{"id":108918,"date":"2022-03-16T09:00:00","date_gmt":"2022-03-16T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=108918"},"modified":"2023-05-15T23:04:55","modified_gmt":"2023-05-16T06:04:55","slug":"manage-subject-rights-requests-at-scale-with-microsoft-priva","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/03\/16\/manage-subject-rights-requests-at-scale-with-microsoft-priva\/","title":{"rendered":"Manage subject rights requests at scale with Microsoft Priva"},"content":{"rendered":"\n
Privacy is of increasing importance to our customers. In addition to the well-known European General Data Protection Regulation (GDPR), privacy regulations are emerging in nearly every region, with more than 70 percent of countries now having data protection and privacy legislation.1<\/sup> <\/p>\n\n\n\n As the number and scope of privacy standards have proliferated, privacy has become an expectation of customers and stakeholders to enable a trusted business. Many of the large organizations I work with are mature in their privacy compliance processes. Some have had to be GDPR compliant since 2018. Even those without GDPR compliance obligations saw GDPR as a watershed event, recognizing that broader privacy regulation was coming. Organizations have now shifted their focus from privacy compliance to privacy leadership in order to provide value to their customers and their brands. To assist organizations on their privacy journey, we introduced Microsoft Priva<\/a> in October 2021 to help customers safeguard personal data and respect privacy rights.<\/p>\n\n\n\n The concept of respecting an individual\u2019s privacy rights has been emphasized by the Organization for Economic Cooperation and Development (OECD) as \u201cThe Individual Participation Principle\u201d in the Fair Information Practice Principles (FIPPs) since 1980.2<\/sup> The principle includes an individual\u2019s right to access and control their own data. In some cases, they have the right to have this data corrected or deleted. Since GDPR went into effect, the concept has become more mainstream and is known as data subject requests or subject rights requests. In the United States, 12 states have passed laws or have active bills that mandate a subject\u2019s right to data access.3<\/sup><\/p>\n\n\n\n Responding to subject rights requests (SRRs) can be resource-intensive, costly, and difficult to manage. 
There are challenging time frames for a response, with GDPR mandating a response time of 30 days and the California Privacy Rights Act (CPRA) allowing 45 days. More than half of organizations handle SRRs manually, while one in three has automated the process.4<\/sup> According to Gartner\u00ae, most organizations process between 51 and 100 SRRs per month at a cost of more than USD1,500 per request.5<\/sup> As more privacy regulations come into force and the public becomes more informed about their rights, the volume of SRRs is expected to grow substantially, impacting organizations\u2019 resources even further.<\/p>\n\n\n\nSubject rights requests (SRRs) management is time-consuming and costly<\/h2>\n\n\n\n