By 2026, fines due to mismanagement of subject rights will have increased tenfold from 2022, to total over $1 billion, according to Gartner, Inc.
Gartner defines subject rights requests (SRRs) as a set of legal rights that enable individuals to make demands and, in some instances, changes for clarity regarding the uses of their data.
“For security and risk management (SRM) leaders in B2C organizations, automating subject rights or consumer privacy rights management has become a basic requirement and a prerequisite for building trust,” said Nader Henein, VP Analyst at Gartner. “The management of SRRs can enhance customer trust levels by providing a positive privacy user experience (UX).”
However, inefficient handling of SRRs and an immature privacy UX can erode the benefit from millions of dollars spent on developing positive customer sentiment.
Business Impact of Poor or Inefficient Handling of SRRs
Organizations handling data must address SRRs in a defined time frame. Poor or delayed responses to SRRs can negatively impact an organization's trust with its customers. As a result of long waits for a response, customer experience (CX) and sentiment are also negatively impacted. In addition, regulators regularly impose fines for failure to comply. These rulings also mandate prompt execution of requests.
SRM leaders should take the opportunity when they receive an SRR to engage with privacy-aware customers. “Data subject rights should not be treated exclusively as a legal requirement,” said Henein. “To support positive customer sentiment, the organization’s privacy UX should be developed with the same care as any customer-facing service.”
In addition, many jurisdictions require digital organizations to address the privacy rights of their employees. Data held on incoming, current, or past employees is worthy of the same care as data pertaining to customers. The highest cost per request is often attributed to employees’ SRRs rather than those coming from customers due to the complexity and the volume of data.
“To ensure data subjects receive responses within acceptable time, cost, and scale limits, SRM leaders should consider establishing a foundation of metrics around SRRs,” said Henein.
The Evolution of SRRs
“While the need for scalable subject rights delivery and fulfillment will not go away, the demand for more automation will lead to a faster move toward a zero-touch model,” said Henein. “This model will enable users to self-serve informative rights through a privacy portal where individuals will be able to browse their information in detail and understand how it is being used and by whom.”
Maintaining a manual SRR process renders an organization more likely to face regulatory fines and suffer associated reputational damage. It also entails maintenance costs. By contrast, being transparent about the SRR process, involving customers in it, and implementing a more automated approach to SRR fulfillment offer clear benefits to organizations.
Gartner clients can read more in “Hype Cycle for Privacy, 2023” and “Market Guide for Subject Rights Request Automation.”
About Gartner IT Symposium/Xpo
Additional analysis on security and privacy trends will be presented during Gartner IT Symposium/Xpo, the world's most important conferences for CIOs and other IT executives. Gartner analysts and attendees will explore the technology, insights and trends shaping the future of IT and business, including how to unleash the possibility of generative AI, business transformation, cybersecurity, customer experience, data analytics, executive leadership and more. Follow news and updates from the conferences on X using #GartnerSYM