Fines for data mismanagement could exceed $1 billion


Financial penalties issued for mismanaging subject rights are set to rise above $1 billion worldwide in 2026, according to Gartner forecasts.

Researchers say the figure represents a tenfold increase from 2022’s levels.

In this context, subject rights requests (SRRs) are a set of legal rights that enable individuals to demand clarity – and occasionally request changes – regarding the use of their data.

Nader Henein, VP Analyst at Gartner, described the management of SRRs as a basic requirement for security and risk management leaders.

He said: “Data subject rights should not be treated exclusively as a legal requirement.

“To support positive customer sentiment, the organization’s privacy UX should be developed with the same care as any customer-facing service.”

Researchers also noted that data held on staff, regardless of employment status, was worthy of the same care as that given to customers. The report noted: “The highest cost per request is often attributed to employees’ SRRs rather than those coming from customers due to the complexity and the volume of data”.

Automation is key to avoiding substantial fines, and sticking with a manual process for responding to SRRs is likely to increase the risk of an organization facing regulatory fines and possible reputational damage. Henein noted that demands around SRRs would not go away and said that adopting a zero-touch model would allow users to self-serve via a privacy portal.

The same portal should be transparent about the data being held and ensure users understand how it is used and by whom.

Organizations are faced with multiple potential costs from both regulators and attacks by threat actors.

The former have been adopting a stronger stance in recent years. For example, the EU has rolled out GDPR rules to give citizens more control over their data. Although SRRs are only part of the rules, penalties possible under the wider regulatory framework can be severe.

Meta alone has incurred more than €1 billion in fines from European regulators over a 12-month period for its GDPR violations.

The UK’s Information Commissioner’s Office (ICO) has similarly been increasing the fines it levies, with its current average of £14.7 million per year in fines representing a tenfold increase when compared to fines imposed in the 12 months prior to GDPR rules coming into effect.

The rise of generative AI has also resulted in lawmakers giving consideration to how data is used in training models, as well as a number of lawsuits leveled at AI vendors.

Organizations are also facing increasing costs from attacks. One recent report noted that public companies experience an average net income drop of 73% within the first year of a data breach’s disclosure.

Richard Speed
Staff Writer

Richard Speed is an expert in databases, DevOps and IT regulations and governance. He was previously a Staff Writer for ITProCloudPro and ChannelPro, before going freelance. He first joined Future in 2023 having worked as a reporter for The Register. He has also attended numerous domestic and international events, including Microsoft's Build and Ignite conferences and both US and EU KubeCons.

Prior to joining The Register, he spent a number of years working in IT in the pharmaceutical and financial sectors.