Financial sanctions imposed for mismanagement of subjects’ rights are expected to exceed $1 billion worldwide in 2026, according to Gartner forecasts.
Researchers say this figure represents a tenfold increase compared to 2022 levels.
In this context, Subject Rights Requests (SRRs) are a set of legal rights that allow individuals to request clarification – and sometimes request changes – regarding the use of their data.
Nader Henein, vice president analyst at Gartner, described SRR management as a basic requirement for security and risk management leaders.
He said: “The rights of data subjects should not be treated exclusively as a legal requirement.
“To support positive customer sentiment, the organization’s privacy UX must be developed with the same care as any customer-facing service.”
The researchers also noted that data held on staff, regardless of their employment status, deserved the same care as that given to customers. The report notes: “The highest cost per request is often attributed to employee SRRs rather than those from customers due to the complexity and volume of the data.”
Automation is key to avoiding substantial fines, and sticking to a manual process for responding to SRRs is likely to increase the risk of an organization facing regulatory fines and possible reputational damage. Henein noted that inquiries about SRRs would not go away and said adopting a contactless model would allow users to self-serve through a privacy portal.
The same portal must be transparent about the data held and ensure that users understand how it is used and by whom.
Organizations face multiple potential costs from both regulators and attacks from bad actors.
The former have adopted a firmer stance in recent years. For example, the EU has deployed GDPR rules to give citizens more control over their data. Even though SRRs are only part of the rules, the possible sanctions within the broader regulatory framework can be severe.
Meta alone incurred more than a billion euros in fines from European regulators over a 12-month period for its GDPR violations.
The United Kingdom’s Information Commissioner’s Office (ICO) has also increased the fines it imposes, with a current average of £14.7 million in fines per year, representing a tenfold increase on fines imposed in the 12 months before the GDPR rules came into force.
The rise of generative AI has also caused lawmakers to think about how data is used in training models, and has prompted a number of lawsuits filed against AI providers.
Organizations also face increasing costs related to attacks. A recent report noted that public companies experience an average drop in net profit of 73% in the first year following the disclosure of a data breach.