One year after the EU General Data Protection Regulation (GDPR) went into effect, 1 in 10 PII capturing websites belonging to the top 10 UK financial services organizations are still doing so without adequate security measures, potentially breaching GDPR guidelines, RiskIQ has discovered. Across 48,949 active websites, RiskIQ research found that out of 4,512 sites capturing PII through data entry points accessible by site visitors, 11.5 percent of these sites (522 sites) are capturing PII insecurely. This method is language agnostic and identifies PII capture regardless of the site language. Out of 3,940 public websites with a login page, 442 of these sites (11 percent) capture login information insecurely. Out of 572 sites capturing PII through data entry fields accessible by site visitors, 80 of these sites (14 percent) are capturing personal information insecurely. Insecure sites are defined as those websites that capture data in clear text using the HTTP protocol or sites with certificate issues, such as expired certificates, misconfigured certificates or using old and untrusted certificates.