Post GDPR week two: 75% likely to be non-compliant

Two weeks after the May 25th GDPR deadline passed, at least 75% of businesses still appear likely to be non-compliant.

Post GDPR compliance readiness week 2

Sector performance

So far, surprisingly, only 10% of the legal sector seemed to be heading in the right direction, and 0% of the health sector. Both, of course, hold highly sensitive data, particularly the latter.

Opt-in on web contact form

35% did not have an opt-in box on their web contact form – and 46% had avoided having a web contact form altogether, a significant increase. Perhaps one explanation for this – assuming that ‘consent’ is not the legal basis – is that organisations prefer to have no form at all rather than engineer the IT behind the consent opt-in information and the data management and governance processes that lie behind it.

Privacy Notice

27% omitted the required Privacy Notice, compared to 22% the previous week.

Data subject rights

45% did not include any Data Subject Rights in their Privacy Notice. Some of those that did had clearly not read the ICO instructions regarding Data Subject Rights.

Cookie statement

63% omitted a cookie statement altogether.

Cookie preference pop-up

59% did not provide specific details of the cookies being deployed, nor did they use a declaration pop-up so that users could express preferences before browsing the website in question (and hence downloading the cookies without even realising it).


Incorvus has contacted the organisations that were surveyed to bring these potential vulnerabilities to their attention. Despite organisations requesting such feedback as part of their privacy diligence, so far only 1% have acknowledged or replied to this feedback. We do not yet know who has acted upon it.

If you would like further information, or our assistance, please contact Incorvus for details. The above analysis relates to the week ending 31/5/2018.