We have covered the topic of GDPR compliance in a number of blog posts over the past two years, focusing on the collection of personally identifiable information (PII) on public-facing websites and whether organizations are doing it in a compliant way.
With GDPR coming into effect later this week, we wanted to take one last look at how organizations were getting prepared. For a representative sample, we ran an analysis on the public-facing web assets of ten top UK Financial Services organizations. Secure data collection is only part of the GDPR requirements for web-based PII capture (other items include PII usage notices, active opt-in controls, and first- and third-party cookie configurations), but it is the most straightforward indicator that larger organizations are struggling to gain a complete view of their Internet-facing assets.
The findings indicate that collecting data on insecure sites is still very much a concern, and they highlight the challenges businesses are facing in protecting PII as required by GDPR.
A PII-capturing site is one that accepts user input which can identify an individual, such as name, address, date of birth, or email address. PII capture also extends to iframes and pop-up windows that are populated during a browser session and accept data. An insecure PII-capturing site is one that captures the data in clear text over HTTP, or that serves it over HTTPS with certificate issues such as expired certificates, misconfigured certificates, or old and untrusted certificates.
Across this sample of organizations, we found that 9.4% of sites with login pages were capturing login credentials insecurely, and 34% of sites with forms that capture other personal information, such as name, address, and date of birth, were doing so insecurely, by the definition above (clear-text HTTP, or certificate issues such as expired, misconfigured, or old and untrusted certificates). You can see the full release here.
Now more than ever, companies need to be aware of their digital footprint. With the ever-expanding number of PII touchpoints, it is essential that companies track all of their digital assets and consistently monitor for weaknesses in their handling of personal information.
RiskIQ's Digital Footprint product is being used by many organizations to provide a complete and continuously updated inventory of their web assets and the outstanding GDPR compliance issues associated with those assets. RiskIQ identifies PII-collecting sites, and whether they are insecure, by inspecting the Document Object Model (DOM) of each page of a website rather than its visible text. Because the DOM's form and input elements are the same whatever language the site is written in, the method is language-agnostic. We have introduced GDPR reporting into the solution to make this information accessible to management, allowing them to better understand the compliance issues and associated risks.
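To make the two definitions above concrete (what counts as a PII-capturing form, and when its capture is insecure), here is an added example of a DOM-based classifier. It is not RiskIQ's code and does not reproduce their classifier: the field-name markers, the sample pages and the host names are all constructed for illustration. It judges only transport, i.e. the scheme of the page and of the form's action URL; certificate checks (expiry, trust chain, hostname mismatch) need a live TLS handshake and are deliberately left out so the example runs offline. One point the prose does not spell out is handled explicitly: a form that posts to an https action from a page delivered over plain http is still insecure, because an on-path attacker can rewrite the action before the user submits.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic field markers (an assumption for this example; RiskIQ's own
# classifier is not public). Matching is a substring test on the field's
# name/id/autocomplete/type attributes, lower-cased and joined.
LOGIN_MARKERS = ("password", "passwd", "username", "login")
PII_MARKERS = ("name", "email", "address", "dob", "birth", "phone", "postcode", "zip")


class FormCollector(HTMLParser):
    """Walk the DOM and record every <form> with the identifiers of its user-entered fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # boolean attributes arrive as None
        if tag == "form":
            self._current = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            if a.get("type", "text").lower() in ("hidden", "submit", "button", "checkbox"):
                return  # not user-typed data
            ident = " ".join(a.get(k, "") for k in ("name", "id", "autocomplete", "type")).lower()
            self._current["fields"].append(ident)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def form_kind(fields):
    """'login' if the form takes credentials, 'pii' if it takes other personal data, else None."""
    joined = " | ".join(fields)
    if any(m in joined for m in LOGIN_MARKERS):
        return "login"
    if any(m in joined for m in PII_MARKERS):
        return "pii"
    return None


def classify_forms(page_url, html):
    """Return one record per PII-capturing form on the page: its kind, the resolved
    action URL, whether the capture is insecure, and why. Transport only; certificate
    validity is not assessed here."""
    collector = FormCollector()
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    results = []
    for form in collector.forms:
        kind = form_kind(form["fields"])
        if kind is None:
            continue  # search boxes, preference toggles, etc. are not PII capture
        # A form with no action attribute submits to the page's own URL.
        action = urljoin(page_url, form["action"]) if form["action"] else page_url
        reasons = []
        if urlsplit(action).scheme.lower() != "https":
            reasons.append("form submits over cleartext HTTP")
        if page_scheme != "https":
            # Even an https action is not safe: an on-path attacker can rewrite the
            # action of a page delivered over http before the user submits.
            reasons.append("page itself is delivered over HTTP")
        results.append({"kind": kind, "action": action,
                        "insecure": bool(reasons), "reasons": reasons})
    return results


# Constructed sample pages for a hypothetical bank (not real sites or real findings).
SAMPLE_PAGES = {
    "https://bank.example/login": """
      <form action="/auth" method="post">
        <input name="username"><input type="password" name="pw">
        <input type="submit" value="Sign in">
      </form>
      <form action="/search"><input name="q" placeholder="Search"></form>""",
    "https://bank.example/apply": """
      <form action="http://legacy.bank.example/apply" method="post">
        <input name="full_name"><input type="email" name="contact">
        <input name="date_of_birth">
      </form>""",
    "http://promo.bank.example/contact": """
      <form action="https://secure.bank.example/contact" method="post">
        <input name="name"><input name="phone">
      </form>""",
}


def scan_pages(pages):
    """Scan {page_url: html}; return (page, kind, action, reasons) for each insecure PII form."""
    findings = []
    for url, html in pages.items():
        for rec in classify_forms(url, html):
            if rec["insecure"]:
                findings.append((url, rec["kind"], rec["action"], rec["reasons"]))
    return findings


if __name__ == "__main__":
    for finding in scan_pages(SAMPLE_PAGES):
        print(*finding)
```

On the three constructed pages the login form is clean (https page, https action), the application form is flagged because its action points at a cleartext legacy host, and the contact form is flagged even though its action is https, because the page carrying it was delivered over http. In a real crawl the same classifier would be run over every page, iframe and pop-up document in the inventory, with a separate TLS probe per host for the certificate conditions listed above.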
Companies that haven't already implemented encryption for all collection and transmission of personal information will have missed the boat for complying with the fast-approaching GDPR. Learn more about RiskIQ's GDPR solution here, and contact us here to find out how we can help your organization comply with the regulation.