With EU GDPR one year away, there is still a lot of ground to cover for organizations that will be most affected, and the data shows it.
Over the past year, the EU General Data Protection Regulation (GDPR) and the online collection of personally identifiable information (PII) have been top-of-mind for RiskIQ, and we've recently posted two blogs on the topic, which you can read here and here.
With the go-live date now less than a year away, we at RiskIQ were curious to see the progress organizations were making toward compliance, specifically in the area of secure data capture. As a representative sample of UK plc, we set up a research project to look at the public-facing websites of the top-30 UK companies (FTSE 30 or FT 30 as it is also known). Given that GDPR applies to all EU organizations as well as those that directly engage with EU citizens, the findings are likely to be representative of what we would find if we increased our scope beyond the UK.
Overall, our research identified 100,000 live websites belonging to FTSE 30 organizations, 13,000 pages of which are collecting PII—an average of 400 pages per organization. What's worse, a third of these pages are still collecting information insecurely, either because the collection point is not encrypted at all or because it relies on vulnerable, obsolete encryption algorithms.
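The first of those two failure modes, a form that gathers PII without TLS, can be checked mechanically. The following is an added example, not RiskIQ's tooling: it parses a page with the standard library, resolves each form's action against the page URL, and flags forms whose PII-like fields would travel over plain HTTP (the PII field-name hints and the sample HTML are constructed assumptions).

```python
"""Flag HTML forms that collect PII-like fields over an unencrypted endpoint."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic field-name fragments that usually carry PII (assumed list, not exhaustive).
PII_HINTS = ("email", "password", "name", "phone", "address", "postcode", "dob", "card")


class FormScanner(HTMLParser):
    """Record each form's resolved action URL and the PII-like inputs inside it."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # each entry: {"action": str, "pii_fields": [str, ...]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or relative action posts back relative to the page itself.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "pii_fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            typ = (a.get("type") or "").lower()
            if typ == "password" or any(h in name for h in PII_HINTS):
                self._current["pii_fields"].append(name or typ)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_pii_forms(page_url, html):
    """Return (action, fields) for PII forms reachable without TLS end to end.

    Both the page and the action must be HTTPS: a form delivered over plain HTTP can
    be rewritten in transit even if its action points at an HTTPS endpoint.
    """
    scanner = FormScanner(page_url)
    scanner.feed(html)
    page_plain = urlsplit(page_url).scheme != "https"
    return [(f["action"], f["pii_fields"]) for f in scanner.forms
            if f["pii_fields"]
            and (page_plain or urlsplit(f["action"]).scheme != "https")]


# Constructed sample: one form posts to HTTPS, one to HTTP, one collects no PII.
SAMPLE_HTML = """
<form action="https://example.com/login"><input name="email"><input type="password" name="pw"></form>
<form action="http://example.com/signup"><input name="full_name"><input name="phone"></form>
<form action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for action, fields in insecure_pii_forms("https://example.com/page", SAMPLE_HTML):
        print(f"INSECURE: {action} collects {fields}")
```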
What's at Stake with the GDPR?
Insecure collection of PII can affect consumers through loss and fraudulent use of their data, and organizations through loss of revenue, brand reputation, and damages. Under GDPR those damages can be considerable if collected data is compromised.
Along with secure capture, other elements of the regulation bring requirements to the data collection process. In our recent press release, Bob Tarzey, analyst and director, Quocirca Ltd., said: “Many will already have the data security basics in place to comply with the regulations that precede GDPR. However, GDPR has many additional requirements, especially around the way data is captured and processed. These include obtaining explicit opt-in from data subjects. Before an organization can address GDPR, it needs to fully understand the extent of its online data gathering activities.”
Using our RiskIQ Digital Footprint solution, we’re working closely with some clients to identify and assess all data collection points across their web presence. Once they establish a baseline, these customers can identify and evaluate any new collection points that arise in the future. To see a demo and take a virtual tour of the solution, sign up for RiskIQ Community Edition today.