ICO data breach complaints double after GDPR
Written by Peter Walker
Complaints to the Information Commissioner’s Office (ICO) about potential data breaches have more than doubled since the General Data Protection Regulation (GDPR) came into effect.
Information released under a Freedom of Information Request from law firm EMW showed that there were 6,281 complaints between 25 May, when GDPR came into force, and 3 July, a 160 per cent rise from just 2,417 complaints over the same period in 2017.
Increasing numbers of individuals are making complaints over potential data breaches, including some more disgruntled consumers who are making several repeated complaints.
Greater media publicity and government advertising mean there is a heightened awareness of individuals’ new data rights under GDPR, according to EMW’s analysis, with a greater public focus on the accountability of businesses of all sizes in handling personal data.
Individuals are most likely to make complaints when their sensitive personal and financial data is at risk. The financial services sector received over 10 per cent (660) of all complaints, with businesses in the education and health sectors receiving a combined 1,112 complaints.
Under the new regulations, the cap on each fine will be raised to £16.5 million - or 4 per cent of worldwide turnover of the entity being fined - 33 times more than the current maximum £500,000 fine.
James Geary, principal in the law firm’s commercial contracts team, said a huge increase in complaints is very worrying for many businesses, considering the scale of the fines that can now be imposed.
“There are some disgruntled consumers prepared to use the full extent of GDPR that will create a significant workload for businesses,” he commented.
“We have seen many businesses are currently struggling to manage the burden created by the GDPR, whether or not an incident even needs to be reported – the reality of implementation may have taken many businesses by surprise.”
Geary explained that emails represent one of the biggest challenges for GDPR compliance, as failing to respond promptly to subject access or right to be forgotten requests could result in a fine. “The more data a business has, the harder it is to respond quickly and in the correct compliant manner.”
An ICO spokesperson responded that it’s early days and official statistics will be collated, analysed and published in due course. “But generally, as anticipated, we have seen a rise in personal data breach reports from organisations.
“Complaints relating to data protection issues are also up and, as more people become aware of their individual rights, we are expecting the number of complaints to the ICO to increase too.”
Research completed in June found that a month after the GDPR deadline, only 20 per cent of companies surveyed believe they are compliant with the regulation, while 53 per cent are in the implementation phase and 27 per cent have not yet started their implementation.
In the few months since its implementation, some well-known brands have already fallen foul due to data breaches.
Luxury retailer Fortnum & Mason admitted the loss of some 23,000 customer records - which included emails, telephone numbers and delivery addresses of customers who filled out a survey - due to the use of third-party survey provider Typeform.
In a similar breach to that of digital-only bank Monzo, which also used Typeform, an unknown hacker gained access to its server and downloaded the data contained in survey forms. Meanwhile, Travelodge was also forced to announce that 180,000 personal details of its clients were taken, including date of birth, passport numbers and billing information.