Major UK companies at risk of breaking key GDPR principle on collecting PII


New research shows that more than a third of all public web pages of FTSE 30 companies that capture personally identifiable information (PII) are in danger of violating the GDPR by doing so insecurely.

The FTSE 30 is made up of the 30 most influential companies listed on the London Stock Exchange. The study by RiskIQ, which looked at the sites of these organizations, finds that more controls on outward-facing web assets are needed.

The study found 13,194 pages on sites owned by these companies that collect PII, an average of 440 pages per organization. Of these, 34 percent collect PII insecurely: 29 percent are not using encryption, 3.5 percent are using very old, vulnerable encryption algorithms, and 1.5 percent have expired certificates.

Insecure collection of PII is of course not just a GDPR compliance violation. The loss of personal data, profit, and reputation resulting from the use of insecure forms is a legitimate concern for consumers, as well as shareholders. In addition to personal claim liability, GDPR's Article 83 provides guidance on fines for faults. These start at the greater of €10m or two percent of global annual turnover for the preceding financial year. This applies to all companies actively engaging with European citizens, regardless of whether they have a physical presence in Europe.

"Thorough knowledge of an organization's web presence is crucial to steering clear of potential GDPR repercussions," says Colin Verrall, vice president of RiskIQ EMEA. "Our customers are using RiskIQ Digital Footprint to capture their full digital footprint and actively identify potential areas of non-compliance, including insecure data collection pages and forms."

You can find out more about insecure forms and the risks they pose on the RiskIQ blog.
