Gartner defines subject rights requests (SRRs) as a set of legal rights that enable individuals to make demands and, in some instances, changes for clarity regarding the uses of their data.
The analyst predicts that by 2026, fines due to mismanagement of subject rights will have increased tenfold from 2022, to total over US$1 billion.
"For security and risk management (SRM) leaders in B2C organisations, automating subject rights or consumer privacy rights management has become a basic requirement and a prerequisite for building trust," said Nader Henein, VP Analyst at Gartner. "The management of SRRs can enhance customer trust levels by providing a positive privacy user experience (UX)."
However, inefficient handling of SRRs and an immature privacy UX can erode the benefit of millions of dollars spent on developing positive customer sentiment.
Business impact of poor or inefficient handling of SRRs
Organisations handling data must address SRRs in a defined time frame. Poor or delayed responses to SRRs can negatively impact an organisation's trust with its customers. As a result of long waits for a response, customer experience (CX) and sentiment are also negatively impacted. In addition, regulators regularly impose fines for failure to comply. These rulings also mandate prompt execution of requests.
SRM leaders should take the opportunity when they receive an SRR to engage with privacy-aware customers. Henein warns that data subject rights should not be treated exclusively as a legal requirement. "To support positive customer sentiment, the organisation’s privacy UX should be developed with the same care as any customer-facing service," he added.
In addition, many jurisdictions require digital organisations to address the privacy rights of their employees. Data held on incoming, current, or past employees is worthy of the same care as data pertaining to customers. The highest cost per request is often attributed to employees’ SRRs rather than those coming from customers due to the complexity and the volume of data.
"To ensure data subjects receive responses within acceptable time, cost, and scale limits, SRM leaders should consider establishing a foundation of metrics around SRRs," said Henein.
The Evolution of SRRs
Henein opined that while the need for scalable subject rights delivery and fulfilment will not go away, the demand for more automation will lead to a faster move toward a zero-touch model.
"This (zero-touch) model will enable users to self-serve informative rights through a privacy portal where individuals will be able to browse their information in detail and understand how it is being used and by whom."
Nader Henein
Maintaining a manual SRR process renders an organisation more likely to face regulatory fines and suffer associated reputational damage. It also entails maintenance costs. By contrast, being transparent about, and involving customers in, the SRR process and implementing a more automated approach to SRR fulfilment offers clear benefits to organisations.