Data breach complaints have more than doubled since GDPR

The ICO has received more than 6,000 data breach complaints since May

Complaints to the Information Commissioner's Office (ICO) about potential data breaches have more than doubled since the GDPR came into force in May.

According to data from law firm EMW, complaints to the ICO rose 160 per cent, to 6,281, between the 25th May and 3rd July this year compared to the same period in 2017.

Under the new regulation, companies that are breached can be fined up to four per cent of their annual worldwide turnover, or €20 million, whichever is higher.

Although several companies have announced breaches since the 25th May, most of them occurred before the GDPR came into force, and so none have been hit with the new penalties.

It looks likely that the first high-profile name to feel the sting of the ICO's new powers will be Superdrug, which this month announced that a hacker had stolen personal details from as many as 20,000 customers.

Superdrug said that the data was taken from ‘other websites’ - possibly in an attempt to escape penalties - and that those credentials were used to access its own.

However, the company also did not reset customer passwords - the standard response to a breach - and so cannot claim to have done all in its power to mitigate the effects.

Media and government coverage of the GDPR has boosted public awareness of data rights, and there is now more of a focus on business accountability in this area, EMW said.

The law firm's data shows that companies holding sensitive personal information, such as health records and financial data, were the most complained about, representing more than 25 per cent of the total.

James Geary, principal at EMW, said, "A huge increase in complaints is very worrying for many businesses, considering the scale of the fines that can now be imposed…

"We have seen that many businesses are currently struggling to manage the burden created by the GDPR, whether or not that relates to the implementation of the GDPR or reportable data security breach incidents."

"Governing bodies need to be tighter on the misuse of data and follow through with their word of placing financial sanctions on those who do not adhere to the regulation," said Ian Woolley, chief revenue officer at data privacy company Ensighten.

"Brands need to stop viewing GDPR as just a legal hurdle to jump. Consistent data governance is the only way to ensure that brands aren't putting their customers or reputation at risk."