Trend: Are We Forgetting the Data Subjects in GRC?

I have a confession to make: I don’t really know what data subjects actually want. And if I had to guess – neither do you.

Published: April 27, 2025
Jacob Høedt Larsen
PR & PA

It’s a bit mad, really. Because we should know.

There’s a lot we do have a handle on:

✅ GDPR, NIS2, and all the other regulatory requirements
✅ ISO 27001 and 27701 – and all that framework business
✅ The demands from our B2B clients and contractual partners

But what about the people all of this is actually meant to protect – the data subjects?

A small challenge

You might be thinking: “Of course I know them.”

Then try answering this: What are the three most important expectations or wishes data subjects have of you?

I can’t answer that. Can you?

Many of us instinctively fall back on the law:

They expect us to have a lawful basis for processing!
But deep down, we know that’s not something most people actually worry about.

They want us to carry out a DPIA!
Unlikely.

They’re dying to read our privacy policy!
That’s why it’s at the top of the website traffic stats, right?

The truth is, we don’t know what they want. But it might be things like:

  • Reassurance that we’ll support them if their personal data ends up in the wrong hands

  • Confidence that we’ll delete their data once we no longer need it

  • Trust that decisions made about them are based on accurate, informed information – not on flawed data

But the point is: we don’t know.
And why don’t we?

Because we’ve never actually asked them.

Start by listening

Here’s a radical idea: What if we started talking – in a structured way – to the people we so abstractly refer to as “data subjects”?

They’re not just legal terms – they’re people we care about. Our employees. Our customers. Fellow citizens.

So let’s make listening to them part of our GRC processes – to understand what they think is reasonable and fair.

We gain value from their data.
They deserve to have a voice in how we manage it.

To me, it really is that simple.

Take action:

It doesn’t have to be complicated.

Why not invite four to six data subjects to a conversation once a month?

Start with your employees. Listen. Ask open questions. Reflect.

I think we’ll discover two things:

1️⃣ What we can do to better serve our customers and colleagues.
2️⃣ That we might even find more joy in our work in data protection.

Because for most of us, it’s all about the same thing: Making things better for people.