Disclosure LibraryPractitioner guidance for every reporting disclosure
GRI 418: Customer Privacy 2016 · Topic Standard · Cross-sectoral
Disclosure GRI 418-1

Substantiated complaints concerning breaches of customer privacy and losses of customer data

Practical guidance for preparing this disclosure. Use this card to identify datapoints, verify claims and organise supporting evidence. For exact requirements, always refer to the official GRI source.

Dr Ross Kurinko, GRI Certified Trainer
Reviewed by Dr Ross Kurinko · GRI Certified Trainer LRA educational guidance · Not issued or endorsed by GRI
Disclosure focus

This disclosure asks an organisation to report how many customer privacy complaints were found to be valid, and how many incidents involved customer data being lost, exposed or otherwise compromised. The focus is on confirmed issues, not every allegation or concern raised, so the organisation should distinguish between complaints received and those that were substantiated after review.

In practice, the reporting should cover the organisation’s relevant operations and data-handling activities, not just a few visible sites or flagship locations. The key question is whether the organisation can show the scale of confirmed privacy and data-loss problems across the period, and explain the basis used to identify and count them consistently.

* This LRA educational guidance supports disclosure preparation. For the exact requirements, always refer to the official GRI source.

Before you start

A quick mental checklist before you prepare this disclosure — tick each as you settle it.

Preparation
Key datapoints to prepare
DatapointWhat to captureEvidence hintOwner
Prior-year breach shareWhether a meaningful share of the confirmed breaches being reported can be traced to incidents that happened in earlier reporting periods.Case log with incident dates, investigation outcomes, and the reporting-period cut used to classify each confirmed breach.Privacy / compliance
Complaint typeThe category used to group the complaints being reported, using the organisation’s agreed complaint taxonomy.Complaint register, triage rules, and the category list used by customer service or compliance.Customer service / compliance
Confirmed privacy complaintsThe count of complaints about customer privacy that were investigated and confirmed as valid within the reporting period.Privacy complaints log, investigation records, and substantiation status from the case management system.Privacy / legal
Customer data incidentsThe count of identified incidents where customer data was leaked, stolen, or lost during the reporting period.Data incident register, security incident reports, and breach notifications or forensic findings where applicable.Information security / privacy
No confirmed complaints statementA short statement confirming that no substantiated customer privacy complaints were identified, if that is the case.Final complaint review summary showing zero confirmed cases for the period and sign-off from the responsible team.Privacy / compliance
Show GRI 418-1 sub-elements (LRA working checklist)
  • If there were no substantiated complaints, say so briefly, where this applies.
  • Group the complaints by type.
  • Check whether a significant share of the breaches came from earlier reporting periods.
  • State the total count of confirmed customer-data leaks, thefts, or losses.
  • State the total count of confirmed complaints about customer privacy breaches.

LRA working checklist - paraphrased; see official source

How to prepare
  1. Set the reporting boundary first: decide which parts of the business, products, services and customer records are in scope for this disclosure, and keep that scope consistent across the figures and narrative.
  2. Define the event types you will count before gathering data: separate privacy complaints from data incidents, and make sure your internal definitions match the way you will report the category, the complaint count and the incident count.
  3. Pull together the underlying records that support each figure: complaint logs, investigation outcomes, incident registers and any case notes showing whether a complaint was upheld or not.
  4. Prepare the reported outputs in the required form: state the complaint category, give the number of upheld privacy complaints, give the number of data leaks, thefts or losses, and include a short statement if there were no upheld complaints to report.
  5. Check whether any of the reported matters relate to earlier reporting periods, and note that point clearly where it affects the current-year disclosure.
  6. Record any exclusions, reclassifications or changes in how the data was gathered or counted, then compare the final disclosure back to the official source material to confirm nothing has been missed or misstated.
Want to do this on a real report? Practise GRI social disclosures live with Dr. Kurinko — GRI Standards Certified Training. Explore →
Request the privacy complaints and customer data incident figures

Translate the disclosure into an internal business question — then adapt it to your organisation's own language.

How many customer privacy complaints were upheld, how many customer data loss or leak incidents were identified, and is there any note needed about whether a material share links back to earlier years?

Use your organisation’s own labels first, then map them to the reporting fields. For example, ask for the team’s case categories, incident log terms, and breach register wording rather than using framework language in the request.

Weak request

Please provide the GRI 418-1 data for the year, including substantiated complaints, losses of customer data, and whether any relate to prior years.

Why it fails: It uses framework wording that many operational teams do not track day to day, so the owner may not know which cases to pull. It also does not specify the local register, the counting basis, or the internal labels needed to reconcile the figures.
Better request

Please pull the customer privacy complaint and data incident figures from your case tracker for [period] and [boundary]. Use your own labels, and include upheld/confirmed complaints, customer data leak/theft/loss incidents, any cases linked to earlier years, plus the source register and a contact who can confirm the numbers.

Formal email template
Subject: Request for customer privacy complaint and data incident figures for [reporting period]

Dear [name/team],

I am preparing the sustainability reporting pack and need your help with the customer privacy and data incident figures for [reporting period] and [reporting boundary].

Please share, using your own case and incident terms:
- the number of customer privacy complaints that were upheld or otherwise confirmed as valid in the period;
- the number of customer data leak, theft, or loss incidents identified in the period;
- whether any of the confirmed cases relate to events from earlier years;
- the category labels you used and any short notes needed to explain the counts.

Please also include the source system or register, the date extracted, and the person who can confirm the figures.

A possible LRA training template is attached below; please adapt this to your organisation and check the official source before sign-off.

Many thanks,
[preparer name]
Short Teams / Slack version
Hi [name] — could you send the customer privacy complaint and data incident counts for [period] / [boundary]?

Please use your own tracker terms and include:
- upheld/confirmed customer privacy complaints;
- customer data leak/theft/loss incidents;
- any cases linked to earlier years;
- the source register and a contact who can confirm.

Please adapt this to your organisation and check the official source before sign-off. Thanks.
Industry examples
Retail / E-commerce

Context. The customer care team logs complaints separately from the information security incident register.

Adapted request. Please provide the counts from the customer complaints log and the security incident register for [period] / [boundary]. Use your own labels for upheld privacy complaints and customer data loss events, and flag any cases that started in an earlier year.

Example response. Complaints log: 7 upheld customer privacy complaints. Security register: 2 customer data loss incidents. One complaint related to a case first raised in the prior year. Source systems: CRM complaints queue and incident register.

Financial services

Context. The privacy office manages customer rights complaints, while operational risk tracks data incidents.

Adapted request. Please share the confirmed customer privacy complaint count from the privacy case system and the number of customer data leak or loss events from the operational risk log for [period]. Please also note whether any confirmed matters stem from earlier periods.

Example response. Privacy case system: 4 confirmed customer privacy complaints. Operational risk log: 1 customer data loss event. No current-period cases were linked to earlier years. Reviewed by the privacy lead and operational risk manager.

The full request pack — response form, data table, evidence metadata and sign-off — is in the Download Centre.

Draft your disclosure

LRA training templates — adapt them to your organisation, and check the official source before sign-off.

Method note

Explain how the organisation defines a privacy complaint, how it decides whether a case is confirmed, and whether the figures cover only the current period or also include matters first raised earlier but resolved now.

Context note

Set out what the numbers indicate about customer-data protection performance, including the volume of confirmed complaints and any identified data leaks, thefts, or losses, and note when there were no confirmed complaints to report.

Fluctuation statement

If the figures move materially, describe the main operational or case-handling reasons behind the change, including whether any confirmed matters were linked to events from earlier periods.

Content index entry

GRI 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data — [location / page] / [notes]

Assurance readiness
For each claim, check the evidence
ClaimRiskEvidence to check
I checked whether a meaningful share of the reported cases came from earlier periods, so the figure reflects when the underlying issue happened as well as when it was logged.The assurer will test whether we have mixed up the reporting year with the year the incident occurred, or whether older cases have been counted inconsistently.Case register with incident dates and report dates; ageing analysis; reconciliation between the current-period count and any prior-period cases included; review notes explaining how older matters were treated.
I grouped the complaints using a consistent internal category set, and I kept the mapping used to place each case into the disclosed category.The assurer will probe whether the category labels were applied consistently, whether cases were double-counted or misclassified, and whether the grouping matches the source records.Complaint taxonomy or coding guide; source complaint logs; sample of cases showing category assignment; reviewer sign-off on the final grouping; change log if categories were updated.
I derived the privacy-related complaint count from the underlying case files and only included matters that had been confirmed through our review process.The assurer will check whether the count is complete, whether unconfirmed matters were excluded, and whether the confirmation test was applied in the same way across the population.Substantiation records; complaint investigation files; final count calculation; evidence of inclusion/exclusion criteria; reconciliation to the complaints register and legal or compliance review notes.
I compiled the data-breach total from the incident log, using the same definition and cut-off across the period, and I kept support for each event counted.The assurer will look for missed incidents, duplicate entries, inconsistent cut-off treatment, or weak support for why each event was included.Security or incident register; incident tickets; duplicate-check or reconciliation worksheet; period cut-off memo; evidence pack for each counted event; management review of the final tally.
Where no confirmed privacy complaints were found, I used the underlying records to support that statement and checked that the wording matched the evidence.The assurer will test whether the zero-claim statement is backed by a complete search of the relevant records and whether any unresolved matters were overlooked.Search results from complaint, legal, and incident records; confirmation from relevant teams; close-out or nil-return sign-off; evidence of the review period and scope used for the search.
Evidence pack to prepare
  • The governing policy or written commitment behind this disclosure
  • A methodology / definition note setting out how the disclosure was scoped and prepared
  • Source-system exports the figures or facts were drawn from
  • The internal approval / sign-off record for the disclosure before publication
  • Minutes or records evidencing the relevant engagement or consultation
Common reporting gaps
  • Figures are stated without the supporting narrative, or narrative without figures.
  • Scope is inconsistent between the text and the numbers.
  • The reporting boundary is left undefined.
  • Material changes since the previous period are not disclosed.
  • Estimates and measured values are not distinguished.
  • Source records for the figures are not identified.
Examples
Illustrative examples

Synthetic, written by LRA — not from a company report, not text from any standard.

Retail banking · synthetic · written by LRA
Illustrative breakdown of customer privacy complaints and data incidents (cases)
CategoryUpheld complaintsEarlier-period linkData incidentsTotal
Account access4127
Marketing contact3115
Online service handling2125

Synthetic example: we recorded 12 privacy complaints in the year, and 9 were upheld after review. Of those upheld cases, 3 were linked to earlier reporting periods, and we also identified 5 separate incidents involving customer data being exposed, taken, or misplaced. The complaints were mainly about account access, marketing contact, and online service handling; because we did identify substantiated cases, no statement of zero upheld complaints applies here.

Illustrative only. This example shows how to report the mix of complaint topics, the number upheld, how many relate to earlier years, and the count of data-loss incidents, while making clear that a zero-upheld-complaints statement is not used when substantiated cases exist.
Healthcare services · synthetic · written by LRA
Illustrative breakdown of privacy complaints and data incidents (cases)
CategoryComplaints receivedUpheld complaintsData incidentsTotal
Appointment and records handling3014
Access and identity checks2013
Digital messaging and portals2002

Synthetic example: during the period we received 7 complaints about patient-data handling, and 0 were upheld after investigation. We found 2 incidents where records were leaked, stolen, or lost, and none of the complaints category totals resulted in a substantiated case; as a result, we can state that we identified no upheld privacy complaints in this example.

Illustrative only. This example shows a case where complaints were received but none were upheld, alongside the number of data-security incidents and a clear zero-upheld-complaints statement.
Draft output & visualisation ideas

How to turn the collected data into a draft disclosure. The charts below are drawn from the illustrative figures above — swap in your own data.

Retail banking — Illustrative breakdown of customer privacy complaints and data incidents
Illustrative breakdown of customer privacy complaints and data incidents (cases)0510Upheld complaints: 4Earlier-period link: 1Data incidents: 27Account accessUpheld complaints: 3Earlier-period link: 1Data incidents: 15Marketing contactUpheld complaints: 2Earlier-period link: 1Data incidents: 25Online service handli…Upheld complaintsEarlier-period li…Data incidents
Healthcare services — Illustrative breakdown of privacy complaints and data incidents
Illustrative breakdown of privacy complaints and data incidents (cases)02.55Complaints received: 3Data incidents: 14Appointment and recor…Complaints received: 2Data incidents: 13Access and identity c…Complaints received: 22Digital messaging and…Complaints receiv…Upheld complaintsData incidents

Other views you could build

  • Customer privacy complaints by category — table: A simple listing of complaint types alongside the number of cases substantiated in each category, so readers can see which issues were confirmed.
  • Confirmed complaints versus data loss incidents — bar: A side-by-side comparison of the count of upheld privacy complaints and the count of customer-data leaks, thefts, or losses identified during the period.
  • Breakdown of customer data incidents — stacked bar: How identified customer-data leaks, thefts, or losses are split across incident types or reporting periods, if the reporter groups them that way.
  • Trend in confirmed privacy issues over time — line: How the number of upheld customer privacy complaints changes across reporting periods, including any visible rise or fall.
  • Where incidents were identified — map: The locations linked to confirmed privacy complaints or customer-data incidents, if the organisation tracks them by place.
  • Share of privacy-related matters with no confirmed cases — donut: The proportion of reported privacy-related matters that did not result in any upheld complaint, where the organisation wants to show the balance between reported and confirmed cases.
From a number to a disclosure

What separates a figure from a disclosure.

Basic

We confirmed 3 privacy complaints and 2 customer-data loss incidents.

Better

We confirmed 3 privacy complaints and 2 customer-data loss incidents, with 1 of the 5 linked to an earlier year.

Best

We confirmed 3 privacy complaints and 2 customer-data loss incidents this year, and 1 of the 5 related to an earlier period because one case stayed open across reporting dates.

From company reports
Real published reports Compare side by side →Get it free

Real reports where this topic is disclosed. The confidence label shows how closely each match maps to GRI 418-1 — these are report practice, not exact disclosure examples.

CompanySector · CountryYearMatchPageReportAssurance
Transportadora de Gas Internacional S.A. E.S.P. Oil and Gas · Colombia 2025 Partial p. 141 →p. 158 →p. 142 → Integrated Sustainability Report 2025 → Deloitte; EY; BSI
Evidence in Transportadora de Gas Internacional S.A. E.S.P.’s report

What the report shows

Transportadora de Gas Internacional S.A. E.S.P.'s Integrated Sustainability Report 2025 includes detailed narrative and numeric data on ethics and compliance activities, reporting 202 such activities monitored through internal indicators (p.43), and provides figures on substantiated complaints related to customer privacy breaches for 2024 and 2025 (p.158). The report also addresses indirect emissions from purchased goods and services under Category 4 (p.179). However, it lacks a clear headline value for natural gas leaks from flaring, fugitive emissions, venting, and pneumatic sources, with only partial supporting context provided (p.123), and no narrative evidence was found for some expected disclosures.

Evidence-based summary of this company’s own report — not a disclosure template to copy, and not a compliance verdict.

Datapoint coverage

DatapointStatusPage
Prior-year breach shareA reported value was found on this page. covered p. 43
Complaint typeA reported value was found on this page. covered p. 179
Confirmed privacy complaintsA reported value was found on this page. covered p. 158
Customer data incidentsSupporting context was found, but no headline value. partial p. 123
No confirmed complaints statementNo quotable evidence was found in this report. not found

Source trail

  • p. 43During 2025, we carried out 202 activities associated with the prevention, detection, and response pillars of the Ethics and Compliance Program, all of which were monitored through internal indicators that enable the assessment of progress, identification of gaps, and strengthening of decision-making. In addition,…
  • p. 48Events Number of confirmed violations in 2025 Acts of corruption or bribery 0 Violations of personal data privacy 0 Acts
  • p. 198years, projections and future goals, or any other items included in the Integrated Sustainability Report 2025 for the year
  • p. 179Category 4: Purchased goods and services This category includes indirect emissions associated with the acquisition of goods and services
  • p. 158substantiated complaints received concerning breaches of customer privacy, categorized as follows: 2024 2025 I. Complaints
  • p. 158total compensation ratio (GRI 418-1) Substantiated complaints concerning breaches of customer privacy and losses of customer data Ratio
  • p. 82As a complement to this policy, we have a Workplace and Sexual Harassment Prevention Protocol, which includes confidential reporting channels, as well as a Manual for the Management of Alleged Workplace and Sexual Harassment Cases, which clearly and transparently defines the procedures for the…
  • p. 142events, ensuring early and timely detection Consolidate integrated analysis of events generated by security tools to identify patterns, anomalies, and emerging
  • p. 142events related to cyberattacks were recorded in the following categories: confidentiality, integrity, and availability of information; cybersecurity breaches; data
  • p. 33events. Proactive management reduces contingency costs and prevents market loss; at the same time, it enables the capture of opportunities
  • p. 197The procedures we performed were based on our professional judgment and included inquiries, observation of the processes performed, inspection of documents, analytical procedures, assessment of the adequacy of quantification methods and reporting policies, and agreement or reconciliation with underlying records.…
  • p. 158Substantiated complaints concerning breaches of customer privacy and losses of customer data Ratio of the CEO’s annual
  • p. 141substantiated complaints were received regarding violations of customer privacy. Through the Information Security function, and within the framework
  • p. 142leaks; customer privacy-related complaints; or cyberattacks in general. Human talent management is considered a key line of defense
  • p. 123leaks in natural gas transportation (specify leaks from flaring, fugitive emissions, venting, and pneumatic sources).  Meter
  • p. 123Percentage of leaks in natural gas transportation (specify leaks from flaring, fugitive emissions, venting, and pneumatic sources).
O-Bank Co., Ltd. Banks / Diverse Financials / Insurance · Taiwan 2024 Exact p. 23 →p. 311 →p. 35 → 2024 Sustainability Report → Deloitte
Evidence in O-Bank Co., Ltd.’s report

What the report shows

O-Bank Co., Ltd.'s 2024 Sustainability Report provides quantitative data on information security, including the number of breaches (2), the percentage that are personal data breaches, and the number of account holders affected, as noted on page 313. The report also states on page 311 that no substantiated complaints concerning breaches of customer privacy or losses of customer data were received. However, there is no quotable evidence found regarding monetary losses from legal proceedings or other narrative details related to data security breaches beyond these points.

Evidence-based summary of this company’s own report — not a disclosure template to copy, and not a compliance verdict.

Datapoint coverage

DatapointStatusPage
Prior-year breach shareA reported value was found on this page. covered p. 313
Complaint typeNo quotable evidence was found in this report. not found
Confirmed privacy complaintsEvidence was found on this page. covered p. 311
Customer data incidentsA reported value was found on this page. covered p. 313
No confirmed complaints statementNo quotable evidence was found in this report. not found

Source trail

  • p. 313breaches (2) percentage that are personal data breaches (3) number of account holders affected Quantitative 3.5.3 Information Security
  • p. 312Category Chapter Data Security FN-CB-230a.1 (1) Number of data breaches (2) Percentage that are personal
  • p. 7170 Type of Case From Outside Informant From Inside Informant Number of Cases Named Informant Anonymous Informant Named Informant Anonymous Informant Found True Found Untrue Found True Found Untrue Found True Found Untrue Found True Found Untrue Whistleblower Cases Accepted Document forgery that causes…
  • p. 315breaches, percentage involving personally identifiable information, and number of account holders affected. 3.5.3 Information Security Drills Number and amount
  • p. 125years; also, as of the end of 2024, the average seniority was 4.67 years among female employees and 4.43 years
  • p. 32 8.
  • p. 311Substantiated complaints concerning breaches of customer privacy and losses of customer data No related substantiated complaints received
  • p. 314customer complaints filed, (2) percentage with monetary or nonmonetary relief Quantitative 4.2.3 Handling and Tracking of Customer Complaints
  • p. 110total of 63 cases of customer complaints, including 62 cases referred from competent authorities (including the Financial Supervisory Commission
  • p. 311Customer Experience 100 GRI 418: Customer Privacy 2016 418-1# Substantiated complaints concerning breaches of customer privacy and losses
  • p. 313Customer Privacy FN-CF-220a.2 Total amount of monetary losses as a result of legal proceedings associated with customer
  • p. 109Customer Complaints 1. 24-hour Customer Service O-Bank set an industry first by launching a 24-hour, year
  • p. 313Category Chapter Business Ethics FN-CB-510a.1 Total amount of monetary losses as a result of legal proceedings
  • p. 23Substantiated complaints concerning breaches of customer privacy and losses of customer data Information Security Potential negative impact (risk
  • p. 23complaints concerning breaches of customer privacy and losses of customer data Information Security Potential negative impact (risk): A financial
First Financial Holding Co., Ltd. Banks / Diverse Financials / Insurance · Taiwan 2024 Partial p. 33 →p. 97 →p. 232 → 2024 Sustainability Report → PwC
Evidence in First Financial Holding Co., Ltd.’s report

What the report shows

First Financial Holding Co., Ltd.'s 2024 Sustainability Report provides detailed information on data breaches, reporting one breach in 2024 with a 100% rate of personal data breaches affecting 592 account holders (p.218, p.226). The report also includes numeric values on substantiated complaints concerning breaches of customer privacy and losses of customer data (p.232), as well as financial losses related to litigation exceeding NT$5 million where authorities intervened (p.218). However, the report offers limited clarity on the specifics of whistleblowing reports and their relation to business execution, with only a brief mention on page 224, and lacks detailed contextual information on supplier categories beyond a brief note on page 151.

Evidence-based summary of this company’s own report — not a disclosure template to copy, and not a compliance verdict.

Datapoint coverage

DatapointStatusPage
Prior-year breach shareA reported value was found on this page. covered p. 218
Complaint typeA reported value was found on this page. covered p. 224
Confirmed privacy complaintsA reported value was found on this page. covered p. 232
Customer data incidentsA reported value was found on this page. covered p. 218
No confirmed complaints statementA reported value was found on this page. covered p. 218

Source trail

  • p. 218breaches in 2024 in accordance with the FFHC Information Security Incident Management Regulations. ・Percentage of personal data breaches
  • p. 222In particu- lar, we were notified of 208 of these cases via competent authorities (please refer to the appendix for more details: sustainable operation indicators) … *:The information sources of the competent authority hereunder are mainly based on the filing records of the complaint cases archived by the FFHC,…
  • p. 218breaches: 1; percentage of personal data breaches: 100; number of account holders affected: 592 Appendix A: Summary of Subject
  • p. 226breaches: 1; percentage of personal data breaches: 100; number of account holders affected: 592 No. 20 P.99 Applicable
  • p. 224category of the implementation rules or is unrelat- ed to the execution of business. 3. The whistleblowing report is obviously
  • p. 151category, 100 suppliers in the renovation category, 25 suppliers in the air conditioning category, 59 suppliers in the plumbing
  • p. 232Substantiated complaints concerning breaches of customer privacy and losses of customer data 415-1 Requirements for product
  • p. 244Total loss amount Incident description and improvement measure Punishment of the Competent Authority Litigation 1 NT$20,000 Employees' failure
  • p. 244customer complaints counted by the competent authority 2024 Cases failed after mediation (%) Cases entering the review process (%) Cases established after
  • p. 218losses arising from legal proceedings due to customer privacy disputes in 2024 were compiled in accordance with the first point
  • p. 222total loss was NT$600,000 (please refer to the appendix: sustainable operation indicators). The Group has remedied the relevant
  • p. 218losses. No companies were subject to regulatory penalties, either. As stated on p.243, financial losses as a result of litigation
  • p. 218has exceeded NT$5 million, where the competent authorities have intervened for investigation, and where reputational damage has been incurred
  • p. 226has exceeded NT$5 million, where the competent authorities have intervened for investigation, and where reputational damage has been incurred
  • p. 33Substantiated complaints concerning breaches of customer privacy and losses of customer data FS1:Related policies applicable to specific environments
  • p. 79customer, claiming that it has already helped notify the police to ensure the safety of customer property. Afterwards, the syndicate
Check your understanding
A retailer’s privacy team closed 7 customer complaints this year after checking the facts; 5 were linked to incidents that first happened last year, and 2 arose from this year’s activity. The same review also logged 3 separate customer-data losses.How should you decide what to include for the year, and how should you treat the older incidents when describing the complaints?
Model answer. Count the 7 closed complaints in the year’s figure, because they were confirmed in the reporting period. Then note, in the separate year-on-year point, that 5 of those cases relate to events from earlier years, while 2 do not. Also report the 3 data-loss events as a separate number, using the same reporting period basis.
Why this matters. Keep the complaint total and the data-loss total separate, and flag whether a meaningful share of the confirmed cases comes from earlier periods.
A services company received 4 customer privacy complaints, but only 2 were upheld after investigation. It also had 1 incident where customer records were stolen from a contractor’s laptop.Which figures belong in the disclosure, and do the unconfirmed complaints get counted with the upheld ones?
Model answer. Use only the 2 complaints that were confirmed after review for the privacy-complaint count. The 2 unconfirmed complaints stay out of that figure. Separately, include the 1 theft of customer data in the data-loss count, because it is a distinct measure from the complaint total.
Why this matters. Only confirmed complaints are counted in the complaint figure; unproven allegations are not mixed in.
A utility has no confirmed customer privacy complaints for the year, but it did record 2 losses of customer data. The reporting team is unsure whether it can leave the privacy-complaint line blank.What should be shown for the privacy-complaint part of the disclosure when there are none?
Model answer. State plainly that no confirmed customer privacy complaints were identified. Do not leave the item empty. The separate count for the 2 data-loss events still needs to be shown as its own figure.
Why this matters. If there were no confirmed privacy complaints, say so clearly rather than omitting the point.
A bank’s incident log shows 6 customer-data losses in total, but 4 were discovered this year and 2 were found during a review of an older system failure. The privacy team also has a category label used internally for all customer-facing complaints.How should you present the category label and the data-loss count so the disclosure is usable and consistent with the source records?
Model answer. Use a clear complaint category label that matches the nature of the issue, then report the 6 data-loss events as the total identified in the period. If you also need to explain timing, note that 2 of the 6 were tied to an earlier system failure, while 4 were found this year. Keep the category wording understandable to readers and aligned with the underlying records.
Why this matters. Describe the complaint type in plain language and make the data-loss total match the incident log, with timing explained where relevant.
Analyse this disclosure across real reports

See how companies actually report GRI 418-1 — drawn from their own published reports, with the exact pages, and an LRA AI-assistant that works through it with you. Available to LRA Community members and to students throughout their platform access.

Related framework references

How this disclosure maps across the major reporting frameworks.

GRIPrimary
GRI 418-1
within GRI 418: Customer Privacy 2016
Open official source →
ESRSRelated
ESRS S4
Consumers and End-users — closest topical match (post-Omnibus ESRS catalogue).
IFRSNo equivalent
No direct IFRS S1/S2 topical equivalent.
Related & explore
Questions this page answers
What data do I need to gather for GRI 418-1 Customer Privacy before I start drafting the disclosure?

The page says to prepare five datapoints: prior-year breach share, complaint type, confirmed privacy complaints, customer data incidents, and a no confirmed complaints statement. Use those as the starting checklist before you draft anything. ↑ section

How should I decide the scope for GRI 418-1 Customer Privacy in practice?

Use the page’s step-by-step preparation section to work out what sits in scope, then align the datapoints and evidence pack to that scope. The page is designed to help you turn the disclosure into a workable data request rather than a last-minute write-up. ↑ section

Who should own the GRI 418-1 Customer Privacy data collection and sign-off?

The page is aimed at sustainability/ESG managers, HR or data owners, and assurance reviewers, so ownership should sit with the people who can confirm the underlying complaint and incident data. The workbook is there to help organise that handoff and make the evidence pack easier to review. ↑ section

What evidence should I put in the pack for GRI 418-1 Customer Privacy assurance?

The page includes an evidence pack with five items for assurance readiness, plus five assurance claims to verify using claim, risk and evidence. Build the pack around the datapoints and the supporting records that show how each figure or statement was prepared. ↑ section

How do I use the five assurance claims on the page when checking GRI 418-1 Customer Privacy?

Treat them as a review checklist: each claim should be matched to the related risk and the evidence that supports it. That helps you spot gaps before assurance rather than after the draft is already final. ↑ section

What are the common mistakes people make when reporting GRI 418-1 Customer Privacy?

The page has a section on common reporting gaps and mistakes, so it is meant to help you avoid missing the required datapoints or mixing up the scope. It is also useful for checking that your draft is backed by evidence rather than just narrative. ↑ section

How do I turn the GRI 418-1 Customer Privacy data into a draft disclosure?

Use the draft-output section for visualisation ideas, narrative starters and a GRI content-index line. The page also includes a synthetic illustrative example, which can help you see how the datapoints might be presented in a finished draft. ↑ section

Can I use the Prep & Assurance workbook for GRI 418-1 Customer Privacy to build my evidence pack?

Yes — the Download Centre includes a Prep & Assurance workbook (.xlsx) and a printable Library Card (.pdf). The workbook is the practical tool for organising the datapoints, evidence and assurance checks before you draft. ↑ section

Where can I find an example of how a GRI 418-1 Customer Privacy disclosure might look?

The page includes synthetic illustrative example disclosures, including a quantitative data table. It also has a 'From company reports' table that links to real published reports if you want to see how the topic is disclosed in practice. ↑ section

How does the ESRS S4 (Consumers and End-users) reference help me with GRI 418-1 Customer Privacy?

The page says ESRS S4 is the closest correspondence, so it can help you think about whether the same underlying data can be reused across frameworks. It does not say the requirements are identical, so you still need to check the disclosure wording and scope separately. ↑ section

More questions this page can help with
  • GRI 418-1 Customer Privacy checklist for prior-year breach share, complaint type, confirmed privacy complaints and customer data incidents
  • How to prepare GRI 418-1 Customer Privacy using the step-by-step section and workbook
  • What evidence pack items do I need for GRI 418-1 Customer Privacy assurance readiness?
  • GRI 418-1 Customer Privacy common reporting gaps and mistakes to avoid
  • How to write a draft GRI 418-1 Customer Privacy disclosure from the page’s narrative starters
  • GRI 418-1 Customer Privacy content index line example and visualisation ideas
  • Who should own GRI 418-1 Customer Privacy data collection in an ESG reporting process?
  • How to use the Prep & Assurance workbook for GRI 418-1 Customer Privacy
  • GRI 418-1 Customer Privacy synthetic example disclosure table
  • Can GRI 418-1 Customer Privacy data be reused for ESRS S4 Consumers and End-users reporting?
  • What does the From company reports table show for GRI 418-1 Customer Privacy?
  • How do I make GRI 418-1 Customer Privacy assurance-ready before review?
Dr Ross Kurinko
✓ LRA AI Assistant · human-in-the-loop
Ask Study Studio AI assistant about this disclosure

Get a practical answer for your reporting context. Your first answer is free — create a free account to continue the conversation.

Try
Sources, status and disclaimer

This LRA assistance tool is designed for educational and internal data-collection purposes. It is not an official interpretation of the GRI Standards, IFRS Sustainability Disclosure Standards or EU CSRD/ESRS requirements. When applying these frameworks in professional practice, users should consult and double-check the official standards, guidance and applicable regulatory sources.