
GRI 418 Customer Privacy (Updated)

GRI 418 requires disclosure of substantiated complaints regarding customer privacy breaches and losses of customer data. With GDPR enforcement accelerating and data breaches increasingly headline news, customer privacy has become one of the most material social topics for technology, financial services, healthcare, and retail companies.

GRI reference: GRI 418: Customer Privacy 2016
Disclosures: 418-1 only
ESRS overlap: Maps to ESRS S4 + ESRS G1
GDPR link: Article 33 breach notification records feed the 418-1 data-loss count directly
Key metrics: Substantiated outside-party complaints, regulatory complaints, data leaks/thefts/losses
Most material for: Technology, financial services, healthcare
TL;DR

GRI 418 has a single disclosure, 418-1, made up of three figures: substantiated complaints about customer privacy breaches received from outside parties, complaints from regulatory bodies, and identified leaks, thefts or losses of customer data. For GDPR-subject companies a privacy incident register kept throughout the year supplies all three with little extra effort.

What GRI 418-1 requires

GRI 418-1 requires disclosure of: total number of substantiated complaints received concerning breaches of customer privacy — broken down by complaints from outside parties substantiated by the organisation, and complaints from regulatory bodies; and total number of identified leaks, thefts, or losses of customer data.

Substantiated complaint: a complaint that has been investigated internally and determined to have merit — not every privacy complaint received, only those validated as involving an actual privacy breach.

Regulatory body complaints: complaints, inquiries and enforcement actions raised by a data protection authority, for example a supervisory authority investigation opened after a breach notification or a data subject complaint, and equivalent regulatory actions in non-EU jurisdictions. The organisation's own outbound breach notifications are not complaints from a regulator; they are the source for the data-loss count below. Regulatory complaints are often more material than customer complaints because they carry legal consequences, including fines.

Data leaks, thefts, and losses: separate from complaints — these are identified incidents where customer data was exposed, regardless of whether affected customers have complained. GDPR breach notifications to data protection authorities are the primary source for this metric.

GDPR as the primary data source for GRI 418

For companies within GDPR's territorial scope (Article 3: established in the EU, or, wherever located, offering goods or services to, or monitoring the behaviour of, people in the EU), the mandatory breach documentation and notification records provide the primary data for GRI 418-1.

GDPR Article 33 requires notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Article 33(5) requires every breach to be documented, including those not notified, together with the reasoning. These records feed the leaks, thefts and losses figure in GRI 418-1; a supervisory authority investigation that follows a notification counts as a complaint from a regulatory body.

GDPR Article 34 requires notification to affected data subjects where the breach is likely to result in high risk to their rights and freedoms. Where affected customers then file complaints, these become the substantiated customer complaint component.

For GRI 418-1 data collection: maintain a privacy incident register throughout the year — logging all privacy incidents, their severity assessment, the regulatory notification decision, and the resolution outcome. The annual summary of this register provides the GRI 418-1 data with minimal additional collection effort.

Fines: GDPR administrative fines (up to €20M or 4% of global annual turnover, whichever is higher) for serious violations are potentially very large. Under CSRD, material fines must also be disclosed under the applicable ESRS; privacy for consumers and end-users falls within ESRS S4. GRI 418-1 and the ESRS fine disclosures together give a complete picture of privacy compliance for CSRD companies also using GRI, so the two sets of figures should be reconciled before publication.

Building privacy governance for GRI 418

A mature privacy governance programme produces GRI 418-1 data as a by-product of compliance operations rather than requiring separate data collection.

DPO annual report: Companies required to appoint a Data Protection Officer (DPO) under GDPR should receive an annual DPO report to the board covering: incidents notified to supervisory authorities; subject access requests handled; privacy impact assessments conducted; training completion rates; and significant findings from privacy audits. This DPO report is the governance document connecting privacy compliance to GRI 418-1 disclosure.

Privacy incident register: A centralised log of all privacy incidents — minor and major — with categorisation by: type (unauthorised access, data loss, accidental disclosure, system breach); severity (low, medium, high based on number of data subjects affected and sensitivity of data); regulatory notification status (not notified, notified to authority, notified to data subjects); and resolution status.

Data subject request tracking: GDPR requires a response to subject access requests within one month of receipt, extendable by a further two months for complex or numerous requests provided the data subject is told within the first month. Tracking request volumes and response times, reported to the board quarterly, demonstrates effective privacy governance and provides context for GRI 418 disclosure.

For first-time GRI 418 reporters: if your DPO or legal team has not been maintaining a privacy incident register, reconstruct the annual figure from: GDPR breach notification records (regulatory complaints and data losses); formal customer privacy complaints handled by customer service or legal; and insurance notification records if you have cyber liability insurance.
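The register described above, and the annual summary that turns it into GRI 418-1 figures, is small enough to implement directly. The following is an added example, not ESGMaster code or any published GRI tooling: the Incident fields, the severity thresholds and the sample incidents are assumptions constructed for illustration. It applies the counting rules from this page (outside-party complaints count only when substantiated, regulator complaints count as received, data losses count whenever exposure is confirmed, employee-only incidents are excluded) and also checks each exposed incident against the Article 33 72-hour clock, flagging late notifications and incidents with no notification decision on file.

```python
"""Privacy incident register that yields GRI 418-1 figures and an Article 33 timeliness check.

Added example for illustration; not ESGMaster code. Field names, thresholds and
the sample register are assumptions, not real incidents.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional

# GDPR Article 33: notify the supervisory authority within 72 hours of awareness.
ART33_DEADLINE = timedelta(hours=72)


class Source(Enum):
    OUTSIDE_PARTY = "outside_party"  # customer, partner or NGO complaint
    REGULATOR = "regulator"          # DPA inquiry or enforcement action
    INTERNAL = "internal"            # found by monitoring, audit or staff


@dataclass(frozen=True)
class Incident:
    ref: str
    incident_type: str        # unauthorised_access | data_loss | accidental_disclosure | system_breach
    source: Source
    detected: datetime        # when the organisation became aware (starts the 72h clock)
    data_subjects: int
    sensitive: bool           # special-category or financial data
    customer_data: bool = True            # False for employee-only incidents (outside 418-1 scope)
    substantiated: Optional[bool] = None  # outcome of the internal investigation, None if open
    data_exposed: bool = False            # confirmed leak, theft or loss of data
    notified_authority: Optional[datetime] = None


def severity(inc: Incident) -> str:
    """Low/medium/high from subject count and data sensitivity (thresholds are assumed)."""
    if inc.sensitive or inc.data_subjects >= 1000:
        return "high"
    if inc.data_subjects >= 100:
        return "medium"
    return "low"


def gri_418_1(register: List[Incident], year: int) -> Dict[str, int]:
    """Aggregate the register into the three GRI 418-1 figures for one reporting year."""
    in_scope = [i for i in register if i.detected.year == year and i.customer_data]
    return {
        "outside_party_substantiated": sum(
            1 for i in in_scope if i.source is Source.OUTSIDE_PARTY and i.substantiated is True),
        "regulatory": sum(1 for i in in_scope if i.source is Source.REGULATOR),
        "data_losses": sum(1 for i in in_scope if i.data_exposed),
    }


def art33_review(register: List[Incident]) -> Dict[str, str]:
    """Flag exposed incidents notified after 72h, or with no notification decision recorded."""
    findings: Dict[str, str] = {}
    for inc in register:
        if not inc.data_exposed:
            continue
        if inc.notified_authority is None:
            # Article 33(5): even non-notified breaches need a documented risk assessment.
            findings[inc.ref] = "no notification decision recorded"
        elif inc.notified_authority - inc.detected > ART33_DEADLINE:
            late = inc.notified_authority - inc.detected - ART33_DEADLINE
            findings[inc.ref] = f"late by {int(late.total_seconds() // 3600)}h"
    return findings


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample register: six made-up incidents, one from the prior year.
SAMPLE_REGISTER = [
    Incident("INC-2024-01", "accidental_disclosure", Source.OUTSIDE_PARTY, _t("2024-03-04T10:00:00"),
             1, False, substantiated=True, data_exposed=True),
    Incident("INC-2024-02", "unauthorised_access", Source.INTERNAL, _t("2024-05-10T09:00:00"),
             12000, True, data_exposed=True, notified_authority=_t("2024-05-12T15:00:00")),
    Incident("INC-2024-03", "accidental_disclosure", Source.OUTSIDE_PARTY, _t("2024-06-20T14:00:00"),
             1, False, substantiated=False),
    Incident("INC-2024-04", "system_breach", Source.REGULATOR, _t("2024-07-02T11:00:00"), 0, False),
    Incident("INC-2024-05", "data_loss", Source.INTERNAL, _t("2024-09-01T08:00:00"),
             300, False, customer_data=False, data_exposed=True,
             notified_authority=_t("2024-09-05T10:00:00")),
    Incident("INC-2023-09", "data_loss", Source.INTERNAL, _t("2023-12-28T08:00:00"),
             50, False, data_exposed=True, notified_authority=_t("2023-12-29T08:00:00")),
]

if __name__ == "__main__":
    print("GRI 418-1 (2024):", gri_418_1(SAMPLE_REGISTER, 2024))
    print("Article 33 review:", art33_review(SAMPLE_REGISTER))
    for inc in SAMPLE_REGISTER:
        print(inc.ref, severity(inc))
```

Two design points worth keeping in a real register: the employee-only incident is excluded from the 418-1 counts but still reviewed for Article 33 timeliness, because the notification duty does not depend on whose data it is; and an exposed incident with no notification on file is surfaced rather than silently treated as "not notifiable", so the reviewer has to find the documented risk assessment.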

Frequently asked questions

Do we include privacy incidents involving employee data in GRI 418-1?

GRI 418 focuses on customer privacy — the standard title is 'Customer Privacy'. Employee data breaches are not typically included in GRI 418-1. However, where your business model involves processing customer data that is inextricably linked to employee data (healthcare providers, HR technology companies), include all personal data incidents and note the scope in your methodology.

What if privacy incident details are legally privileged?

Disclose aggregate numbers without case-specific details. The count of substantiated complaints and regulatory notifications is not itself privileged. The existence of incidents can be disclosed — it is the investigation details, legal assessments, and settlement terms that may be privileged. Legal review before publication is recommended for the accompanying narrative.

Does GRI 418 cover cybersecurity incidents that do not involve personal data?

No — GRI 418 is specifically about customer privacy (personal data). Cybersecurity incidents involving no personal data — for example, operational technology attacks that disrupt manufacturing without exposing customer data — are covered under GRI 2 risk management disclosures and ESRS 2 risk management, not GRI 418.
