[BreachExchange] GDPR sparks rise in data protection complaints

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jun 29 15:01:12 EDT 2018


https://www.out-law.com/en/articles/2018/june/gdpr-rise-data-protection-complaints/

Data protection law experts Ian Birdsey and Laura Gillespie of Pinsent
Masons, the law firm behind Out-Law.com, said a combination of consumers'
increased awareness of privacy issues and greater transparency around
personal data breaches are likely factors behind the increase.

According to the Guardian, the UK's Information Commissioner's Office (ICO)
has "seen a rise in personal data breach reports from organisations" as
well as a rise in "complaints relating to data protection issues" since the
GDPR took effect on 25 May this year.

Politico also reported that the Commission Nationale de l’Informatique et
des Libertés (CNIL), the data protection authority in France, has already
seen the volume of complaints increase by more than 50% compared to the
same period last year.

Politico further reported that the Austrian watchdog has received 128
complaints and 59 data breach notifications since the GDPR took effect. The
watchdog said that the volume of notifications it has received in the past
month equates to the number of notifications it received in an eight-month
period before the GDPR began to apply, according to the report.

The GDPR mandates the reporting of certain data breaches to data protection
authorities and affected individuals.

Data controllers are required to notify local data protection authorities
of personal data breaches they have experienced "without undue delay and,
where feasible, not later than 72 hours after having become aware of it …
unless the personal data breach is unlikely to result in a risk to the
rights and freedoms of natural persons".

A higher threshold for notifying affected members of the public of data
breaches applies. Data breaches must be "likely to result in a high risk to
the rights and freedoms of natural persons" before notification would be
required, but there are further conditions set out in the legislation to
restrict the circumstances in which notification would need to be made.

A personal data breach is defined under the GDPR as "a breach of security
leading to the accidental or unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to, personal data transmitted, stored
or otherwise processed".

Birdsey said: "While all organisations were previously encouraged to
voluntarily disclose when they had suffered a data breach, not least to
avoid potentially stiffer regulatory fines should they later come to light,
the notification of data breaches was only previously mandated in certain
sectors of the economy, such as financial services and telecoms – the GDPR
has changed all that by introducing mandatory data breach notification for
all data controllers."

"In addition, the concept of a 'personal data breach' has been expanded by
the GDPR, meaning more incidents are likely to be subject to disclosure
than previously, particularly given the growing cyber risk organisations
face. Allied to the greater understanding of data privacy rights that the
public now has, these factors will all be contributing to the increase in
data protection complaints," he said.

Gillespie said: "With the deluge of emails people were receiving in their
inboxes concerning consent and updated privacy notices, it is not
surprising that people have become more acutely aware of their individual
privacy rights and this has led to an increase in complaints."

"Whilst the regulators will investigate complaints and have the power to
issue fines for breaches of the GDPR of up to €20 million or 4% of global
turnover, whichever is higher, individuals also have the right to
compensation. This right is not limited to cases where material damage has
occurred - it includes 'non-material damage' too, which the new Data
Protection Act in the UK makes clear includes where individuals have
experienced 'distress' as a result of a breach. It is therefore clear that
investing in robust compliance systems now to prevent any breach could
avoid a substantial cost down the track," she said.