FTSE 30 Companies Risk Violating Key GDPR Principle, According to New RiskIQ Research

by Angela Guess

A new press release reports, “With one year remaining until the commencement of EU General Data Protection Regulation (GDPR), new research by RiskIQ reveals that more than one-third of all public web pages of FTSE 30 companies capturing personally identifiable information (PII) are in danger of violating the regulation by doing so insecurely. When assessing the public websites of FTSE 30 organizations, RiskIQ found that more controls on external facing web assets, known as an organization’s digital footprint, are needed in order to support requirements ahead of the fast-approaching GDPR deadline. Most data capture forms found on websites fall within the scope of GDPR as they collect personal data. The regulation emphasizes that provisions should be in place to ensure that PII is securely captured and processed. In the UK, the Information Commissioner has provided guidance that, in the case of data loss where encryption software has not been used to protect the data, regulatory action may be pursued.”

The release goes on, “RiskIQ research on the public facing websites of FTSE 30 organizations reveals: 99,467 live websites in total, an average of 3,315 websites per organization; 13,194 pages on those sites that collect PII, an average of 440 pages per organization; 34% of pages that collect PII are doing so insecurely; 29% are not using encryption; 3.5% are using very old, vulnerable encryption algorithms; 1.5% have expired certificates. Insecure collection of PII is not just a GDPR compliance violation. The loss of personal data, profit, and reputation resulting from the use of insecure forms is a legitimate concern for consumers, as well as shareholders. In addition to personal claim liability, Article 83 provides guidance on fines for GDPR faults, which start at the greater of €10m or 2% of global annual turnover for the preceding financial year, or even double depending on the infraction. This applies to all companies actively engaging with European citizens, regardless of whether they have a physical presence in Europe.”
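The findings above fall into two of the checks a site owner can run against their own pages: does a form that asks for personal data submit over plain HTTP (including a form on an HTTPS page whose action points at an http:// endpoint), and has the certificate behind it expired. The script below is an added illustration written for this article, not RiskIQ's tooling or methodology; the PII field-name hints, the sample pages and the certificate dates are all constructed, and the "old algorithm" check from the release is out of scope here because it requires a live TLS handshake.

```python
"""Added example: flag PII-collecting HTML forms that submit insecurely,
and flag expired certificate dates.  All inputs are constructed samples;
this is not RiskIQ's scanner."""
from datetime import datetime, timezone
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Substrings in input names that suggest personal data (assumed hint list).
PII_HINTS = ("email", "name", "phone", "address", "dob", "postcode")


class FormCollector(HTMLParser):
    """Collect every <form> with its action URL and the names of its fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def collects_pii(fields):
    """True if any field name looks like it captures personal data."""
    return any(hint in f for f in fields for hint in PII_HINTS)


def audit_page(page_url, html):
    """Return one finding per PII-collecting form on the page.

    The form is 'insecure' when the URL it actually submits to (the action
    resolved against the page URL, or the page itself) is not https."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not collects_pii(form["fields"]):
            continue
        target = urljoin(page_url, form["action"] or page_url)
        findings.append({
            "page": page_url,
            "submits_to": target,
            "insecure": urlparse(target).scheme != "https",
            "fields": form["fields"],
        })
    return findings


def cert_expired(not_after, now=None):
    """True if an X.509 notAfter value ('YYYYMMDDHHMMSSZ', as printed by
    many TLS tools) is in the past relative to `now` (default: current UTC)."""
    expiry = datetime.strptime(not_after, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return expiry < now


def summarize(pages):
    """Aggregate findings across (url, html) pairs: how many PII-collecting
    forms were seen and what share of them submit insecurely."""
    findings = [f for url, html in pages for f in audit_page(url, html)]
    insecure = sum(1 for f in findings if f["insecure"])
    pct = round(100.0 * insecure / len(findings), 1) if findings else 0.0
    return {"pii_forms": len(findings), "insecure": insecure, "insecure_pct": pct}


# Constructed sample pages (hostnames and paths are placeholders).
PAGE_HTTP = ("http://www.example.com/contact",
             '<form action="/submit" method="post"><input name="full_name">'
             '<input name="email"><textarea name="message"></textarea></form>')
PAGE_DOWNGRADE = ("https://www.example.com/signup",   # HTTPS page, HTTP endpoint
                  '<form action="http://legacy.example.com/api/signup">'
                  '<input name="email"></form>')
PAGE_OK = ("https://www.example.com/newsletter",
           '<form action="/subscribe"><input name="email"></form>')
PAGE_NO_PII = ("http://www.example.com/",
               '<form action="/search"><input name="q"></form>')
SAMPLE_PAGES = [PAGE_HTTP, PAGE_DOWNGRADE, PAGE_OK, PAGE_NO_PII]

if __name__ == "__main__":
    for url, html in SAMPLE_PAGES:
        for f in audit_page(url, html):
            print(("INSECURE" if f["insecure"] else "ok      "), f["page"], "->", f["submits_to"])
    print(summarize(SAMPLE_PAGES))
    print("expired:", cert_expired("20170101000000Z"))
```

The resolved submission URL, not the page URL, is what matters: the second sample page is served over HTTPS yet still posts the e-mail address to an http:// endpoint, which is exactly the kind of form a page-level TLS check would miss.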

Read more at RiskIQ.com.

Photo credit: RiskIQ