If for many companies, the General Data Protection Regulation (GDPR) is an additional regulatory constraint; for individuals, it is a way to regain control of their personal data.
From now on, they can file a complaint themselves or mandate an association to file a complaint with the supervisory authorities. Thus, for example, La Quadrature du Net in France made a collective complaint to the Commission Nationale Informatique et Libertés (CNIL) against Google, Apple, Amazon, Facebook and Microsoft, among others, for non-compliance with the rules of free consent and prior information.
Individuals are indeed more and more aware of their rights. Since May 25th, 2018, the date of entry into force of the GDPR, complaints to the authorities concerning protection of personal data protection have exploded.
For example, the Information Commissioner’s Office in the UK reported that it had received 6281 complaints since May 25th, 2018, an increase of 160% over the same period of 2017.
Similarly, in France, the CNIL has received 3,767 complaints since May 25th,2018 against 2,294 complaints filed in the same period of 2017, an increase of 64%.
As for Luxembourg, the Commission Nationale pour la Protection des Données (CNPD), in its report published on September 13th, noted an increase of 8% in the number of complaints filed between 2016 and 2017. It is likely that this number will have increased in 2018.
This strong increase demonstrates individuals have a strong interest protecting their personal data and it should encourage organisations to be compliant.
Nevertheless, only 27% of European companies (excluding the UK) declare themselves in compliance.
It should be noted that often the authorities checks originate in complaints from consumers or customers. It is therefore imperative for companies to take the subject seriously and to (re-)build trust among their customers. Complying will become a competitive asset to retain or win new customers. As such, like the certification system envisaged by the CNPD (GDPR-CARPA), companies could have an interest in highlighting the fact that their data processing is certified according to the GDPR.