Fines relating to mismanagement of data subject rights could hit $1bn

By 2026, fines due to mismanagement of subject rights will have increased tenfold from 2022, to total over $1 billion, according to Gartner.

The analyst defines subject rights requests (SRRs) as a set of legal rights that enable individuals to demand clarity about, and in some instances changes to, how their data is used.

“For security and risk management (SRM) leaders in B2C organizations, automating subject rights or consumer privacy rights management has become a basic requirement and a prerequisite for building trust,” said Nader Henein, VP Analyst at Gartner. “The management of SRRs can enhance customer trust levels by providing a positive privacy user experience (UX).”

However, inefficient handling of SRRs and an immature privacy UX can erode the benefit from millions of dollars spent on developing positive customer sentiment.

Organizations handling data must address SRRs within a defined time frame. Poor or delayed responses to SRRs erode customers’ trust in an organization, and long waits for a response also damage customer experience (CX) and sentiment. In addition, regulators regularly impose fines for failure to comply, and their rulings also mandate prompt execution of requests.

SRM leaders should take the opportunity when they receive an SRR to engage with privacy-aware customers. “Data subject rights should not be treated exclusively as a legal requirement,” said Henein. “To support positive customer sentiment, the organization’s privacy UX should be developed with the same care as any customer-facing service.”

In addition, many jurisdictions require digital organizations to address the privacy rights of their employees. Data held on incoming, current, or past employees deserves the same care as data pertaining to customers. The highest cost per request is often attributed to employees’ SRRs rather than customers’, because of the complexity and volume of the data involved.

“To ensure data subjects receive responses within acceptable time, cost, and scale limits, SRM leaders should consider establishing a foundation of metrics around SRRs,” said Henein.

“While the need for scalable subject rights delivery and fulfillment will not go away, the demand for more automation will lead to a faster move toward a zero-touch model,” said Henein. “This model will enable users to self-serve informative rights through a privacy portal where individuals will be able to browse their information in detail and understand how it is being used and by whom.”

Maintaining a manual SRR process makes an organization more likely to face regulatory fines and suffer the associated reputational damage, and it carries ongoing maintenance costs. By contrast, being transparent about the SRR process, involving customers in it, and automating more of SRR fulfillment offer clear benefits to organizations.

Stuart O'Brien