Complaints to the ICO have spiked since GDPR came into effect in May

Complaints to the Information Commissioner’s Office (ICO) in Europe have skyrocketed since the General Data Protection Regulation (GDPR) went into effect in late May.

GDPR is a sweeping set of new data privacy rules that govern the handling of EU members’ data no matter where it occurs. Companies found in breach of GDPR can be assessed fees up to €20 million, or 4 percent of their annual revenue, whichever is higher.

Numerous media outlets have reported that law firm EMW requested data from the ICO that showed that complaints to the supervisory authority rose 160 percent to 6,281 between May 25 and July 3, 2018, compared to the same period last year.

So, what does this mean for marketers?

James Geary, principal, commercial contracts for EMW, wrote in a blog post announcing the data, “A huge increase in complaints is very worrying for many businesses, considering the scale of the fines that can now be imposed. There are some disgruntled consumers prepared to use the full extent of GDPR that will create a significant workload for businesses.”

Geary said:

We have seen many businesses are currently struggling to manage the burden created by the GDPR, whether or not an incident even needs to be reported. The reality of implementation may have taken many businesses by surprise. For example, emails represent one of the biggest challenges for GDPR compliance as failing to respond promptly to subject access requests or right to be forgotten requests could result in a fine. The more data a business has, the harder it is to respond quickly and in the correct compliant manner.

Daniel Jaye, founder and head of product for aqfer, said that US businesses need to get their systems up to date.

He said:

Data breaches are happening all the time in the US, and it’s past time for companies to prioritize the replacement of legacy data platforms, which hold the highest risk due to the data being too far spread. We will see an acceleration of the adoption of data-centric marketing architecture that is supported by CDPs and others that put the data back in the enterprise’s control.

Travis Ruff, chief information security officer for data platform Amperity, said that the report is a warning to US companies that will soon be grappling with their own states’ data privacy laws. California passed a strict GDPR-like law in June and other states are expected to follow suit.

Ruff said:

Individuals have been made aware of their rights, they have been provided an outlet and communications mechanism for reporting potential abuses of the use of their information, and they have been told that there will be real repercussions if those abuses turn out to be true. This is a valuable lesson as the US begins to catch up on our own privacy laws. Besides having a plan for data use, incident response, and all of the other ‘industry standard’ security and risk management capabilities, it is critical that organizations be prepared for a potential onslaught of complaints and they must have a plan to rapidly address them, scale the process if necessary and meet the expectations of their customers and regulators.