With a year remaining until the European Union’s General Data Protection Regulation (GDPR) takes effect, research by security firm RiskIQ finds that more than a third of the public web pages of FTSE 30 companies that capture personally identifiable information do so insecurely, putting those companies at risk of violating the regulation.
Most data capture forms found on websites fall within the scope of GDPR because they collect personal data, and the regulation requires that appropriate measures be in place so that the information is captured and processed securely. RiskIQ said that insecure collection of information is not just a GDPR compliance problem: the loss of personal data, profit and reputation that can follow from the use of insecure forms is an issue for consumers as well as shareholders.
In addition to liability for claims brought by individuals, Article 83 sets out administrative fines for GDPR infringements. The lower tier allows fines of up to €10m or 2% of global annual turnover for the preceding financial year, whichever is higher; the upper tier, for the more serious infringements, doubles this to €20m or 4%. The regulation applies to any company that processes the personal data of individuals in the EU, whether or not it has an establishment there.
GDPR ‘hygiene’ extends beyond secure collection. Under the regulation’s lawfulness, fairness and transparency principle, organisations must clearly state at the point of capture how they will use an individual’s data. Consent must be freely given and demonstrated through a clear affirmative action, such as ticking an unticked box; pre-ticked boxes, silence or inactivity do not count. This is a significant departure from the ‘opt out’ process most organisations have in place today.
The challenge for large, global organisations is the sheer volume and complexity of websites and web applications that need to be accounted for, not only for security purposes but also for regulatory compliance such as GDPR.
“Thorough knowledge of an organisation’s web presence is crucial to steering clear of potential GDPR repercussions,” said Colin Verrall, vice president, RiskIQ EMEA. “Our customers are using RiskIQ’s Digital Footprint to capture their full digital footprint and actively identify potential areas of non-compliance, including insecure data collection pages and forms.”