Fines for data mismanagement could exceed $1 billion

Financial penalties issued for mismanaging subject rights are set to rise above $1 billion worldwide in 2026, according to Gartner forecasts.

Researchers say the figure represents a tenfold increase from 2022’s levels. 

In this context, subject rights requests (SRRs) are a set of legal rights that enable individuals to demand clarity – and occasionally request changes – regarding the use of their data.

Nader Henein, VP Analyst at Gartner, described the management of SRRs as a basic requirement for security and risk management leaders. 

He said: “Data subject rights should not be treated exclusively as a legal requirement.

“To support positive customer sentiment, the organization’s privacy UX should be developed with the same care as any customer-facing service.”

Researchers also noted that data held on staff, regardless of employment status, was worthy of the same care as that given to customers. The report noted: “The highest cost per request is often attributed to employees’ SRRs rather than those coming from customers due to the complexity and the volume of data”.

Automation is key to avoiding substantial fines, and sticking with a manual process for responding to SRRs is likely to increase the risk of an organization facing regulatory fines and possible reputational damage. Henein noted that demands around SRRs would not go away and said that adopting a zero-touch model would allow users to self-serve via a privacy portal.

The same portal should be transparent about the data being held and ensure users understand how it is used and by whom.

Organizations are faced with multiple potential costs from both regulators and attacks by threat actors.

The former have been adopting a stronger stance in recent years. For example, the EU has rolled out GDPR rules to give citizens more control over their data. Although SSRs are only part of the rules, penalties possible under the wider regulatory framework can be severe.

Meta has incurred more than €1 billion in fines alone from European regulators over a 12 month period over its GDPR violations.

The UK’s Information Commissioner’s Office (ICO) has similarly been increasing the fines it levies, with its current average of £14.7 million per year in fines representing a tenfold increase when compared to fines imposed in the 12 months prior to GDPR rules coming into effect. 

The rise of generative AI has also resulted in lawmakers giving consideration to how data is used in training models, as well as a number of lawsuits leveled at AI vendors.

Organizations are also facing increasing costs from attacks. One recent report noted that public companies experience an average net income drop of 73% within the first year of a data breach’s disclosure.