News

Data protection complaints nearly double in three months since GDPR – regulator

The Information Commissioner’s Office said it received more than 4,000 complaints of personal data breaches in July.
The Information Commissioner’s Office said it received more than 4,000 complaints of personal data breaches in July. The Information Commissioner’s Office said it received more than 4,000 complaints of personal data breaches in July.

The number of data protection complaint reported to UK regulators has nearly doubled since the introduction of new data protection laws, the Information Commissioner’s Office (ICO) has said.

Saturday marks three months since the General Data Protection Regulation (GDPR) was introduced across the UK and the rest of the EU on May 25.

The new laws were designed to give people more control and access to the personal data collected from them by organisations, with more transparency and the threat of larger fines to those in breach of the rules also introduced.

According to the ICO, the data watchdog charged with enforcing the new rules in the UK, 3,098 data protection complaints were made in June and 4,214 in July – up from 2,310 made in May, when the laws were introduced.

In April – before the new regulation came into force – only 2,165 complaints were received.

A spokeswoman for the ICO said the increase was expected, as more users became aware of data protection because of publicity around the new rules and following a series of high-profile data scandals involving big technology firms.

“It’s early days and we will collate, analyse and publish official statistics in due course. But generally, as anticipated, we have seen a rise in personal data breach reports from organisations,” the regulator said.

“Complaints relating to data protection issues are also up and, as more people become aware of their individual rights, we are expecting the number of complaints to the ICO to increase too.”

The GDPR requires any company that suffers a data breach to notify its users within 72 hours of first being discovered, and obtain consent before gathering any personal information on users and be transparent about how they collect and use it.

If a breach of GDPR is found regulators are now also able to hand out much larger penalties than under previous rules – up to 4% of annual global turnover or 20 million euro (£17.5 million) – whichever is greater.

The ICO is already investigating several data breaches which have been disclosed since GDPR came into force, including one involving Dixons Carphone that affected 10 million customers.

Many businesses have also struggled to comply with regulations, with hundreds of US-based news sites choosing to cut off access to European users rather than comply in order to avoid breaching the rules.

Before the laws were introduced, the Federation of Small Businesses warned that smaller businesses with limited resources would need time to comply and urged a “light-touch manner” in how the rules were initially enforced.

At the time of their introduction, Information Commissioner Elizabeth Denham said the ICO was not looking for “perfection” from day one but did want to see a commitment from businesses to “move forward with their new obligations”.