ICO Fines Historically Low Since GDPR Whilst Business Websites Remain Vulnerable
As company websites continue to collect personally identifiable information (PII) without following adequate data protection practices or regulations, newly released figures show that only 0.25% of data breaches reported to the Information Commissioner's Office (ICO) result in a fine.
The latest research from RiskIQ suggests that the way law firms and financial services organisations gather data on potential and current clients is breaching GDPR.
Of the 48,949 websites analysed by RiskIQ, 4,512 exposed data entry points to site visitors. Of those, 522 websites (11.5%) were insecurely collecting sensitive information such as names, addresses and dates of birth, which could breach data protection regulations and expose client information to online attackers.
Furthermore, 442 of the 3,940 websites with a login page were also insecurely capturing the information users enter into it. Given how readily captured password data can be abused, website vulnerabilities of this nature could have catastrophic effects.
Despite these website oversights and the growing number of firms falling victim to cyber crime, only a small fraction of the businesses that inform the ICO of a data breach are actually fined by the regulator.
According to information released by Digi.me, between 25 May 2018 and March 2019, 11,468 organisations self-reported a data breach within the ICO's 72-hour guideline. However, only 29 of these reports (0.25%) were considered serious enough for a fine to be issued.
The Freedom of Information request also found that 37,798 GDPR-related concerns were lodged by members of the public. That this figure is almost three times the number of data breach investigations the ICO carried out in the same period highlights the pressure the regulator is currently under.
The small number of firms being fined has led some to speculate that it could deter organisations from planning for GDPR, ultimately driving down standards and placing more information at risk.
However, the ICO says its role extends beyond issuing fines, and that appropriate education delivers more robust GDPR compliance than punishment alone.
An ICO spokesperson commented:
“We are a proportionate and pragmatic regulator, our work is not just about fines – we prefer education to enforcement but will take our strongest action against those that wilfully, negligently or consistently flout the law.”
Jon Baines, Data Protection Advisor at Mishcon de Reya, said:
“The results certainly point to failures to comply with the security principle of GDPR; the extent to which these are serious failings, of the kind which might warrant regulatory action, will depend on the individual facts of the cases.
“It would be interesting to know if the organizations are even aware, and if they are, whether any will report these breaches (as arguably they should) to the Information Commissioner’s Office.”
Fabian Libeau, VP EMEA at RiskIQ, commented:
“This research shows that organizations are continuing to make progress in ensuring that personal data entered online is collected in a secure manner.
“However, that we still see instances serves to highlight that there is more to be done. Most organizations are continuing to expand their web presence and it’s vitally important that they maintain a complete inventory of those sites and the PII collecting pages they contain.”
Julian Ranger, founder of digi.me, said:
“There is a clear problem with individuals and businesses over-reporting to the ICO. This data demonstrates the extent to which the ICO is inundated by concerns from businesses and the public, the vast majority of which are not serious enough for any kind of penalty or even to warrant an investigation.
“Businesses and individuals are clearly unsure what constitutes a serious breach of sensitive data. There is no public confidence that personal data is being handled responsibly – any organization that collects personal data should put an informed consent process in place, which has the double benefit of putting individuals back in control of their personal data while also being fully compliant with regulation.”
Is your law firm's website compliant with GDPR? Should the ICO become far more assertive in ensuring that GDPR is adhered to by all the organisations it regulates?