GDPR: One year on. Lenders account for 6% of UK data protection complaints
From May 25, 2018 to May 1, 2019, the UK Information Commissioner’s Office received over 41,000 data protection concerns from the public.
Last May saw a serious shift in privacy and information rights with the implementation of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
The UK Information Commissioner’s Office (ICO) has published an update on the matter: “GDPR: One year on”. The purpose of this update is to reflect on the regulator’s experiences over the past year and share what it has learnt about the GDPR and its impact a year after its implementation.
The ICO received around 14,000 personal data breach (PDB) reports from May 25, 2018 to May 1, 2019. For comparison, the regulator received around 3,300 PDB reports in the year from April 1, 2017.
The ICO closed over 12,000 of these cases during the year. Of these, only around 17.5% required action from the organisation and less than 0.5% led to either an improvement plan or civil monetary penalty. While this means that over 82% of cases required no action from the organisation, it demonstrates that businesses are taking the requirements of the GDPR seriously.
Greater awareness of individual rights has had a significant impact on the numbers of concerns raised with the regulator by the public. From May 25, 2018 to May 1, 2019, the ICO received over 41,000 data protection concerns from the public. The figure for 2017/18 was around 21,000.
Subject access requests remain the most frequent complaint category, representing around 38% of data protection complaints the ICO received. This is similar to the proportion before the GDPR (39%). In fact, the general trend is that all categories of complaint have risen in proportion with the overall increased number of complaints since the implementation of the GDPR.
The regulator notes that some sectors are responsible for higher numbers of breach reports and data protection concerns. The health sector, for example, accounts for over 16% of PDBs and 7% of data protection complaints. Local government accounted for 8% of PDBs and 9% of data protection complaints. Lenders accounted for 6% of data protection complaints.
EU Data Protection Board figures indicated that from May 25, 2018 to May 1, 2019, there were around 240,000 cases across the EU (data protection complaints, data breaches, proactive investigations or other similar issues). The ICO received over 55,000 of these (roughly 23%).
Where the data protection cases reported have cross-border implications throughout the EU, these are reported to a lead EU data protection authority. The UK is currently the lead supervisory authority on 93 of these cases.
In addition, the UK is working on behalf of UK citizens to uphold their information rights in 58 other cases where other EU data protection authorities are the lead supervisory authority, and the UK is a concerned supervisory authority.