GDPR prompts UK data protection complaints to double

The number of data protection complaints received by the UK's data protection watchdog has doubled since the General Data Protection Regulation (GDPR) took effect.

27 Aug 2018

The Information Commissioner's Office (ICO) said that it received 4,214 data protection complaints in July, up from 3,098 in June, 2,310 in May and 2,165 in April, according to media reports. The GDPR took effect on 25 May this year.

The ICO has also seen an increase in the number of personal data breaches reported to it since the new EU data protection laws began to apply.

A spokesperson for the ICO said: "It is early days and we will collate, analyse and publish official statistics in due course. But generally, as anticipated, we have seen a rise in personal data breach reports from organisations. Complaints relating to data protection issues are also up and, as more people become aware of their individual rights, we are expecting the number of complaints to the ICO to increase too."

The GDPR mandates the reporting of certain data breaches to data protection authorities and affected individuals.

Data controllers are required to notify local data protection authorities of personal data breaches they have experienced "without undue delay and, where feasible, not later than 72 hours after having become aware of it … unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons".

A higher threshold applies to notifying affected members of the public of data breaches. Data breaches must be "likely to result in a high risk to the rights and freedoms of natural persons" before notification would be required, and the legislation sets out further conditions that restrict the circumstances in which notification would need to be made.

A personal data breach is defined under the GDPR as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

Data protection authorities elsewhere in Europe, including in France and Austria, have also reported seeing an increase in data protection complaints and data breach notifications since the GDPR took effect.

Dublin-based data protection law expert Ann Henry of Pinsent Masons, the law firm behind Out-Law.com, said: "This increase in reported data breaches and in complaints from data subjects is a trend we expect to see continuing as the public become increasingly aware of their rights under GDPR and the value of protecting their personal data from a privacy perspective. This is particularly so as it becomes more and more clear that there is a material commercial value for third parties in exploiting personal data and that GDPR increases the legal safeguards for data subjects that must be adhered to."