UK Data Complaints Double Under GDPR

A data centre, storage, server

New figures show the Information Commissioner’s Office swamped with reports from individuals and companies alike

Data protection complaints have more than doubled in the UK since new rules under the General Data Protection Regulation (GDPR) came into force in May, the data regulator’s figures show.

The Information Commissioner’s Office (ICO) said it received 6,281 complaints from 25 May to 3 July, compared with 2,417 in the same period last year.

The complaints include individuals reporting the use or distribution of their personal data without permission and companies reporting incidents in which data they held was accessed.

Complaints involving the financial services, education and health sectors made up more than a quarter of the total, with financial services alone comprising one in 10 of the complaints.

data breachLarge fines

The figures are likely to reflect a rise in awareness and understanding of data protection laws by businesses and consumers alike, according to law firm EMW, which obtained the information through a freedom of information request.

The new regulations expose firms to fines of 20 million euros (£17m) or 4 percent of global annual turnover in the most serious cases.

Data protection cases have gained increasing visibility in the media, with the ICO in July imposing a penalty of £500,000, the maximum allowed under previous rules, on Facebook for allowing now-defunct political consultancy Cambridge Analytica to use the data of tens of millions of its users and for its lack of transparency about how such data is made use of.

The new regulations represent a significant burden for companies and regulators alike, EMW found, with the ICO saying it is adding staff to cope with GDPR complaints.

The regulator is moving from 530 full-time equivalent staff to 720 in the near future, nearly double its staffing levels in 2015.


The rules also form a “significant workload” for businesses, said EMW principal James Geary.

“We have seen that many businesses are currently struggling to manage the burden created by the GDPR, whether or not that relates to the implementation of the GDPR or reportable data security breach incidents,” he said, adding that the large potential fines are “worrying”.

“Despite (the GDPR) being on the horizon for a couple of years, the reality of the work involved in implementation and ongoing compliance may have taken many businesses by surprise,” he said.

New tasks include providing individuals with the data companies hold on them, an obligation under the GDPR.

The ICO said the rise in reports was due to more people becoming “aware of their individual rights”, and confirmed it is recruiting “all levels of staff, including 10 new director roles… to give us the capacity, capability and resilience to tackle our regulatory brief”.

Its funding is set to increase from £24m to £38m in 2018-19, the agency said.