GRI 418 Customer Privacy
GRI 418 covers substantiated complaints regarding customer privacy breaches and losses of customer data. As GDPR enforcement intensifies and data breaches multiply, customer privacy has become a material ESG topic — particularly for technology, financial services, healthcare, and retail companies.
What GRI 418-1 requires
GRI 418-1 requires disclosure of: total number of substantiated complaints received concerning breaches of customer privacy — broken down by complaints from outside parties and substantiated by the organisation, and complaints from regulatory bodies; and total number of identified leaks, thefts, or losses of customer data.
Substantiated complaint: a complaint that has been investigated and determined to have merit — not every complaint received, only those validated through investigation.
Regulatory body complaints: data protection authority investigations, GDPR breach notifications to regulators, FTC complaints (US), and equivalent national regulator actions. These are often more material than customer complaints because they carry legal consequences.
GDPR as a data source for GRI 418
GDPR (EU General Data Protection Regulation) requires companies to report personal data breaches to the relevant supervisory authority within 72 hours where the breach is likely to result in a risk to individuals' rights and freedoms. These mandatory breach notifications directly populate GRI 418-1 regulatory complaint data.
For companies subject to GDPR: your DPA (Data Protection Authority) notification log is the primary source for GRI 418-1 regulatory complaints. Your internal privacy incident register covers substantiated customer complaints and data losses not reaching the regulatory notification threshold.
GDPR fines: €20M or 4% of global annual turnover (whichever is higher) for serious violations. ESRS G1 requires disclosure of significant fines — major GDPR fines are a mandatory CSRD disclosure, making privacy governance a material ESRS topic for data-intensive businesses.
Building privacy governance for GRI 418
A mature privacy governance programme produces the data GRI 418-1 requires as a by-product of compliance operations. Key elements:
Privacy incident register — a log of all privacy incidents with their severity assessment, regulatory notification decision, and resolution status.
Data subject request tracking — GDPR requires responses to access, erasure, and rectification requests within 30 days; tracking these requests captures the complaint data needed for 418-1.
Data Protection Officer involvement: GDPR requires DPO appointment for companies processing large volumes of personal data. The DPO's annual report to the board is the governance document that connects privacy compliance to sustainability reporting.
For GRI 418 disclosure: work with your DPO and legal team to extract the annual incident count and categorise by substantiated customer complaint vs regulatory complaint vs data loss. Legal review of what can be disclosed vs what is legally privileged is essential before publication.
Frequently asked questions
Do we disclose every data breach in GRI 418-1?
No — only substantiated complaints and identified leaks, thefts, or losses. Minor incidents that do not result in risk to individuals (e.g. an internal email accidentally sent to the wrong colleague) and are resolved without a formal complaint are not typically included. Focus on incidents that triggered regulatory notification or formal customer complaints.
What if our privacy incidents are subject to legal confidentiality?
Disclose aggregate numbers without case-specific details. The count of substantiated complaints and regulatory notifications is not itself privileged. Legal advice on what narrative can accompany the numbers should be obtained from your privacy legal team.
How does GRI 418 relate to cybersecurity disclosure?
GRI 418 focuses on privacy — the impact of data breaches on customer rights. Cybersecurity as a business risk (operational disruption, financial losses from cyberattack) is covered more broadly under GRI 2 risk management disclosures and increasingly under ESRS 2 IRO disclosures. For technology companies, both privacy and cybersecurity are typically material GRI topics.