Fines for mismanagement of data expected to reach $1Bn
By 2026, fines due to mismanagement of subject rights will have increased tenfold from 2022, to total over $1 billion, according to Gartner.
Gartner defines subject rights requests (SRRs) as a set of legal rights that enable individuals to make demands, and in some instances require changes, regarding the uses of their data.
Nader Henein, VP Analyst at Gartner, says, "For security and risk management (SRM) leaders in B2C organisations, automating subject rights or consumer privacy rights management has become a basic requirement and a prerequisite for building trust. The management of SRRs can enhance customer trust levels by providing a positive privacy user experience (UX)."
However, inefficient handling of SRRs and an immature privacy UX can erode the benefit from millions of dollars spent on developing positive customer sentiment.
Business impact of poor or inefficient handling of SRRs
Organisations handling data must address SRRs in a defined time frame, Gartner states. Poor or delayed responses to SRRs can negatively impact an organisation's trust with its customers.
Long waits for a response also damage customer experience (CX) and sentiment. In addition, regulators regularly impose fines for failure to comply, and these rulings typically mandate prompt execution of the outstanding requests.
SRM leaders should take the opportunity when they receive an SRR to engage with privacy-aware customers. Henein says, "Data subject rights should not be treated exclusively as a legal requirement. To support positive customer sentiment, the organisation's privacy UX should be developed with the same care as any customer-facing service."
In addition, many jurisdictions require digital organisations to address the privacy rights of their employees. Data held on prospective, current, or past employees deserves the same care as data pertaining to customers. The highest cost per request is often attributed to employees' SRRs rather than to those coming from customers, because of the complexity and volume of the data involved.
Henein says, "To ensure data subjects receive responses within acceptable time, cost, and scale limits, SRM leaders should consider establishing a foundation of metrics around SRRs."
The evolution of SRRs
Henein says, "While the need for scalable subject rights delivery and fulfillment will not go away, the demand for more automation will lead to a faster move toward a zero-touch model."
"This model will enable users to self-serve informative rights through a privacy portal where individuals will be able to browse their information in detail and understand how it is being used and by whom."
Maintaining a manual SRR process leaves an organisation more exposed to regulatory fines and the associated reputational damage, and it carries ongoing maintenance costs. By contrast, being transparent about the SRR process, involving customers in it, and implementing a more automated approach to SRR fulfillment offers clear benefits to organisations.