Complaints to the Information Commissioner’s Office (ICO) about potential data breaches have more than doubled since the General Data Protection Regulation (GDPR) came into effect, with financial services companies in the firing line for potential large fines, according to research by law firm EMW.
Its freedom of information request to the ICO has revealed there were 6,281 complaints between 25 May 2018, when GDPR came into force, and 3 July 2018. This marks a 160% rise from just 2,417 complaints over the same period in 2017.
The firm’s analysis suggests increasing numbers of individuals are making complaints over potential data breaches, including some consumers making several, repeated complaints. Greater media publicity and government advertising mean there is a heightened awareness of individuals’ new data rights under GDPR. There is now a greater public focus on the accountability of businesses of all sizes in handling personal data.
EMW says individuals are most likely to make complaints when their sensitive personal and financial data is at risk. The financial services sector received over 10% of all complaints (660), with businesses in the education and health sectors receiving a combined 1,112 complaints.
It points out that businesses should be concerned about the significant increase in complaints and the size of potential fines that can be levied under GDPR.
Under the new regulations, the cap on each fine will be raised to €20m (£18m), or 4% of worldwide turnover of the entity being fined, which is 33 times more than the current maximum £500,000 fine.
James Geary, principal in EMW’s commercial contracts team, said: “A huge increase in complaints is very worrying for many businesses, considering the scale of the fines that can now be imposed. There are some disgruntled consumers prepared to use the full extent of GDPR that will create a significant workload for businesses.
“We have seen many businesses are currently struggling to manage the burden created by the GDPR, whether or not an incident even needs to be reported. The reality of implementation may have taken many businesses by surprise.
“For example, emails represent one of the biggest challenges for GDPR compliance as failing to respond promptly to subject access requests or right to be forgotten requests could result in a fine. The more data a business has, the harder it is to respond quickly and in the correct compliant manner.”