GDPR sparks rise in data protection complaints

Data protection law experts Ian Birdsey and Laura Gillespie of Pinsent Masons, the law firm behind Out-Law.com, said a combination of consumers' increased awareness of privacy issues and greater transparency around personal data breaches are likely factors behind the increase.

According to the Guardian, the UK's Information Commissioner's Office (ICO) has "seen a rise in personal data breach reports from organisations" as well as a rise in "complaints relating to data protection issues" since the GDPR took effect on 25 May this year.

Politico also reported that the Commission Nationale de l’information et des Liberties (CNIL), the data protection authority in France, has already seen the volume of complaints increase by more than 50% compared to the same period last year.

Politico further reported that the Austrian watchdog has received 128 complaints and 59 data breach notifications since the GDPR took effect. The watchdog said that the volume of notifications it has received in the past month equates to the number of notifications it received in an eight month period before the GDPR began to apply, according to the report.

The GDPR mandates the reporting of certain data breaches to data protection authorities and affected individuals.

Data controllers are required to notify local data protection authorities of personal data breaches they have experienced "without undue delay and, where feasible, not later than 72 hours after having become aware of it … unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons".

A higher threshold for notifying affected members of the public of data breaches applies. Data breaches must be "likely to result in a high risk to the rights and freedoms of natural persons" before notification would be required, but there are further conditions set out in the legislation to restrict the circumstances in which notification would need to be made.

A personal data breach is defined under the GDPR as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

Birdsey said: "While all organisations were previously encouraged to voluntarily disclose when they had suffered a data breach, not least to avoid potentially stiffer regulatory fines should they later come to light, the notification of data breaches was only previously mandated in certain sectors of the economy, such as financial services and telecoms – the GDPR has changed all that by introducing mandatory data breach notification for all data controllers."

"In addition, the concept of a 'personal data breach' has been expanded by the GDPR, meaning more incidents are likely to be subject to disclosure than previously, particularly given the growing cyber risk organisations face. Allied to the greater understanding of data privacy rights that the public now has, these factors will all be contributing to the increase in data protection complaints," he said.

Gillespie said: "With the deluge of emails people were receiving in their inboxes concerning consent and updated privacy notices, it is not surprising that people have become more acutely aware of their individual privacy rights and this has led to an increase in complaints."

"Whilst the regulators will investigate complaints and have the power to issue fines for breaches of the GDPR of up to €20 million or 4% of global turnover, whichever is higher, individuals also have the right to compensation. This right is not limited to cases where material damage has occurred - it includes 'non-material damage' too, which the new Data Protection Act in the UK makes clear includes where individuals have experienced 'distress' as a result of a breach. It is therefore clear that investing in robust compliance systems now to prevent any breach could avoid a substantial cost down the track," she said.