Claims that companies would be inundated with data deletion requests once GDPR came in to force might appear to have been wide of the mark, but two months into the new regime and privacy regulators and major brands are groaning under the weight of requests from consumers wanting to know what data is held on them.
Earlier this week, the Information Commissioner’s Office warned companies that the public is growing increasingly aware of its privacy rights, and there had been a significant increase in data protection complaints (up 15%), even before GDPR came into force on May 25.
The ICO said it received 1,106 data protection complaints in the three weeks after GDPR was introduced and said reports of data breaches had risen.
Meanwhile Ireland’s Data Protection Commission – which predicted a “tsunami” of GDPR data requests as far back as March last year – received 1,124 complaints in the first month, according to research by the International Association of Privacy Professionals. Data protection watchdogs in the Poland received nearly 800, while those in the Czech Republic and France each received more than 400 complaints.
Facebook has not escaped either, witnessing a fourfold increase in user queries after the introduction of GDPR, with data protection officer Stephen Deadman admitting “we’ll see whether it continues or stabilises”.
Privacy groups have also gone into overdrive, launching tools to help users to ask for data. One smartphone app, One Thing Less, has created a list of companies ranging from Acxiom to Samsung which consumers can use to make requests for information in three clicks.
Some companies, such as Netflix, Net-a-Porter and Marriott have not yet responded to users who requested information through the app in back in May, despite a requirement under GDPR to respond within a month.
Netflix said it would not work with the app unless it had an “appropriate authentication or legal process”.“If members cannot find the information they are looking for by logging in and going to their account page, we are happy to work with them directly.”
Net-a-Porter said: “Unfortunately we cannot recognise requests made via non-proprietary apps, such as One Thing Less, that do not allow us to verify the customer’s identity.”
Ruth Boardman, joint head of international privacy at law firm Bird & Bird, told the FT: “There have been a lot of requests asking for copies of the data, some of that has come through the companies’ own portals and some have been standard-format letters – there are a number of standard-format letters out there. If you’re a consumer-facing company you may get 200 or 300 of these in a go, so there’s a real overhead from it.”
ICO takes no prisoners as complaints and fines rocket
Only a fifth of UK companies are compliant with GDPR
GDPR one month on: Google admits that it’s clueless
Crisis? What crisis? GDPR fuels more potent marketing
‘Firms more worried about World Cup effect than GDPR’
Let battle commence: first GDPR complaints are filed
GDPR zero hour: Now the hard work begins say experts
Data deletion tsunami claims blown out of the water
Fears grow as ‘millions plan to delete data under GDPR’
Firms face bombardment of data requests under GDPR
Up to 10 million eye GDPR data compensation pay-out