UK data protection complaints more than double under new GDPR rules

The number of complaints filed with the U.K. data protection watchdog has more than doubled since the introduction of new European regulations.

There were 6,281 complaints filed with the Information Commissioner’s Office between May 25, when the new GDPR rules went into effect, and July 3, more than double the 2,417 complaints filed during the same period a year earlier.

The ICO, which enforces the new rules in the U.K., did not say if the bulk of the new cases are GDPR-related as the watchdog doesn’t separate out its complaints by type, but said that the agency expects the figures will continue to climb.

“Generally, as anticipated, we have seen a rise in personal data breach reports from organizations,” said an ICO spokesperson. “Complaints relating to data protection issues are also up and, as more people become aware of their individual rights, we are expecting the number of complaints to the ICO to increase too.”

It follows a similar reported rise in figures from neighboring Ireland, with more than half of new complaints falling under the GDPR umbrella since the law was introduced.

The new EU-wide rules are a long-overdue replacement for the fragmented data protection and privacy rules, dating from two decades ago, that applied across the 28-member-state bloc. Under the new regulations, European citizens can request their data from companies, and can ask for their data to be corrected and deleted under the so-called “right to be forgotten” provision.

Companies that fail to abide by the new rules can face steep fines.

Under the new GDPR regulations, each fine is capped at about €20 million (£16.5 million) or four percent of global annual revenue. Previously, the maximum fine was set at £500,000 — a drop in the ocean to some major companies.

Law firm EMW obtained the figures following a Freedom of Information request.

“Despite this being on the horizon for a couple of years, the reality of the work involved in implementation and ongoing compliance may have taken many businesses by surprise,” said James Geary, principal at EMW. “Failing to respond promptly to subject access requests or right to be forgotten requests could result in a fine and the time involved in responding properly should not be underestimated.”

“The more data a business has, the harder it is to respond quickly and in the correct compliant manner,” he said.