With one year remaining until the EU General Data Protection Regulation (GDPR) comes into force, new research by RiskIQ has revealed that more than one-third of the public web pages of FTSE 30 companies that capture personally identifiable information (PII) are in danger of violating the regulation by doing so insecurely.
When assessing the public websites of FTSE 30 organisations, RiskIQ found that more controls on external-facing web assets, collectively known as an organisation’s digital footprint, are needed to meet the requirements ahead of the fast-approaching GDPR deadline.
Most data capture forms found on websites fall within the scope of GDPR as they collect personal data. The regulation emphasises that provisions should be in place to ensure that PII is securely captured and processed. In the UK, the Information Commissioner has provided guidance that, in the case of data loss where encryption software has not been used to protect the data, regulatory action may be pursued.
The research on the public-facing websites of FTSE 30 organisations revealed 99,467 live websites in total, an average of 3,315 websites per organisation. Of these, 13,194 pages collect PII, an average of 440 pages per organisation. Crucially, 34% of pages that collect PII are doing so insecurely, with 29% not using encryption at all.
Insecure collection of PII is not just a GDPR compliance violation. The loss of personal data, profit, and reputation resulting from the use of insecure forms is a legitimate concern for consumers, as well as shareholders.
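The "insecure collection" the research counts is a data capture form that is served or submitted without TLS. The following audit script is an added example, not RiskIQ's tooling or any code from the research: it parses a page's HTML, picks out forms whose inputs look like personal data (the field-type and field-name heuristics are an assumption and should be tuned per site), and flags any such form where either the page or the form's resolved action URL is not https. The sample pages are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristics for inputs that typically carry personal data.
# Assumption: these hints are illustrative and should be tuned per organisation.
PII_INPUT_TYPES = {"email", "tel", "password"}
PII_NAME_HINTS = ("email", "phone", "name", "address", "postcode", "zip", "dob", "birth")


class FormCollector(HTMLParser):
    """Collects every <form> on a page together with its action and input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            self._current["inputs"].append(
                {"type": (a.get("type") or "text").lower(),
                 "name": (a.get("name") or "").lower()}
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def collects_pii(inputs):
    """True if any field looks like it carries personal data (heuristic)."""
    for inp in inputs:
        if inp["type"] in PII_INPUT_TYPES:
            return True
        if any(hint in inp["name"] for hint in PII_NAME_HINTS):
            return True
    return False


def audit_page(page_url, html):
    """Return one finding per PII-collecting form that is not protected by TLS end to end.

    A form is insecure if the page hosting it was served without TLS (the form itself
    can be tampered with in transit) or if the submission target is not https
    (the personal data travels in the clear).
    """
    parser = FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        if not collects_pii(form["inputs"]):
            continue
        # Resolve relative actions against the page URL; an empty action posts to the page.
        target = urljoin(page_url, form["action"])
        target_scheme = urlsplit(target).scheme.lower()
        reasons = []
        if page_scheme != "https":
            reasons.append("page served without TLS")
        if target_scheme != "https":
            reasons.append("form submits without TLS")
        if reasons:
            findings.append({"page": page_url, "action": target, "reasons": reasons})
    return findings


# Constructed sample pages (not real sites) covering the cases the audit distinguishes.
SAMPLE_PAGES = {
    "http://www.example.com/contact":
        '<form action="/submit" method="post"><input type="text" name="full_name">'
        '<input type="email" name="email"><button>Send</button></form>',
    "https://www.example.com/login":
        '<form action="http://api.example.com/login" method="post">'
        '<input type="text" name="user"><input type="password" name="pass"></form>',
    "https://www.example.com/newsletter":
        '<form action="/subscribe" method="post"><input type="email" name="email"></form>',
    "https://www.example.com/search":
        '<form action="/search"><input type="text" name="q"></form>',
}


def audit_all(pages):
    """Audit every page and return (pii_form_count, insecure_form_count, findings)."""
    pii_forms = 0
    findings = []
    for url, html in pages.items():
        parser = FormCollector()
        parser.feed(html)
        pii_forms += sum(1 for f in parser.forms if collects_pii(f["inputs"]))
        findings.extend(audit_page(url, html))
    return pii_forms, len(findings), findings


if __name__ == "__main__":
    total, insecure, hits = audit_all(SAMPLE_PAGES)
    print(f"{insecure} of {total} PII-collecting forms are insecure")
    for hit in hits:
        print(hit["page"], "->", hit["action"], ";", ", ".join(hit["reasons"]))
```

Run against a real crawl, the per-form findings give a site owner the same kind of ratio the research reports (insecure PII forms as a share of all PII forms), and the reasons field separates forms that merely sit on an http page from those that post credentials or contact details to an http endpoint.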
In addition to personal claim liability, Article 83 provides guidance on fines for GDPR breaches, which start at the greater of €10m or 2% of global annual turnover for the preceding financial year, or double that depending on the infraction. This applies to all companies actively engaging with European citizens, regardless of whether they have a physical presence in Europe.
GDPR hygiene extends beyond secure collection. As part of the regulation’s fairness and transparency guidelines, organisations must clearly state at the point of capture how they’ll be using an individual’s data.
Permission to use their data must be explicit and demonstrated through an action such as ticking a box, a significant departure from the ‘opt out’ process most organisations have in place today.
Bob Tarzey, analyst and director, Quocirca Ltd., said “While this RiskIQ research is focused on large UK companies, the findings will be representative of all organisations. Many will already have the data security basics in place to comply with the regulations that precede GDPR. However, GDPR has many additional requirements, especially around the way data is captured and processed. These include obtaining explicit opt-in from data subjects. Before an organisation can address GDPR, it needs to fully understand the extent of its online data gathering activities. With enforcement of GDPR less than a year away, the time to act is now.”
The challenge for large, global organisations is the sheer volume and complexity of websites and web applications that need to be accounted for, not only for security purposes but also for regulatory compliance such as GDPR.