Substantiated complaints concerning breaches of customer privacy and losses of customer data
Practical guidance for preparing this disclosure. Use this card to identify datapoints, verify claims and organise supporting evidence. For exact requirements, always refer to the official GRI source.
↗ Share
This disclosure asks an organisation to report how many customer privacy complaints were found to be valid, and how many incidents involved customer data being lost, exposed or otherwise compromised. The focus is on confirmed issues, not every allegation or concern raised, so the organisation should distinguish between complaints received and those that were substantiated after review.
In practice, the reporting should cover the organisation’s relevant operations and data-handling activities, not just a few visible sites or flagship locations. The key question is whether the organisation can show the scale of confirmed privacy and data-loss problems across the period, and explain the basis used to identify and count them consistently.
* This LRA educational guidance supports disclosure preparation. For the exact requirements, always refer to the official GRI source.
A quick mental checklist before you prepare this disclosure — tick each as you settle it.
| Datapoint | What to capture | Evidence hint | Owner |
|---|---|---|---|
| Prior-year breach share | Whether a meaningful share of the confirmed breaches being reported can be traced to incidents that happened in earlier reporting periods. | Case log with incident dates, investigation outcomes, and the reporting-period cut used to classify each confirmed breach. | Privacy / compliance |
| Complaint type | The category used to group the complaints being reported, using the organisation’s agreed complaint taxonomy. | Complaint register, triage rules, and the category list used by customer service or compliance. | Customer service / compliance |
| Confirmed privacy complaints | The count of complaints about customer privacy that were investigated and confirmed as valid within the reporting period. | Privacy complaints log, investigation records, and substantiation status from the case management system. | Privacy / legal |
| Customer data incidents | The count of identified incidents where customer data was leaked, stolen, or lost during the reporting period. | Data incident register, security incident reports, and breach notifications or forensic findings where applicable. | Information security / privacy |
| No confirmed complaints statement | A short statement confirming that no substantiated customer privacy complaints were identified, if that is the case. | Final complaint review summary showing zero confirmed cases for the period and sign-off from the responsible team. | Privacy / compliance |
Show GRI 418-1 sub-elements (LRA working checklist)
- If there were no substantiated complaints, say so briefly, where this applies.
- Group the complaints by type.
- Check whether a significant share of the breaches came from earlier reporting periods.
- State the total count of confirmed customer-data leaks, thefts, or losses.
- State the total count of confirmed complaints about customer privacy breaches.
LRA working checklist - paraphrased; see official source
- Set the reporting boundary first: decide which parts of the business, products, services and customer records are in scope for this disclosure, and keep that scope consistent across the figures and narrative.
- Define the event types you will count before gathering data: separate privacy complaints from data incidents, and make sure your internal definitions match the way you will report the category, the complaint count and the incident count.
- Pull together the underlying records that support each figure: complaint logs, investigation outcomes, incident registers and any case notes showing whether a complaint was upheld or not.
- Prepare the reported outputs in the required form: state the complaint category, give the number of upheld privacy complaints, give the number of data leaks, thefts or losses, and include a short statement if there were no upheld complaints to report.
- Check whether any of the reported matters relate to earlier reporting periods, and note that point clearly where it affects the current-year disclosure.
- Record any exclusions, reclassifications or changes in how the data was gathered or counted, then compare the final disclosure back to the official source material to confirm nothing has been missed or misstated.
Translate the disclosure into an internal business question — then adapt it to your organisation's own language.
Use your organisation’s own labels first, then map them to the reporting fields. For example, ask for the team’s case categories, incident log terms, and breach register wording rather than using framework language in the request.
Please provide the GRI 418-1 data for the year, including substantiated complaints, losses of customer data, and whether any relate to prior years.
Please pull the customer privacy complaint and data incident figures from your case tracker for [period] and [boundary]. Use your own labels, and include upheld/confirmed complaints, customer data leak/theft/loss incidents, any cases linked to earlier years, plus the source register and a contact who can confirm the numbers.
Formal email template
Subject: Request for customer privacy complaint and data incident figures for [reporting period] Dear [name/team], I am preparing the sustainability reporting pack and need your help with the customer privacy and data incident figures for [reporting period] and [reporting boundary]. Please share, using your own case and incident terms: - the number of customer privacy complaints that were upheld or otherwise confirmed as valid in the period; - the number of customer data leak, theft, or loss incidents identified in the period; - whether any of the confirmed cases relate to events from earlier years; - the category labels you used and any short notes needed to explain the counts. Please also include the source system or register, the date extracted, and the person who can confirm the figures. A possible LRA training template is attached below; please adapt this to your organisation and check the official source before sign-off. Many thanks, [preparer name]
Short Teams / Slack version
Hi [name] — could you send the customer privacy complaint and data incident counts for [period] / [boundary]? Please use your own tracker terms and include: - upheld/confirmed customer privacy complaints; - customer data leak/theft/loss incidents; - any cases linked to earlier years; - the source register and a contact who can confirm. Please adapt this to your organisation and check the official source before sign-off. Thanks.
Retail / E-commerce
Context. The customer care team logs complaints separately from the information security incident register.
Adapted request. Please provide the counts from the customer complaints log and the security incident register for [period] / [boundary]. Use your own labels for upheld privacy complaints and customer data loss events, and flag any cases that started in an earlier year.
Example response. Complaints log: 7 upheld customer privacy complaints. Security register: 2 customer data loss incidents. One complaint related to a case first raised in the prior year. Source systems: CRM complaints queue and incident register.
Financial services
Context. The privacy office manages customer rights complaints, while operational risk tracks data incidents.
Adapted request. Please share the confirmed customer privacy complaint count from the privacy case system and the number of customer data leak or loss events from the operational risk log for [period]. Please also note whether any confirmed matters stem from earlier periods.
Example response. Privacy case system: 4 confirmed customer privacy complaints. Operational risk log: 1 customer data loss event. No current-period cases were linked to earlier years. Reviewed by the privacy lead and operational risk manager.
The full request pack — response form, data table, evidence metadata and sign-off — is in the Download Centre.
LRA training templates — adapt them to your organisation, and check the official source before sign-off.
Explain how the organisation defines a privacy complaint, how it decides whether a case is confirmed, and whether the figures cover only the current period or also include matters first raised earlier but resolved now.
Set out what the numbers indicate about customer-data protection performance, including the volume of confirmed complaints and any identified data leaks, thefts, or losses, and note when there were no confirmed complaints to report.
If the figures move materially, describe the main operational or case-handling reasons behind the change, including whether any confirmed matters were linked to events from earlier periods.
GRI 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data — [location / page] / [notes]
Professional preparation tools and forms for GRI 418-1. Each download includes a concise “How to use” guide.
| Claim | Risk | Evidence to check |
|---|---|---|
| I checked whether a meaningful share of the reported cases came from earlier periods, so the figure reflects when the underlying issue happened as well as when it was logged. | The assurer will test whether we have mixed up the reporting year with the year the incident occurred, or whether older cases have been counted inconsistently. | Case register with incident dates and report dates; ageing analysis; reconciliation between the current-period count and any prior-period cases included; review notes explaining how older matters were treated. |
| I grouped the complaints using a consistent internal category set, and I kept the mapping used to place each case into the disclosed category. | The assurer will probe whether the category labels were applied consistently, whether cases were double-counted or misclassified, and whether the grouping matches the source records. | Complaint taxonomy or coding guide; source complaint logs; sample of cases showing category assignment; reviewer sign-off on the final grouping; change log if categories were updated. |
| I derived the privacy-related complaint count from the underlying case files and only included matters that had been confirmed through our review process. | The assurer will check whether the count is complete, whether unconfirmed matters were excluded, and whether the confirmation test was applied in the same way across the population. | Substantiation records; complaint investigation files; final count calculation; evidence of inclusion/exclusion criteria; reconciliation to the complaints register and legal or compliance review notes. |
| I compiled the data-breach total from the incident log, using the same definition and cut-off across the period, and I kept support for each event counted. | The assurer will look for missed incidents, duplicate entries, inconsistent cut-off treatment, or weak support for why each event was included. | Security or incident register; incident tickets; duplicate-check or reconciliation worksheet; period cut-off memo; evidence pack for each counted event; management review of the final tally. |
| Where no confirmed privacy complaints were found, I used the underlying records to support that statement and checked that the wording matched the evidence. | The assurer will test whether the zero-claim statement is backed by a complete search of the relevant records and whether any unresolved matters were overlooked. | Search results from complaint, legal, and incident records; confirmation from relevant teams; close-out or nil-return sign-off; evidence of the review period and scope used for the search. |
- The governing policy or written commitment behind this disclosure
- A methodology / definition note setting out how the disclosure was scoped and prepared
- Source-system exports the figures or facts were drawn from
- The internal approval / sign-off record for the disclosure before publication
- Minutes or records evidencing the relevant engagement or consultation
- Figures are stated without the supporting narrative, or narrative without figures.
- Scope is inconsistent between the text and the numbers.
- The reporting boundary is left undefined.
- Material changes since the previous period are not disclosed.
- Estimates and measured values are not distinguished.
- Source records for the figures are not identified.
- Wrong owner
The team asks Legal or IT in framework language instead of the privacy, complaints, or incident owner who actually holds the case records.
- Scope left vague
They never pin down which customer-facing systems, channels, or business units are in scope, so different teams count different populations.
- Wrong time basis
They pull cases by report date, closure date, or discovery date without agreeing one cut-off for the period being reported.
- Mixed counting rules
One source counts every complaint record while another counts each customer event, so the final number blends unlike bases.
- Source labels lost
The original case tags for privacy complaints and data-loss incidents are stripped out during export, making later checks impossible.
- Separate groups merged
Privacy complaints and data-loss incidents are rolled into one list even though they need to stay distinct for collection and review.
- Evidence trail missing
The file has totals but no linked case notes, screenshots, or log extracts to show how each item was substantiated.
- No sign-off record
The draft numbers move forward without a named reviewer and date-stamped approval from the data owner.
- Set the reporting boundary after mergers, sales, or closures
Decide whether to include incidents from businesses added or removed during the period, explain the cut-off you used, and keep the same approach wherever possible so the totals are comparable.
- Map local privacy labels to one internal incident type
Where countries use different legal or operational labels, translate them into one organisation-wide category set, disclose the mapping, and avoid double counting the same event under more than one label.
- Decide how to treat incidents that sit partly inside and partly outside scope
If a complaint or data loss affects mixed populations, state the rule used to include or exclude it and explain how you handled cases where only some affected people fall within your customer base.
- Choose the counting date for late-identified cases
Use one clear basis for timing, such as when the issue was first confirmed or when the complaint was substantiated, disclose that basis, and apply it consistently across the period.
- Separate confirmed cases from unverified allegations
Count only matters that have been checked and accepted as valid under your process, and if you also track unconfirmed reports, keep them out of the disclosed totals and describe the distinction.
- Decide whether one incident with many affected customers is one case or many
State whether you count by event, by complaint, or by affected customer record, use that rule consistently, and explain it so readers can understand the scale behind the number.
- Handle cross-year incidents and reopened files consistently
If a matter began in an earlier year or was reopened after new information emerged, explain whether it sits in the current period total or is treated as a prior-period issue, and note any restatement approach.
- Use estimates only where the underlying record is incomplete
If exact counts are not available, disclose that an estimate was used, describe the method at a high level, and make clear which figures are measured and which are approximated.
- Round numbers without obscuring small totals
Apply one rounding rule across the disclosure, state it if it affects interpretation, and avoid rounding in a way that could hide a very small number or make a zero look like a positive count.
Synthetic, written by LRA — not from a company report, not text from any standard.
| Category | Upheld complaints | Earlier-period link | Data incidents | Total |
|---|---|---|---|---|
| Account access | 4 | 1 | 2 | 7 |
| Marketing contact | 3 | 1 | 1 | 5 |
| Online service handling | 2 | 1 | 2 | 5 |
Synthetic example: we recorded 12 privacy complaints in the year, and 9 were upheld after review. Of those upheld cases, 3 were linked to earlier reporting periods, and we also identified 5 separate incidents involving customer data being exposed, taken, or misplaced. The complaints were mainly about account access, marketing contact, and online service handling; because we did identify substantiated cases, no statement of zero upheld complaints applies here.
| Category | Complaints received | Upheld complaints | Data incidents | Total |
|---|---|---|---|---|
| Appointment and records handling | 3 | 0 | 1 | 4 |
| Access and identity checks | 2 | 0 | 1 | 3 |
| Digital messaging and portals | 2 | 0 | 0 | 2 |
Synthetic example: during the period we received 7 complaints about patient-data handling, and 0 were upheld after investigation. We found 2 incidents where records were leaked, stolen, or lost, and none of the complaints category totals resulted in a substantiated case; as a result, we can state that we identified no upheld privacy complaints in this example.
How to turn the collected data into a draft disclosure. The charts below are drawn from the illustrative figures above — swap in your own data.
Other views you could build
- Customer privacy complaints by category — table: A simple listing of complaint types alongside the number of cases substantiated in each category, so readers can see which issues were confirmed.
- Confirmed complaints versus data loss incidents — bar: A side-by-side comparison of the count of upheld privacy complaints and the count of customer-data leaks, thefts, or losses identified during the period.
- Breakdown of customer data incidents — stacked bar: How identified customer-data leaks, thefts, or losses are split across incident types or reporting periods, if the reporter groups them that way.
- Trend in confirmed privacy issues over time — line: How the number of upheld customer privacy complaints changes across reporting periods, including any visible rise or fall.
- Where incidents were identified — map: The locations linked to confirmed privacy complaints or customer-data incidents, if the organisation tracks them by place.
- Share of privacy-related matters with no confirmed cases — donut: The proportion of reported privacy-related matters that did not result in any upheld complaint, where the organisation wants to show the balance between reported and confirmed cases.
What separates a figure from a disclosure.
We confirmed 3 privacy complaints and 2 customer-data loss incidents.
We confirmed 3 privacy complaints and 2 customer-data loss incidents, with 1 of the 5 linked to an earlier year.
We confirmed 3 privacy complaints and 2 customer-data loss incidents this year, and 1 of the 5 related to an earlier period because one case stayed open across reporting dates.
Real reports where this topic is disclosed. The confidence label shows how closely each match maps to GRI 418-1 — these are report practice, not exact disclosure examples.
| Company | Sector · Country | Year | Match | Page | Report | Assurance | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Transportadora de Gas Internacional S.A. E.S.P. | Oil and Gas · Colombia | 2025 | Partial | p. 141 →p. 158 →p. 142 → | Integrated Sustainability Report 2025 → | Deloitte; EY; BSI | |||||||||||||||||||
Evidence in Transportadora de Gas Internacional S.A. E.S.P.’s reportWhat the report shows Transportadora de Gas Internacional S.A. E.S.P.'s Integrated Sustainability Report 2025 includes detailed narrative and numeric data on ethics and compliance activities, reporting 202 such activities monitored through internal indicators (p.43), and provides figures on substantiated complaints related to customer privacy breaches for 2024 and 2025 (p.158). The report also addresses indirect emissions from purchased goods and services under Category 4 (p.179). However, it lacks a clear headline value for natural gas leaks from flaring, fugitive emissions, venting, and pneumatic sources, with only partial supporting context provided (p.123), and no narrative evidence was found for some expected disclosures.
Evidence-based summary of this company’s own report — not a disclosure template to copy, and not a compliance verdict. Datapoint coverage
Source trail
|
|||||||||||||||||||||||||
| O-Bank Co., Ltd. | Banks / Diverse Financials / Insurance · Taiwan | 2024 | Exact | p. 23 →p. 311 →p. 35 → | 2024 Sustainability Report → | Deloitte | |||||||||||||||||||
Evidence in O-Bank Co., Ltd.’s reportWhat the report shows O-Bank Co., Ltd.'s 2024 Sustainability Report provides quantitative data on information security, including the number of breaches (2), the percentage that are personal data breaches, and the number of account holders affected, as noted on page 313. The report also states on page 311 that no substantiated complaints concerning breaches of customer privacy or losses of customer data were received. However, there is no quotable evidence found regarding monetary losses from legal proceedings or other narrative details related to data security breaches beyond these points.
Evidence-based summary of this company’s own report — not a disclosure template to copy, and not a compliance verdict. Datapoint coverage
Source trail
|
|||||||||||||||||||||||||
| First Financial Holding Co., Ltd. | Banks / Diverse Financials / Insurance · Taiwan | 2024 | Partial | p. 33 →p. 97 →p. 232 → | 2024 Sustainability Report → | PwC | |||||||||||||||||||
Evidence in First Financial Holding Co., Ltd.’s reportWhat the report shows First Financial Holding Co., Ltd.'s 2024 Sustainability Report provides detailed information on data breaches, reporting one breach in 2024 with a 100% rate of personal data breaches affecting 592 account holders (p.218, p.226). The report also includes numeric values on substantiated complaints concerning breaches of customer privacy and losses of customer data (p.232), as well as financial losses related to litigation exceeding NT$5 million where authorities intervened (p.218). However, the report offers limited clarity on the specifics of whistleblowing reports and their relation to business execution, with only a brief mention on page 224, and lacks detailed contextual information on supplier categories beyond a brief note on page 151.
Evidence-based summary of this company’s own report — not a disclosure template to copy, and not a compliance verdict. Datapoint coverage
Source trail
|
|||||||||||||||||||||||||
A retailer’s privacy team closed 7 customer complaints this year after checking the facts; 5 were linked to incidents that first happened last year, and 2 arose from this year’s activity. The same review also logged 3 separate customer-data losses.How should you decide what to include for the year, and how should you treat the older incidents when describing the complaints?
A services company received 4 customer privacy complaints, but only 2 were upheld after investigation. It also had 1 incident where customer records were stolen from a contractor’s laptop.Which figures belong in the disclosure, and do the unconfirmed complaints get counted with the upheld ones?
A utility has no confirmed customer privacy complaints for the year, but it did record 2 losses of customer data. The reporting team is unsure whether it can leave the privacy-complaint line blank.What should be shown for the privacy-complaint part of the disclosure when there are none?
A bank’s incident log shows 6 customer-data losses in total, but 4 were discovered this year and 2 were found during a review of an older system failure. The privacy team also has a category label used internally for all customer-facing complaints.How should you present the category label and the data-loss count so the disclosure is usable and consistent with the source records?
See how companies actually report GRI 418-1 — drawn from their own published reports, with the exact pages, and an LRA AI-assistant that works through it with you. Available to LRA Community members and to students throughout their platform access.
How this disclosure maps across the major reporting frameworks.
What data do I need to gather for GRI 418-1 Customer Privacy before I start drafting the disclosure?
The page says to prepare five datapoints: prior-year breach share, complaint type, confirmed privacy complaints, customer data incidents, and a no confirmed complaints statement. Use those as the starting checklist before you draft anything. ↑ section
How should I decide the scope for GRI 418-1 Customer Privacy in practice?
Use the page’s step-by-step preparation section to work out what sits in scope, then align the datapoints and evidence pack to that scope. The page is designed to help you turn the disclosure into a workable data request rather than a last-minute write-up. ↑ section
Who should own the GRI 418-1 Customer Privacy data collection and sign-off?
The page is aimed at sustainability/ESG managers, HR or data owners, and assurance reviewers, so ownership should sit with the people who can confirm the underlying complaint and incident data. The workbook is there to help organise that handoff and make the evidence pack easier to review. ↑ section
What evidence should I put in the pack for GRI 418-1 Customer Privacy assurance?
The page includes an evidence pack with five items for assurance readiness, plus five assurance claims to verify using claim, risk and evidence. Build the pack around the datapoints and the supporting records that show how each figure or statement was prepared. ↑ section
How do I use the five assurance claims on the page when checking GRI 418-1 Customer Privacy?
Treat them as a review checklist: each claim should be matched to the related risk and the evidence that supports it. That helps you spot gaps before assurance rather than after the draft is already final. ↑ section
What are the common mistakes people make when reporting GRI 418-1 Customer Privacy?
The page has a section on common reporting gaps and mistakes, so it is meant to help you avoid missing the required datapoints or mixing up the scope. It is also useful for checking that your draft is backed by evidence rather than just narrative. ↑ section
How do I turn the GRI 418-1 Customer Privacy data into a draft disclosure?
Use the draft-output section for visualisation ideas, narrative starters and a GRI content-index line. The page also includes a synthetic illustrative example, which can help you see how the datapoints might be presented in a finished draft. ↑ section
Can I use the Prep & Assurance workbook for GRI 418-1 Customer Privacy to build my evidence pack?
Yes — the Download Centre includes a Prep & Assurance workbook (.xlsx) and a printable Library Card (.pdf). The workbook is the practical tool for organising the datapoints, evidence and assurance checks before you draft. ↑ section
Where can I find an example of how a GRI 418-1 Customer Privacy disclosure might look?
The page includes synthetic illustrative example disclosures, including a quantitative data table. It also has a 'From company reports' table that links to real published reports if you want to see how the topic is disclosed in practice. ↑ section
How does the ESRS S4 (Consumers and End-users) reference help me with GRI 418-1 Customer Privacy?
The page says ESRS S4 is the closest correspondence, so it can help you think about whether the same underlying data can be reused across frameworks. It does not say the requirements are identical, so you still need to check the disclosure wording and scope separately. ↑ section
- GRI 418-1 Customer Privacy checklist for prior-year breach share, complaint type, confirmed privacy complaints and customer data incidents
- How to prepare GRI 418-1 Customer Privacy using the step-by-step section and workbook
- What evidence pack items do I need for GRI 418-1 Customer Privacy assurance readiness?
- GRI 418-1 Customer Privacy common reporting gaps and mistakes to avoid
- How to write a draft GRI 418-1 Customer Privacy disclosure from the page’s narrative starters
- GRI 418-1 Customer Privacy content index line example and visualisation ideas
- Who should own GRI 418-1 Customer Privacy data collection in an ESG reporting process?
- How to use the Prep & Assurance workbook for GRI 418-1 Customer Privacy
- GRI 418-1 Customer Privacy synthetic example disclosure table
- Can GRI 418-1 Customer Privacy data be reused for ESRS S4 Consumers and End-users reporting?
- What does the From company reports table show for GRI 418-1 Customer Privacy?
- How do I make GRI 418-1 Customer Privacy assurance-ready before review?
Get a practical answer for your reporting context. Your first answer is free — create a free account to continue the conversation.
Sources, status and disclaimer
This LRA assistance tool is designed for educational and internal data-collection purposes. It is not an official interpretation of the GRI Standards, IFRS Sustainability Disclosure Standards or EU CSRD/ESRS requirements. When applying these frameworks in professional practice, users should consult and double-check the official standards, guidance and applicable regulatory sources.