
Inefficient management of data subject rights requests can affect trust between companies and their customers 

By 2026, fines due to inadequate management of data subject rights will have increased tenfold compared to 2022 and could exceed US$1 billion. The warning is from Gartner, a global leader in research and advice for businesses, which defines data subject rights requests (SRRs) as a set of legal rights that allow individuals to make demands and, in some cases, request clarifications about the use of their data.

“For security and risk management leaders of companies dealing with end customers (B2C), automating data subject rights or consumer privacy management has become a basic activity, as well as a prerequisite for building trust,” states Nader Henein, Vice President and Analyst at Gartner. “Managing SRRs can increase customer trust levels while providing a positive privacy experience.”

However, inefficient handling of SRRs and immature privacy can erode the benefits of millions of dollars invested in developing positive customer sentiment. 

 

Financial impact of inadequate or inefficient handling of SRRs 

Companies that handle data must respond to SRRs within a defined deadline. Poor or delayed responses to SRRs can negatively impact the company's trust with customers. As a result of long waits for a response, customers' experience and sentiment also suffer. Furthermore, regulatory bodies impose fines for lack of compliance, demanding decisions with immediate execution for requests. 

Security and risk management leaders should take the opportunity, when they receive an SRR, to interact with privacy-conscious customers. “The rights of data subjects should not be treated exclusively as a legal requirement,” warns the Gartner analyst. “To support positive customer sentiment, the company's privacy customer experience must be developed with the same care as any service aimed at customers,” says Henein.

Additionally, many jurisdictions require digital organizations to address the privacy rights of their employees. Information maintained about incoming, current or former employees deserves the same care as customer-related data. The highest cost per request is often attributed to employee SRRs rather than those coming from customers, due to the complexity and high volume of the data involved.

“To ensure data subjects receive responses within acceptable limits of time, cost and scale, security and risk management leaders should consider establishing a baseline of metrics around SRRs,” says Henein. 

 

The Evolution of SRRs 

Gartner estimates that while the need for scalable delivery and enforcement of data subject rights will not go away, the demand for more automation will lead to a faster shift toward a zero-touch model. “This model will allow users to request information rights through a privacy portal, where people can browse their information in detail and understand how it is being used and by whom,” explains the analyst.

Maintaining a manual SRR process makes companies more likely to face regulatory fines and suffer associated reputational damage. This also implies maintenance costs. In contrast, being transparent and involving customers in the SRR process and implementing a more automated approach to SRR compliance offers clear benefits to companies. 

To learn more about managing human risk to build a security-conscious organization, Gartner offers a free e-book: “4 Ways to Achieve Secure Employee Behaviors”.
