GDPR Effect: Data Protection Complaints SpikeIndividuals Report Organizations for Allegedly Failing to Secure Personal Data
Three months after the EU's General Data Protection Regulation went into full effect, the U.K.'s data privacy watchdog says that the number of complaints it has received under GDPR has nearly doubled (see Europe's Strong GDPR Privacy Rules Go Into Full Effect).
See Also: The Global State of Online Digital Trust
Under GDPR, as with prior European privacy rules, anyone can file a complaint with the Information Commissioner's Office, or ICO, if they believe that their personal data has been misused.
"If you think your data has been misused or that the organization holding it has not kept it secure, you should contact them and tell them," the official U.K. government website advises. "If you're unhappy with their response or if you need any advice you should contact the Information Commissioner's Office."
The ICO says "data subjects," as they're known under GDPR, are doing just that.
In May, the ICO received 2,310 data protection complaints from individuals. But after GDPR enforcement began on May 25, the ICO notes that complaints rose to 3,098 in June and reached 4,214 in July, as the U.K.'s ITV News first reported.
The ICO says the increase had been expected because a number of high-profile breaches have recently come to light, including such British household names as Currys and Superdrug (see Dixons Carphone: 10 Million Records Exposed in 2017 Breach).
"It's early days and we will collate, analyze and publish official statistics in due course. But generally, as anticipated, we have seen a rise in personal data breach reports from organizations," an ICO spokeswoman tells Information Security Media Group. "Complaints relating to data protection issues are also up and, as more people become aware of their individual rights, we are expecting the number of complaints to the ICO to increase too."
France and Ireland See Complaints Rise
Multiple data protection authorities - the independent agencies in each EU country charged with enforcing GDPR - have seen an increase in the number of data protection complaints they were receiving.
The Commission nationale de l'information et des libertés, which is France's DPA, tells ISMG that from Jan. 1 to July 31 this year, it received 4,838 data protection complaints, compared to 3,985 for the same period last year - a 20 percent increase. And from May 25 to July 31 of this year, CNIL received 1,804 complaints, a 37 percent increase compared to 1,132 during the same time period last year.
At Ireland's DPA, the Data Protection Commission, Graham Doyle, its head of communications, tells ISMG that "there has been a significant increase in the volumes of both breaches and complaints to the DPC since May 25." Before GDPR enforcement began, the DPC says it was receiving on average about 230 data breach notifications and 220 data protection complaints per month.
Since GDPR enforcement began, by Aug. 24 the DPC had received 1,713 data breach notifications. "Of these, the GDPR applied in 1,422," since they occurred from May 25 onwards, Doyle says.
In the same timeframe, "we have also logged 1,084 complaints, of which the GDPR applied in 495 cases," he says.
Hence since GDPR enforcement began, the DPC saw monthly data breach reports double, while data protection complaints increased by 65 percent.
Greater Privacy Awareness
Legal experts say GDPR is fostering greater privacy awareness, driven in part by more organizations having to reveal when - and often how - they were breached.
"This increase in reported data breaches and in complaints from data subjects is a trend we expect to see continuing as the public become increasingly aware of their rights under GDPR and the value of protecting their personal data from a privacy perspective, says Ann Henry, a Dublin-based attorney who specializes in data protection law, in a blog post.
Henry says the seemingly nonstop stream of data breaches aimed at stealing personal data - often for resale on underground forums, allowing such hack attacks to be monetized - means the world will likely see an ever-increasing number of breaches, and thus data breach reports.
"There is a material commercial value for third parties in exploiting personal data," Henry says.
As Europeans become more aware of the scale of the data breach problem, she says all organizations that handle Europeans' personal data should expect to find their practices under increased scrutiny by consumers.
Organizations that fail to comply with GDPR can face fines of up to 4 percent of an organization's annual global revenue or €20 million ($23 million), whichever is greater. Separately, organizations that fail to comply with GDPR's reporting requirements also face fines of up to €10 million ($12 million) or 2 percent of annual global revenue.
Thus far, however, none of the EU's DPAs have levied any fines. Multiple DPAs, including the ICO, as well as Datainspektionen - Sweden's DPA - and France's CNIL told the International Association of Privacy Professionals Privacy Advisor newsletter that it's simply too soon.
"As of now, CNIL has not yet issued any fines based on the GDPR policy," a spokesman tells ISMG, noting that the ability to impose the new fines under the regulation has only been in effect for three months. "Accordingly, the complaints brought before the CNIL in relation to the GDPR are currently in a trial phase and we do not know yet when the CNIL will deliver its decisions."
Similarly, Doyle at Ireland's DPC tells ISMG: "It is too soon to expect to see any fines levied against organizations that have violated GDPR - given that it's only 3 months after it went into full effect."
Reported UK Data Breaches Quadruple
GDPR imposes a number of new requirements on organizations that handle personal information, including requiring them to track all breaches and report certain types of breaches to authorities.
"In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons," GDPR requires. "Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay."
As noted, Ireland's DPC says it has seen the number of breach reports double since GDPR enforcement began.
Last month, meanwhile, the U.K.'s ICO reported that since May 25, it had seen a four-fold increase in the number of breaches that organizations were self-reporting. Experts note that the increase does not mean that the number of data breaches has suddenly gone up, but rather reflects the full scale of the data breach problem becoming better known (see Under GDPR, Data Breach Reports in UK Have Quadrupled).
This story has been updated to include details shared by DPAs in France and Ireland.