Consumers are on the warpath in the wake of GDPR, judging by data pried out of the UK Information Commissioner’s Office (ICO) by the law firm EMW.
The ICO received 6,281 privacy-related complaints from May 25 to July compared with 2,417 during the same period in 2017 — a 160% increase, according to EMW. Most were about use of personal data. GDPR took effect on May 25.
The financial services sector received 660 complaints, roughly a tenth of the total. Firms in the education and health sectors accounted for a combined 1,112.
The total reflected includes gripes from “some more disgruntled consumers making several, repeated complaints,” writes James Geary, a principal in EMW’s commercial contracts team.
Why is this happening now? “Greater media publicity and Government advertising means there is a heightened awareness of individuals’ new data rights under GDPR,” Geary says.
He adds that “emails represent one of the biggest challenges for GDPR compliance as failing to respond promptly to subject access requests or right to be forgotten requests could result in a fine.”
According to media reports, EMW filed a freedom of information request to get the information. It’s not clear why EMW had to go to that length when the ICO usually seems eager to publicize its findings.
But EMW determined that the ICO expects to grow its full-time head count from 530 to 720. This is in line with comments made by Information Commissioner Elizabeth Denham earlier this year.
Speaking at the IAPP Europe Data Protection Intensive 2018 in London, Denman reported that the ICO is recruiting at all levels of staff, including ten nearly created director roles, and expects to have a headcount of 700 by 2020.
She added that Parliament has agreed to a funding increase from £24 million to £38 million in 2018/2019.
The lesson here? That companies have to be prepared for trouble.
“A huge increase in complaints is very worrying for many businesses, considering the scale of the fines that can now be imposed,” Geary says. “There are some disgruntled consumers prepared to use the full extent of GDPR that will create a significant workload for businesses.”
He adds: “We have seen many businesses are currently struggling to manage the burden created by the GDPR, whether or not an incident even needs to be reported. The reality of implementation may have taken many businesses by surprise.”
And in case we need to be reminded, Geary notes that under GDPR, “the cap on each fine will be raised to £16.5 million (or 4% of worldwide turnover of the entity being fined) -- 33 times more than the current maximum £500,000 fine.”