Over one third of all the public web pages of leading UK companies that collect personal information violate a key principle of new European data protection
With just a year to go before the deadline to comply with the EU General Data Protection Regulation (GDPR), many UK firms’ websites are capturing personal data insecurely, a study shows.
More controls are needed because most data capture forms found on websites fall within the scope of the GDPR, according to new research by digital threat management firm RiskIQ.
The EU regulation requires that provisions should be in place to ensure that personally identifiable information (PII) is captured and processed securely.
In the UK, the Information Commissioner has provided guidance that, in the case of data loss where encryption software has not been used to protect the data, regulatory action may be pursued.
The study revealed that 34% of the web pages of FT30 firms that collect PII do so insecurely: 29% are not using encryption at all, 3.5% are using vulnerable encryption algorithms, and 1.5% have expired security certificates.
Beyond being a violation of the GDPR, the study said, insecure collection of PII exposes a company to loss of personal data, profit and reputation, which is a legitimate concern for consumers and shareholders.
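The three failure classes the study counted (submission without encryption, weak encryption, expired certificate) are things a company can check for itself before a regulator or an attacker does. The script below is an added example, not RiskIQ's tooling or anything from the study: it parses a page's forms, flags those that collect personal data and would submit it over plain HTTP, and classifies already-gathered TLS facts (protocol version, cipher name, certificate notAfter) as weak or expired. The PII field-name hints, the weak-protocol and weak-cipher lists, and the sample HTML page are all constructed for the example.

```python
"""Audit a page's forms and TLS facts for the insecure-collection patterns
the RiskIQ study counted. Added example: runs offline on constructed input."""
import ssl
import time
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic field-name hints that a form collects personal data (assumed).
PII_HINTS = ("email", "name", "phone", "address", "postcode", "dob", "card")

# Protocol versions (as returned by SSLSocket.version()) and cipher-name
# markers treated as vulnerable for this example (assumed list).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method and input names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {
                "action": attrs.get("action") or "",
                "method": (attrs.get("method") or "get").lower(),
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(attrs.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def collects_pii(form):
    """True if any input name matches one of the PII hints."""
    return any(h in n.lower() for n in form["inputs"] for h in PII_HINTS)


def audit_forms(page_url, html):
    """Return (submit_url, issue) for each PII form that does not submit over
    HTTPS. A relative action inherits the page's scheme, so a form on an
    http:// page is insecure even when its action looks innocuous."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not collects_pii(form):
            continue
        target = urljoin(page_url, form["action"])
        scheme = urlsplit(target).scheme.lower()
        if scheme != "https":
            findings.append((target, f"no encryption: form submits over {scheme or 'unknown'}"))
        elif form["method"] == "get":
            # Not one of the study's categories, but personal data in a query
            # string lands in server, proxy and browser-history logs.
            findings.append((target, "personal data sent in URL query string (GET)"))
    return findings


def audit_tls(protocol, cipher, not_after, now=None):
    """Classify TLS facts as gathered from SSLSocket.version(), .cipher()[0]
    and getpeercert()['notAfter'] (OpenSSL text, e.g. 'May 25 00:00:00 2018 GMT').
    `now` is epoch seconds; defaults to the current time."""
    issues = []
    if protocol in WEAK_PROTOCOLS or any(m in cipher.upper() for m in WEAK_CIPHER_MARKERS):
        issues.append(f"vulnerable encryption: {protocol} {cipher}")
    expiry = ssl.cert_time_to_seconds(not_after)
    if expiry < (time.time() if now is None else now):
        issues.append(f"expired certificate: notAfter {not_after}")
    return issues


# Constructed sample page: a newsletter form (relative action), a contact form
# posting to a legacy plain-HTTP host, and a search form that collects no PII.
SAMPLE_PAGE = """
<form action="/subscribe" method="post"><input name="email"></form>
<form action="http://legacy.example.com/contact" method="post">
  <input name="full_name"><input name="phone"></form>
<form action="/search" method="get"><input name="q"></form>
"""

if __name__ == "__main__":
    for url in ("https://www.example.com/", "http://www.example.com/"):
        print(url, audit_forms(url, SAMPLE_PAGE))
    print(audit_tls("TLSv1", "RC4-SHA", "May 25 00:00:00 2018 GMT"))
```

To feed `audit_tls` from a live host, open the connection with `ssl.create_default_context()` and read `version()`, `cipher()[0]` and `getpeercert()["notAfter"]` from the wrapped socket; note that with a default (verifying) context an expired certificate fails the handshake with `ssl.SSLCertVerificationError`, and that failure is itself the finding. The form check only sees the HTML you give it; forms injected by JavaScript after load need a browser-driven crawl.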
In addition to liability for claims by individuals, Article 83 sets administrative fines for GDPR infringements of up to €10m or 2% of global annual turnover for the preceding financial year, whichever is greater, rising to €20m or 4% for the more serious categories of infringement.
This applies to any company that offers goods or services to, or monitors the behaviour of, individuals in the EU, regardless of whether the firm has a physical presence in Europe.
The GDPR also requires companies to state clearly at the point of capture how they will use an individual’s data. Where consent is relied on, it must be unambiguous and given through a clear affirmative action such as ticking a box, a significant departure from the “opt out” process (pre-ticked boxes, silence or inactivity) most organisations currently have in place.
The challenge for large, global organisations is the sheer volume and complexity of websites and web applications that need to be accounted for, not only for security purposes, but also for regulatory compliance, such as the GDPR.
Information commissioner Elizabeth Denham called on businesses to see the benefits of sound data protection and act now to prepare for what she called “the biggest change to data protection law for a generation”.
However, 24% of companies polled in the UK and US expect to miss the GDPR compliance deadline and 30.6% said they had no timetable for being GDPR compliant, according to security firm Guidance Software.
Almost 18% said they were in the moderate planning stages and 11% said they were only in the initial stages of implementing processes to ensure compliance.