In 2023, more than 364,121,588 people were affected by data breaches. One of the biggest breaches affected social media platform X, which saw an alleged 235 million emails leaked. The United Kingdom’s biggest data breach of last year exposed the details of 40 million voters. Considering the number of companies and organisations that collect and/or have access to individuals’ personal data around the world, data subject access rights (DSAR) is a hot topic.
To gain greater insights into DSAR, we surveyed the responses of 133,667 data privacy officers (DPOs) worldwide on social media platforms such as X, Reddit, and TikTok in the 12 months to 6 July 2024. This is what we found.
Index
- Data Protection Regulations Compliance The Biggest Perceived Response Challenge
- Employees Make More Than 66% of DSAR Requests
- Data Breaches The Biggest Risk Arising From DSAR Requests
- Hiring Data Protection Consultants Accounts For Biggest DSAR Spend
- 2,262 Admit to Receiving Complaints About Their DSAR Response
- 2,470 of data privacy officers use technology to Handle DSARs
- 3,070 Saw an Increase in DSARs Over the Past Year
- Other DSAR Statistics
- Nearly Half of DPOs Surveyed Are In The US
- Almost 70% of Women Surveyed Affected By DSARs
- Highest Number Of Respondents Earn US$200,000 to $500,000
- About The Data
Data Protection Regulations Compliance The Biggest Perceived Response Challenge
Our analysis of responses found that 41% of DPOs thought that data protection regulations compliance was the biggest perceived DSAR response challenge. Find out what the other perceived response challenges were below.
27.2% of respondents said that stakeholder communication and coordination was the biggest response challenge, followed by 24.9%, who named maintaining data privacy and security. 3.9% said that handling sensitive or confidential information was the top response challenge, while 2.9% said it was managing large volumes of data. Only 0.1% said the biggest response challenge was the proper storage of data and data retention.
The more than 40% of responses that named data protection regulations compliance as the biggest response challenge are echoed by recent research in the EU. According to a nyob survey, 74% of respondents said that data protection authorities would find relevant violations at most companies. Additionally, 70% of respondents said that authorities should enforce data protection regulations and issue clear decisions to ensure compliance.
Employees Make More Than 66% of DSAR Requests
When it comes to DSAR requests, it’s clear that employees are responsible for well over half. The graph below reveals the origins of DSAR requests overall.
Our data revealed that 66.8% of DSAR requests are made by employees, far outpacing requests from other sources. While there are exceptions, employees typically submit a DSAR request when they are involved in a dispute with their employer. A DSAR can give an employee access to performance reviews, emails, and other documents and internal communications that provide insights into their employer’s motivations or actions. This can strengthen their case against their employer and make it more difficult for the employer to defend themselves at a tribunal or court case.
According to our data, 19.5% of respondents said that DSAR requests came from other sources, while 13.8% said that DSAR requests were submitted by their customers.
Interestingly, these findings are different from those of an EY Law survey on DSAR requests, which found that 83% of respondents said that customers were their biggest source of these requests. One of the respondents, the DPO of a global financial services provider, said that his organisation receives approximately 1,000 DSARs per month, with more than half of those DSARs not being linked to actual customers and raising concerns about the use of the data.
Data Breaches The Biggest Risk Arising From DSAR Requests
87.4% of DPOs’ responses on social media indicated that data breaches were the biggest risk arising from DSAR requests. Take a closer look at the other risks mentioned in the responses below.
The next biggest risk named by DPOs was non-compliance with data protection regulations (5.9%), followed by data loss or corruption (2.1%). These were followed by 1.9% of respondents, who said that lack of employee awareness and training was a risk of DSAR requests, and 1.3% who named inadequate data security measures as a risk. 1.1% of DPOs said that unauthorised access to personal data was the biggest risk arising from these requests, followed by 0.1% who named third-party data sharing and processing risks.
These concerns are not unfounded. According to Drata’s research, 74% of organisations are not able to properly address cybersecurity vulnerabilities due to budget and resource constraints. Garner’s research found that 73% of efforts aimed at risk identification were allocated to due diligence and recertification, while only 27% of effort was focused on identifying risks over the course of a relationship.
Hiring Data Protection Consultants Accounts For Biggest DSAR Spend
The graph below illustrates where the greatest amount of money is spent on DSAR, with hiring data protection consultants topping the list. We’ve unpacked these details further.
According to our research, 69.5% of DPOs said that their biggest DSAR spending was on hiring data protection consultants. Find out what else was responsible for DSAR spending below.
19.1% of respondents said their DSAR spend included data protection training, while 7.6% said their spend included legal fees associated with data protection. 2% said data protection audit expenses were part of their DSAR spend.
The DPOs’ responses we analysed focused on data protection, rather than on the costs of fulfilling DSAR requests, which can be hefty. The Data Privacy Group found that UK businesses spend between £70,000 and £330,000 on DSARs, while Gartner estimated that the average cost of manually fulfilling DSAR requests was approximately $1,524 per request.
2,262 Admit to Receiving Complaints About Their DSAR Response
2,262 (less than 2%) of the DPOs whose responses we analysed admitted to receiving complaints about their DSAR response. This result was far lower than what other research has found about DSAR response complaints.
The EY Law survey mentioned above found that 51% of DPOs had received complaints from individuals about their DSAR request responses. However, given the association of many DSARs with existing grievances and disputes, aggrieved data subjects are more likely to complain if they believe that their requests did not receive a proper response. Additionally, the Information Commissioner’s Office received more than 15,300 complaints about organisations’ failure to comply with their obligations when faced with DSAR requests in 2023, representing a 13.5% increase in the number of complaints received in 2022.
2,470 of Data Privacy Officers Use Technology to Handle DSARs
2,470 DPOs (approximately 1.8%) said they used technology to handle DSAR requests. While these DPOs’ responses might make it look like technology has taken a back seat to manual processing, the reality might be vastly different, depending on the organisation’s size and location.
The EY Law survey found that 46% of respondents admitted to using technology to handle DSAR requests, while 58% said they processed DSARs manually. 1% of respondents did not know how their organisations processed these requests.
3,070 Data Privacy Officers saw an Increase in DSARs Over the Past Year
According to our data, 3,070 (2.3%) of DPOs whose social media responses we surveyed said they had seen an increase in DSARs over the past year. This is slightly lower than what other research found about the rise in DSAR requests.
The EY Law survey found that 60% of respondents reported an increase in DSARs over the past year. According to Statista, 28% of internet users around the world submitted a DSAR, which represents an increase from 24% in 2022.
Other DSAR Statistics
The rise in DSAR requests and complaints about requests has as much to do with an increase in data breaches and other cyber security risks as it does with attitudes toward personal data and privacy. According to Cisco research, 84% of respondents said they care about data privacy, protecting others, and wanting more control over their data stored by various organisations.
Cisco also found that 80% of respondents were willing to spend time and money to protect their data, while 48% had switched companies or providers due to their data policies or data-sharing practices. 91% of respondents said they would not buy from companies if they did not trust how their data would be used. 87% of companies who responded said that they had experienced delays in their sales cycles due to customers’ data privacy concerns.
45-54 Age Group Most Engaged On The Topic Of DSARs
At 26.7%, respondents aged 45 to 54 were the most engaged on the topic of DSARs. Find out about other age groups’ engagement levels below.
The 55-64 age group was the next most-engaged group (25.9%), followed by those aged 65 and older (18.4%). Trailing behind these groups were those aged 25 or younger (14.9%), 35 to 44 (12.7%), and 25 to 34 (1.4%).
These figures are slightly different from those of the Cisco survey, which found that 61% of people who were most concerned about data privacy were aged 45 or younger and did most of their shopping online.
Nearly Half of DPOs Surveyed Are In The US
44.3% of DPOs whose responses we surveyed were based in the USA. Here’s how the other countries stacked up:
While the USA leads the way in terms of engagement on DSARs, Australia is in second place at 13.3%. This is followed by Italy (12.5%), France (10%), UK (9%), Germany (5.9%), and Canada (5%).
Pew Research data paints a fuller picture of data privacy awareness around the world. In 2023, 71% of American adults were concerned about how their government uses their data. In the same year, only slightly more than 20% of Australians were aware of their country’s data privacy laws, compared to more than 30% of Germans, 40% of French people, more than 50% of Italians, more than 60% of people in the UK, and 67% of Indians.
Almost 70% of Women Surveyed Affected By DSARs
60.9% of respondents who engaged on the topic of DSARs were women. Take a closer look at data privacy concerns and gender here.
Our research found that only 39.1% of respondents who engaged on the topic of DSARs were men.
This is in keeping with research by Deloitte, which found that women were more concerned than men about how their personal data is used and protected. A survey found that 42% of women knew what data devices, applications, and services collect about them and how it’s used, compared to 49% of men. 45% of women said they knew what measures they could take to limit or control what personal data is collected, compared to 53% of men. 36% of women said they trusted online services to protect their data now more than a year ago, compared to 40% of men.
Highest Number Of Respondents Earn US$200,000 to $500,000
65.6% of DPOs who responded about DSARs on social media earned between US$200,000 and $500,000 per year. Take a look at the engagement rate of other income groups:
28.3% of respondents earned between $500,000 and $1 million per year, while 4.1% were in the $80,000 to $120,000 income group. 1.2% of respondents earned between $120,000 and $200,000 per year, while 0.9% earned less than $40,000 per year.
However, World Risk Poll data points to a different reality when it comes to concerns and engagement around personal data. Among internet users worldwide who said they were living comfortably on their current income, only 35% said they were worried about personal data theft, compared with 56% of internet users who said they were finding it difficult to live on their current income. 82% of Malaysians who said they were struggling financially said they were worried about data theft, compared to 80% of Indonesians, 69% of Poles, and 65% of Brazilians.
People have a right to know who is collecting their data and how it will be used, including whether it is to be shared with other organisations. They also have the right to access the data gathered about them, correct any inaccuracies, and request that their data be deleted or not used for certain purposes. In most countries today, gathering, processing, storing, and using personal data is regulated by data protection laws. As businesses and the public become more aware of this and their rights, DSAR will become even more of a talking point globally, not just with data privacy officers but with everyone who shares their data worldwide.
About the Data
The data used in this article is based on the responses of 133,667 data privacy officers on social media platforms such as X, TikTok, and Reddit. The responses span one year, ending on July 6, 2024, and were collected and analyzed to produce outcomes within a 90% confidence interval and 5% margin of error. The engagement estimated the number of people participating in the study globally.
The demographics were determined using multiple factors, including name, location, and self-disclosed description. Privacy was preserved using k-anonymity and differential privacy. The results are based on what data privacy officers describe online—the questions are not posed to a sample group.