A new report has found that the majority of the UK’s most popular websites are failing to comply with GDPR.
The study from ImmuniWeb found that 86 of the top 100 sites visited in the UK did not meet their obligations, with all of them handling user data via insecure cookies.
As IT Pro reports:
The stats reveal that sites operating across the rest of Europe are more likely to be compliant with GDPR. A study of popular sites in France found 83 of its top 100 were non-compliant, while in Germany this fell to 50. The reasons for this are noticeably different, however, as sites in France and Germany are far more likely (50% and 40% respectively) to have missing or hard to reach privacy policies.
“We can see laudable efforts aimed to improve web application security and adhere to GDPR requirements amid European companies,” said Ilia Kolochenko, CEO and founder of ImmuniWeb. “However, there is a long road before the majority of organisations value actual security above paper-based compliance thereby providing their users with the privacy and security they truly deserve.”
You can read the full article from IT Pro here: https://www.itpro.co.uk/policy-legislation/33726/most-of-the-uks-top-websites-fail-gdpr-claims-immuniweb
With GDPR now over a year old, these are worrying statistics. Compliance should have been met before it even came into force; failing to comply with GDPR now is inexcusable.
That the UK is lagging behind other countries (although only just behind some of them) would seem to indicate that GDPR is less of a concern for British organisations than it is for the rest of the EU.
Yet even with uncertainties over Brexit, GDPR will remain as the framework for Britain’s data protection laws. Failing to comply with GDPR is unacceptable no matter what happens when the UK leaves the EU.
If you’re yet to ensure GDPR compliance at your organisation, Activa Consulting is here to help. Our Gap Analysis service will identify the potential risks to your business and recommend what changes you need to make. Click here to contact us now!
The impact GDPR has already had shouldn’t be ignored. Between May 25th and July 3rd 2018, the ICO already received an immense 6,281 complaints concerning possible data breaches. This is a 160% increase on the same period in 2017, demonstrating how GDPR has raised awareness of how personal data is used and the protection regulations surrounding it – this is an issue that many people have taken to heart. But what about GDPR compliance after Brexit?
The United Kingdom may be leaving the EU on March 29th 2019, but that won’t mean the end of GDPR. Whether a deal is reached or not, the data legislation will still hold for British businesses. The European Union (Withdrawal) Act 2018 ensures that when Brexit comes into effect, GDPR will be incorporated into UK law – so fundamentally, GDPR compliance after Brexit will remain the same.
Anyone hoping to use Brexit to evade the ramifications of GDPR will be sorely disappointed. There will likely be some small changes to make GDPR fit the UK’s individual needs, leading to separate “UK” and “EU” versions of GDPR, but the framework will probably remain the same.
What does this mean for UK firms? Ultimately, GDPR compliance should still be a major focus. Once the UK leaves the EU, there will be little change to data protection regulation, meaning that the same measures need to be taken both pre- and post-Brexit. While the exact details remain to be seen, it is likely that data breaches will be treated in a similar manner, with near-identical penalties for data breaches.
There is an additional factor, however. With the UK no longer a member state, it’s uncertain whether data will continue to flow freely into and out of the EU. It’s important to keep an eye on how this issue develops; it will depend on the eventual deal between the UK and EU. It seems likely that a solution will be found, but companies should put safeguards in place for either eventuality.
Fundamentally, GDPR is here to stay. Brexit won’t change that, and with greater media attention on data protection, it’s at the forefront of everyone’s minds. The penalties for non-compliance are severe, and not to be risked.
For our help in ensuring GDPR compliance after Brexit and before, contact us today for our Gap Analysis and consulting. We also offer Data Protection Staff Training to improve the data protection knowledge and confidence of your employees.
When the UK leaves the EU, many things will change. GDPR after Brexit will still affect the UK in major ways. Read this article for further important information on GDPR after Brexit: http://realbusiness.co.uk/law/2017/05/24/brexit-doesnt-mean-end-gdpr-compliance-uk-businesses/
GDPR regulations come into place May 2018, before the UK leaves the EU. Therefore, for at least the remaining time the UK is part of the EU, GDPR will affect UK organisations. But once Brexit comes into place and the UK leaves the EU, how will GDPR compliance be affected?
Once the UK leaves the EU it becomes a “Third Country”, which is essentially a country outside the EU. Countries such as the USA, Australia and New Zealand are all Third Countries, for example. Third Countries have different data protection laws from the EU, but many organisations in those countries will still be affected.
GDPR should not be thought of as a law for EU companies, but a law for EU citizens. Hence, any organisation, whether part of the EU or not, must comply with GDPR for any EU citizens they hold Personally Identifiable Information (PII) on.
So, an American-based company must comply with GDPR if it holds personal data on any EU citizens. This is not likely to affect smaller companies in Third Countries massively, but large organisations with branches all over the world will be hugely affected.
This includes the UK. As a Third Country, all UK organisations that hold data on EU citizens will have to comply with GDPR. This is likely to affect UK organisations more than those in other Third Countries because of the UK’s prior involvement with the EU: you would expect UK organisations to be more likely to hold data on EU citizens.
It is, though, entirely possible that once GDPR becomes national law in the UK, the government will retain those laws post-Brexit.
The UK government’s Data Protection Bill has already essentially confirmed that GDPR (or regulations that are similar to GDPR) will remain in force. In fact, the laws here may even be stricter than the current GDPR laws.
The UK has begun negotiations to make a pact with the EU to continue the free transfer of data post-Brexit (see this article). The UK Data Protection Bill then seems intended as a signal to the EU that the UK will continue to be a safe place for EU citizens’ data.
If the UK has the same or similar data protection regulations as the remainder of the EU, it is more likely that the EU will accept this pact and data will continue to flow freely.
Another important element of GDPR post-Brexit is the potential need for Data Protection Officers (DPOs). If a business is deemed to need a DPO under GDPR, it will need a nominated representative to carry out the DPO duties. This representative needs to be based within the EU, i.e. not in the UK, which is fine for multinationals. However, this will be troublesome for UK businesses that have even just a few EU citizens as customers.
GDPR after Brexit will still be an important regulation for UK-based organisations, with the UK government even taking the regulations as a template for its own adaptation of the laws, but there will be many complications and issues…
Britain is in a unique and convoluted situation concerning GDPR. With the complications that will undoubtedly arise after Brexit comes into place, Britain’s lawmakers are attempting to maintain some influence and power regarding the EU data regulations.
Certain figures in the British Government claim it will be beneficial for both the UK and the EU – this is not wholly untrue – Britain will still likely need to hold data from Europe and likely in higher quantities than countries such as the US and Australia, for example.
America and Australia are two such examples of “Third Countries” – any country that is not part of the EU – and Britain will become one of these Third Countries under the data transfer rules in the GDPR. Personal data can only be exported by a business established in the EU to a Third Country, such as the UK, if there is an “adequate level of protection” for such data. Brexit will also mean the EU-US Privacy Shield will cease to apply between the UK and the US.
What the UK are attempting to do, though, is to continue to allow data to be free-flowing between EU regulated countries and themselves. Whether the EU will allow the UK to continue to interfere with their rules is unclear, and it further calls into question whether Brexit is going to be beneficial to the UK.
If Britain are to leave the EU, it seems contradictory and hypocritical to then try and influence the EU laws further. Yes, we must try and keep data free-flowing and as highly protected as possible for EU residents, but we can’t expect to be able to influence laws that will no longer be within our jurisdiction. The UK Data Protection Bill seems an obvious attempt to reassure the EU that we’ll remain just as safe a harbour for Personal Data as before – if we weren’t, many banks would surely be unable to retain the UK for head offices.
At Activa we can distil what the new laws really mean for your business and how to remain compliant with both GDPR and the UK Data Protection Bill during the turbulent transition period. Contact us using the form on the right to get a custom quote for your needs.
Read more on the UK’s attempt to maintain its influence on EU data regulations in this BBC article by Chris Baraniuk: http://www.bbc.co.uk/news/technology-41036551