/ 9

What's your privacy problem actually costing you?

Answer 9 questions. Get a brutally honest dollar figure.
Takes about 3 minutes.

DSAR handling cost

Data Subject Access Requests — formal requests to access or delete personal data — are a legal obligation. Every one handled manually is hours of developer time you're not recovering.

Sprint capacity lost

See how many sprints per year your team is burning on reactive privacy work — and how many features that displaces.

Breach liability exposure

A risk-adjusted figure for what a reportable incident would cost based on your data types, encryption posture, and customer scale.

Cost of building it in

Model what you'd recover annually by making privacy a product feature instead of a fire to put out.

Currency:

Question 1 of 9

Is your product primarily B2B or B2C?

This drives how many Data Subject Access Requests you're likely fielding — and how expensive each one is to process.

Question 2 of 9

Which privacy jurisdictions apply to your organisation?

Select all that apply. If you operate under multiple frameworks, the calculator will use the most stringent to determine your DSAR obligations and penalty exposure.

Question 3 of 9

How many end-users have personal data in your systems?

A ballpark is fine. This affects your breach exposure and Data Subject Access Request (DSAR) volume.

Question 4 of 9

How would you describe your current dev backlog?

Be honest. Nobody's watching. This affects how quickly your team can respond to privacy issues.

Question 5 of 9

What types of personal data do you store?

Select all that apply. Higher-sensitivity data = higher breach cost multiplier.

Question 6 of 9

What encryption do you have in place?

Select all that apply. Encryption gaps directly increase your breach probability score.

Question 7 of 9

Which privacy processes do you have?

Select all that exist in some shape or form — they don't need to be fully formalised. Gaps here = compliance overhead hours. Leaving this blank is a valid (and expensive) answer.

Question 8 of 9

How many privacy-related issues in the last 12 months?

Bugs, incidents, near-misses, Data Subject Access Request (DSAR) bottlenecks — anything that touched privacy. Round up if unsure.

Zero? Lucky you. Or you're not counting them yet.

25+ incidents/year is a systemic pattern, not bad luck.

Question 9 of 9

Once identified, how long does a privacy issue typically take to resolve?

Not the time to notice it — the time from "we know about this" to "it's fixed."

Annual privacy pipeline cost

Book a free call

Profile

Business type

B2B: you route DSARs to your client. Lower direct handling cost.

B2C: you're the data controller. Full fulfillment is on you.

Jurisdictions

End users

Backlog health

Affects hidden issue rate — overloaded teams miss more.

Data types stored

Affects liability exposure per incident.

Safeguards

Encryption in place

Affects liability per record via safe harbour eligibility.

Privacy processes

Formal processes reduce DSAR handling time and compliance gaps.

Team

Dev headcount

Composition

Mid

Salaries ()

Junior

Mid

Senior

Utilisation

% of sprint capacity committed to planned work. Higher = less slack for privacy issues.

Cycle

Sprint length

Release cadence

Hrs to resolve issue

Volume

DSARs / month

Incidents / year

Support

Support salary ()

First-line tech support. Avg: CAD $52K / USD $47K.

DSARs via support

% of DSARs arriving through support channels first. 25% of those are missed.

Glossary

B2B: Business-to-Business. You sell to other businesses; DSARs route to your client first, reducing your direct handling cost.
B2C: Business-to-Consumer. You sell directly to individuals; you are the data controller and must fulfil all DSARs yourself.
Backlog: The prioritised list of work your team has yet to complete. Privacy issues that miss the sprint sit here, sometimes for months.
Breach: A security incident where personal data is accessed, disclosed, or lost without authorisation. Triggers mandatory notification and potential fines.
Compliance overhead: Time and cost spent meeting regulatory requirements — privacy reviews, DSARs, audit trails — instead of shipping product.
CPA: Colorado Privacy Act. State-level consumer privacy law with a 45-day DSAR response window.
CPRA: California Privacy Rights Act. California's consumer privacy law (effective 2023) — access, correct, delete, and opt out of data sale.
DSAR: Data Subject Access Request. A formal request from an individual to access, correct, or delete their personal data. 30-day response window under most frameworks.
Law 25: Quebec's Act Respecting the Protection of Personal Information in the Private Sector. Fines up to $25M or 4% of worldwide turnover — Canada's most stringent provincial framework.
Incident response: The documented process a team follows when a privacy or security issue is detected — containment, investigation, notification, remediation.
PII: Personally Identifiable Information. Any data that can identify a specific individual — name, email, IP address, device ID, location, and more.
PIPEDA: Personal Information Protection and Electronic Documents Act. Canada's federal private-sector privacy law.
Privacy debt: The accumulated cost and risk from deferred privacy implementation. Like technical debt, it compounds over time.
ROPA: Record of Processing Activities. A mandatory inventory of what personal data you collect, why, how long you keep it, and who you share it with.
Safe harbour: A legal provision that reduces liability when certain protections exist. Encrypting breached data can lower per-record penalties under PIPEDA and US state laws.
Sprint: A fixed work period (typically 1–4 weeks) where the team completes planned tasks. Privacy issues that land mid-sprint displace features.
Utilisation: The percentage of a developer's available time committed to planned work. High utilisation means less capacity to absorb unplanned privacy fixes.
VCDPA: Virginia Consumer Data Protection Act. State-level consumer privacy law with a 45-day DSAR response window and enforcement by the Attorney General.

Pipeline cost breakdown

Visualisations

Dev capacity lost to privacy

Cost by category

What if you built it in?

Toggle features below to see what you'd recover annually. The chart updates in real time. Individual savings assume each feature is the only one active — combined total accounts for compounding.

Baseline vs optimised annual cost

Total recoverable per year

Let's talk →

Based on IBM Cost of a Data Breach Report (2023), PIPEDA/CPRA frameworks, and industry-standard DSAR benchmarks. These are estimates. Your actual numbers may be worse. How we calculate this → Save your results first to view the methodology. Privacy Notice · About Ross · Terms of Use