Two weeks after the May 25th GDPR deadline passed, at least 75% of businesses likely to be non-compliant.
Sector performance
So far, surprisingly, only 10% of the legal sector seemed to be heading in the right direction, and 0% of the health sector – who both, of course, hold highly sensitive data, particularly the latter.
Opt-in on web contact form.
35% did not have an opt-in box on their web contact form – and 46% had avoided having a web contact form altogether, a significant increase. Perhaps one explanation for this – assuming that ‘consent’ is not the legal basis – is that organisations prefer to have no form at all rather than have to engineer the IT behind the consent opt in information and the data management and governance processes that lie behind it.
Privacy Notice
27% omitted having the required Privacy Notice, compared to 22% the previous week.
Data subject rights
45% did not include any Data Subject Rights in their Privacy Notice. Some of those that did had clearly not read the ICO instructions regarding Data Subject Rights.
Cookie statement
63% omitted a cookie statement altogether.
Cookie preference pop-up
59% did not provide specific details of the cookies being deployed nor did they use a declaration pop-up so that users could express preferences before browsing the website in question (and hence downloading the cookies without even realising it).
Incorvus has contacted the organisations that were surveyed, to bring these potential vulnerabilities to their attention. Despite organisations requesting such feedback as part of their privacy diligence, so far only 1% have acknowledged or replied to this feedback. We do not know yet, who has acted upon it…..
The above analysis relates to the week ending 31/5/2018.