Disclosure LibraryPractitioner guidance for every reporting disclosure
Home Disclosure Library GRI GRI 418 GRI 418-1
GRI 418: Customer Privacy · 2016
Disclosure GRI 418-1

Substantiated complaints concerning breaches of customer privacy and losses of customer data

Practical guidance for preparing this disclosure. Use this card to identify datapoints, verify claims and organise supporting evidence. For exact requirements, always refer to the official GRI source.

Dr Ross Kurinko, GRI Certified Trainer
Reviewed by Dr Ross Kurinko · GRI Certified Trainer LRA educational guidance · Not issued or endorsed by GRI
To prepare this disclosure
Disclosure focus

This disclosure asks an organisation to report how many customer privacy complaints were found to be valid, and how many incidents involved customer data being lost, exposed or otherwise compromised. The focus is on confirmed issues, not every allegation or concern raised, so the organisation should distinguish between complaints received and those that were substantiated after review.

In practice, the reporting should cover the organisation’s relevant operations and data-handling activities, not just a few visible sites or flagship locations. The key question is whether the organisation can show the scale of confirmed privacy and data-loss problems across the period, and explain the basis used to identify and count them consistently.

This LRA educational guidance supports disclosure preparation. For the exact requirements, always refer to the official GRI source.

Before you start

A quick mental checklist before you prepare this disclosure — tick each as you settle it.

Preparation

Key datapoints to prepare

Datapoint What to capture Evidence hint Owner
Prior-year breach share Whether a meaningful share of the confirmed breaches being reported can be traced to incidents that happened in earlier reporting periods. Case log with incident dates, investigation outcomes, and the reporting-period cut used to classify each confirmed breach. Privacy / compliance
Complaint type The category used to group the complaints being reported, using the organisation’s agreed complaint taxonomy. Complaint register, triage rules, and the category list used by customer service or compliance. Customer service / compliance
Confirmed privacy complaints The count of complaints about customer privacy that were investigated and confirmed as valid within the reporting period. Privacy complaints log, investigation records, and substantiation status from the case management system. Privacy / legal
Customer data incidents The count of identified incidents where customer data was leaked, stolen, or lost during the reporting period. Data incident register, security incident reports, and breach notifications or forensic findings where applicable. Information security / privacy
No confirmed complaints statement A short statement confirming that no substantiated customer privacy complaints were identified, if that is the case. Final complaint review summary showing zero confirmed cases for the period and sign-off from the responsible team. Privacy / compliance
+ Show GRI 418-1 sub-elements (LRA working checklist)

How to prepare it

1Set the reporting boundary first: decide which parts of the business, products, services and customer records are in scope for this disclosure, and keep that scope consistent across the figures and narrative.
2Define the event types you will count before gathering data: separate privacy complaints from data incidents, and make sure your internal definitions match the way you will report the category, the complaint count and the incident count.
3Pull together the underlying records that support each figure: complaint logs, investigation outcomes, incident registers and any case notes showing whether a complaint was upheld or not.
4Prepare the reported outputs in the required form: state the complaint category, give the number of upheld privacy complaints, give the number of data leaks, thefts or losses, and include a short statement if there were no upheld complaints to report.
5Check whether any of the reported matters relate to earlier reporting periods, and note that point clearly where it affects the current-year disclosure.
6Record any exclusions, reclassifications or changes in how the data was gathered or counted, then compare the final disclosure back to the official source material to confirm nothing has been missed or misstated.
Request the data

Request the privacy complaints and customer data incident figures

Translate the disclosure into an internal business question — then adapt it to your organisation's own language.

How many customer privacy complaints were upheld, how many customer data loss or leak incidents were identified, and is there any note needed about whether a material share links back to earlier years?

Use your organisation’s own labels first, then map them to the reporting fields. For example, ask for the team’s case categories, incident log terms, and breach register wording rather than using framework language in the request.

Weak request

Please provide the GRI 418-1 data for the year, including substantiated complaints, losses of customer data, and whether any relate to prior years.

Why it fails: It uses framework wording that many operational teams do not track day to day, so the owner may not know which cases to pull. It also does not specify the local register, the counting basis, or the internal labels needed to reconcile the figures.

Better request

Please pull the customer privacy complaint and data incident figures from your case tracker for [period] and [boundary]. Use your own labels, and include upheld/confirmed complaints, customer data leak/theft/loss incidents, any cases linked to earlier years, plus the source register and a contact who can confirm the numbers.

Formal email template
Subject: Request for customer privacy complaint and data incident figures for [reporting period]

Dear [name/team],

I am preparing the sustainability reporting pack and need your help with the customer privacy and data incident figures for [reporting period] and [reporting boundary].

Please share, using your own case and incident terms:
- the number of customer privacy complaints that were upheld or otherwise confirmed as valid in the period;
- the number of customer data leak, theft, or loss incidents identified in the period;
- whether any of the confirmed cases relate to events from earlier years;
- the category labels you used and any short notes needed to explain the counts.

Please also include the source system or register, the date extracted, and the person who can confirm the figures.

A possible LRA training template is attached below; please adapt this to your organisation and check the official source before sign-off.

Many thanks,
[preparer name]
Short Teams / Slack version
Hi [name] — could you send the customer privacy complaint and data incident counts for [period] / [boundary]?

Please use your own tracker terms and include:
- upheld/confirmed customer privacy complaints;
- customer data leak/theft/loss incidents;
- any cases linked to earlier years;
- the source register and a contact who can confirm.

Please adapt this to your organisation and check the official source before sign-off. Thanks.
Industry examples
Retail / E-commerce

Context. The customer care team logs complaints separately from the information security incident register.

Adapted request. Please provide the counts from the customer complaints log and the security incident register for [period] / [boundary]. Use your own labels for upheld privacy complaints and customer data loss events, and flag any cases that started in an earlier year.

Example response. Complaints log: 7 upheld customer privacy complaints. Security register: 2 customer data loss incidents. One complaint related to a case first raised in the prior year. Source systems: CRM complaints queue and incident register.

Financial services

Context. The privacy office manages customer rights complaints, while operational risk tracks data incidents.

Adapted request. Please share the confirmed customer privacy complaint count from the privacy case system and the number of customer data leak or loss events from the operational risk log for [period]. Please also note whether any confirmed matters stem from earlier periods.

Example response. Privacy case system: 4 confirmed customer privacy complaints. Operational risk log: 1 customer data loss event. No current-period cases were linked to earlier years. Reviewed by the privacy lead and operational risk manager.

Draft your disclosure

Notes that turn data into a disclosure

LRA training templates — adapt them to your organisation, and check the official source before sign-off.

Method note

Explain how the organisation defines a privacy complaint, how it decides whether a case is confirmed, and whether the figures cover only the current period or also include matters first raised earlier but resolved now.

Context note

Set out what the numbers indicate about customer-data protection performance, including the volume of confirmed complaints and any identified data leaks, thefts, or losses, and note when there were no confirmed complaints to report.

Fluctuation statement

If the figures move materially, describe the main operational or case-handling reasons behind the change, including whether any confirmed matters were linked to events from earlier periods.

Content index entry
GRI 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data — [location / page] / [notes]
Download Centre

Preparation tools & forms

Professional preparation tools for GRI 418-1 — free with an LRA Community membership. Register once (it's free) and every download unlocks, together with the Disclosure Library, templates and the LRA AI-assistant.

Free · Community members
Assurance readiness

For each claim, check the evidence

ClaimRiskEvidence to check
I checked whether a meaningful share of the reported cases came from earlier periods, so the figure reflects when the underlying issue happened as well as when it was logged.The assurer will test whether we have mixed up the reporting year with the year the incident occurred, or whether older cases have been counted inconsistently.Case register with incident dates and report dates; ageing analysis; reconciliation between the current-period count and any prior-period cases included; review notes explaining how older matters were treated.
I grouped the complaints using a consistent internal category set, and I kept the mapping used to place each case into the disclosed category.The assurer will probe whether the category labels were applied consistently, whether cases were double-counted or misclassified, and whether the grouping matches the source records.Complaint taxonomy or coding guide; source complaint logs; sample of cases showing category assignment; reviewer sign-off on the final grouping; change log if categories were updated.
I derived the privacy-related complaint count from the underlying case files and only included matters that had been confirmed through our review process.The assurer will check whether the count is complete, whether unconfirmed matters were excluded, and whether the confirmation test was applied in the same way across the population.Substantiation records; complaint investigation files; final count calculation; evidence of inclusion/exclusion criteria; reconciliation to the complaints register and legal or compliance review notes.
I compiled the data-breach total from the incident log, using the same definition and cut-off across the period, and I kept support for each event counted.The assurer will look for missed incidents, duplicate entries, inconsistent cut-off treatment, or weak support for why each event was included.Security or incident register; incident tickets; duplicate-check or reconciliation worksheet; period cut-off memo; evidence pack for each counted event; management review of the final tally.
Where no confirmed privacy complaints were found, I used the underlying records to support that statement and checked that the wording matched the evidence.The assurer will test whether the zero-claim statement is backed by a complete search of the relevant records and whether any unresolved matters were overlooked.Search results from complaint, legal, and incident records; confirmation from relevant teams; close-out or nil-return sign-off; evidence of the review period and scope used for the search.

Evidence pack to prepare

Common reporting gaps

Figures are stated without the supporting narrative, or narrative without figures.Scope is inconsistent between the text and the numbers.The reporting boundary is left undefined.Material changes since the previous period are not disclosed.Estimates and measured values are not distinguished.Source records for the figures are not identified.
Common gaps

Mistakes to avoid when collecting the data

Wrong owner
The team asks Legal or IT in framework language instead of the privacy, complaints, or incident owner who actually holds the case records.
Scope left vague
They never pin down which customer-facing systems, channels, or business units are in scope, so different teams count different populations.
Wrong time basis
They pull cases by report date, closure date, or discovery date without agreeing one cut-off for the period being reported.
Mixed counting rules
One source counts every complaint record while another counts each customer event, so the final number blends unlike bases.
Source labels lost
The original case tags for privacy complaints and data-loss incidents are stripped out during export, making later checks impossible.
Separate groups merged
Privacy complaints and data-loss incidents are rolled into one list even though they need to stay distinct for collection and review.
Evidence trail missing
The file has totals but no linked case notes, screenshots, or log extracts to show how each item was substantiated.
No sign-off record
The draft numbers move forward without a named reviewer and date-stamped approval from the data owner.

Where judgement is often needed

Set the reporting boundary after mergers, sales, or closures
Decide whether to include incidents from businesses added or removed during the period, explain the cut-off you used, and keep the same approach wherever possible so the totals are comparable.
Map local privacy labels to one internal incident type
Where countries use different legal or operational labels, translate them into one organisation-wide category set, disclose the mapping, and avoid double counting the same event under more than one label.
Decide how to treat incidents that sit partly inside and partly outside scope
If a complaint or data loss affects mixed populations, state the rule used to include or exclude it and explain how you handled cases where only some affected people fall within your customer base.
Choose the counting date for late-identified cases
Use one clear basis for timing, such as when the issue was first confirmed or when the complaint was substantiated, disclose that basis, and apply it consistently across the period.
Separate confirmed cases from unverified allegations
Count only matters that have been checked and accepted as valid under your process, and if you also track unconfirmed reports, keep them out of the disclosed totals and describe the distinction.
Decide whether one incident with many affected customers is one case or many
State whether you count by event, by complaint, or by affected customer record, use that rule consistently, and explain it so readers can understand the scale behind the number.
Handle cross-year incidents and reopened files consistently
If a matter began in an earlier year or was reopened after new information emerged, explain whether it sits in the current period total or is treated as a prior-period issue, and note any restatement approach.
Use estimates only where the underlying record is incomplete
If exact counts are not available, disclose that an estimate was used, describe the method at a high level, and make clear which figures are measured and which are approximated.
Round numbers without obscuring small totals
Apply one rounding rule across the disclosure, state it if it affects interpretation, and avoid rounding in a way that could hide a very small number or make a zero look like a positive count.
Examples

Illustrative examples

Synthetic, written by LRA — not from a company report, not text from any standard.

Illustrative (synthetic) example — Retail banking

Synthetic example: we recorded 12 privacy complaints in the year, and 9 were upheld after review. Of those upheld cases, 3 were linked to earlier reporting periods, and we also identified 5 separate incidents involving customer data being exposed, taken, or misplaced. The complaints were mainly about account access, marketing contact, and online service handling; because we did identify substantiated cases, no statement of zero upheld complaints applies here.

Illustrative only. This example shows how to report the mix of complaint topics, the number upheld, how many relate to earlier years, and the count of data-loss incidents, while making clear that a zero-upheld-complaints statement is not used when substantiated cases exist.

Illustrative breakdown of customer privacy complaints and data incidents (cases)
Account access412
Marketing contact311
Online service handling212
Illustrative (synthetic) example — Healthcare services

Synthetic example: during the period we received 7 complaints about patient-data handling, and 0 were upheld after investigation. We found 2 incidents where records were leaked, stolen, or lost, and none of the complaints category totals resulted in a substantiated case; as a result, we can state that we identified no upheld privacy complaints in this example.

Illustrative only. This example shows a case where complaints were received but none were upheld, alongside the number of data-security incidents and a clear zero-upheld-complaints statement.

Illustrative breakdown of privacy complaints and data incidents (cases)
Appointment and records handling301
Access and identity checks201
Digital messaging and portals200
Company reports

How companies report GRI 418-1

Real reports where this topic is disclosed. These are report practice, not exact disclosure templates to copy.

Transportadora de Gas Internacional S.A. E.S.P.
Oil and Gas · Colombia · 2025
Open report →
Transportadora de Gas Internacional S.A. E.S.P.'s Integrated Sustainability Report 2025 includes detailed narrative and numeric data on ethics and compliance activities, reporting 202 such activities monitored through internal indicators (p.43), and provides figures on substantiated complaints related to customer privacy breaches for 2024 and 2025 (p.158). The report also addresses indirect emissions from purchased goods and services under Category 4 (p.179). However, it lacks a clear headline value for natural gas leaks from flaring, fugitive emissions, venting, and pneumatic sources, with only partial supporting context provided (p.123), and no narrative evidence was found for some expected disclosures.
O-Bank Co., Ltd.
Banks / Diverse Financials / Insurance · Taiwan · 2024
Open report →
O-Bank Co., Ltd.'s 2024 Sustainability Report provides quantitative data on information security, including the number of breaches (2), the percentage that are personal data breaches, and the number of account holders affected, as noted on page 313. The report also states on page 311 that no substantiated complaints concerning breaches of customer privacy or losses of customer data were received. However, there is no quotable evidence found regarding monetary losses from legal proceedings or other narrative details related to data security breaches beyond these points.
First Financial Holding Co., Ltd.
Banks / Diverse Financials / Insurance · Taiwan · 2024
Open report →
First Financial Holding Co., Ltd.'s 2024 Sustainability Report provides detailed information on data breaches, reporting one breach in 2024 with a 100% rate of personal data breaches affecting 592 account holders (p.218, p.226). The report also includes numeric values on substantiated complaints concerning breaches of customer privacy and losses of customer data (p.232), as well as financial losses related to litigation exceeding NT$5 million where authorities intervened (p.218). However, the report offers limited clarity on the specifics of whistleblowing reports and their relation to business execution, with only a brief mention on page 224, and lacks detailed contextual information on supplier categories beyond a brief note on page 151.
✓ LRA AI Assistant · Human-in-the-loop
Dr Ross Kurinko
Ask Study Studio AI assistant about this disclosure
Get a practical answer for your reporting context. Your first answer is free — create a free account to continue the conversation.
TryHow do I prepare GRI 418-1?What data do I need to collect?Where can I see a real-report example?What mistakes should I avoid?
1 free answer
Check your understanding

Scenarios to work through

A retailer’s privacy team closed 7 customer complaints this year after checking the facts; 5 were linked to incidents that first happened last year, and 2 arose from this year’s activity. The same review also logged 3 separate customer-data losses.

QHow should you decide what to include for the year, and how should you treat the older incidents when describing the complaints?
Reveal model answer →

A services company received 4 customer privacy complaints, but only 2 were upheld after investigation. It also had 1 incident where customer records were stolen from a contractor’s laptop.

QWhich figures belong in the disclosure, and do the unconfirmed complaints get counted with the upheld ones?
Reveal model answer →

A utility has no confirmed customer privacy complaints for the year, but it did record 2 losses of customer data. The reporting team is unsure whether it can leave the privacy-complaint line blank.

QWhat should be shown for the privacy-complaint part of the disclosure when there are none?
Reveal model answer →

A bank’s incident log shows 6 customer-data losses in total, but 4 were discovered this year and 2 were found during a review of an older system failure. The privacy team also has a category label used internally for all customer-facing complaints.

QHow should you present the category label and the data-loss count so the disclosure is usable and consistent with the source records?
Reveal model answer →
Framework references

Related framework references

How this disclosure maps across the major reporting frameworks.

GRI
GRI 418-1
within GRI 418: Customer Privacy
Open official source →
Primary
Related & explore
FAQ

Questions this page answers

What data do I need to gather for GRI 418-1 Customer Privacy before I start drafting the disclosure?+
How should I decide the scope for GRI 418-1 Customer Privacy in practice?+
Who should own the GRI 418-1 Customer Privacy data collection and sign-off?+
What evidence should I put in the pack for GRI 418-1 Customer Privacy assurance?+
How do I use the five assurance claims on the page when checking GRI 418-1 Customer Privacy?+
What are the common mistakes people make when reporting GRI 418-1 Customer Privacy?+
How do I turn the GRI 418-1 Customer Privacy data into a draft disclosure?+
Can I use the Prep & Assurance workbook for GRI 418-1 Customer Privacy to build my evidence pack?+
Where can I find an example of how a GRI 418-1 Customer Privacy disclosure might look?+
How does the ESRS S4 (Consumers and End-users) reference help me with GRI 418-1 Customer Privacy?+
More questions this page can help with
GRI 418-1 Customer Privacy checklist for prior-year breach share, complaint type, confirmed privacy complaints and customer data incidentsHow to prepare GRI 418-1 Customer Privacy using the step-by-step section and workbookWhat evidence pack items do I need for GRI 418-1 Customer Privacy assurance readiness?GRI 418-1 Customer Privacy common reporting gaps and mistakes to avoidHow to write a draft GRI 418-1 Customer Privacy disclosure from the page’s narrative startersGRI 418-1 Customer Privacy content index line example and visualisation ideasWho should own GRI 418-1 Customer Privacy data collection in an ESG reporting process?How to use the Prep & Assurance workbook for GRI 418-1 Customer PrivacyGRI 418-1 Customer Privacy synthetic example disclosure tableCan GRI 418-1 Customer Privacy data be reused for ESRS S4 Consumers and End-users reporting?What does the From company reports table show for GRI 418-1 Customer Privacy?How do I make GRI 418-1 Customer Privacy assurance-ready before review?