focuses on requests to access personal data, requests to delete personal data, and requests that a company not sell or share personal data (“Do Not Sell” requests).
What do we mean by identity?
Mentions of an “identity” refer to information associated with a unique record of a single customer or employee at a company. A single “identity” accounts for one customer’s personal data within multiple systems across an organization.