Analysis Shows Poor GDPR Compliance in European Websites
Marking the one-year anniversary of GDPR coming into force (May 25, 2018), a web-scanning service has analyzed the visible GDPR compliance of the 100 most popular websites in each of the 28 European member states. The scan is non-intrusive. As a result, it cannot say that an organization is compliant (non-compliance can occur deep in the system), but it can say if an organization is not compliant simply by examining the parts that are visible over the internet.
The results are surprisingly inconsistent across the different countries, and generally not very reassuring. However, website security and use of HTTPS are promising, with average failure rates of just 6.75% and 5.96% respectively. Greece is the worst nation for website security, with a 38% failure rate. Malta is worst on HTTPS, with a 29% failure rate.
It should be said that these figures cannot be used for country comparisons. There is no normalization of results. Malta, for example, has a population of less than 500,000 while France (a 10% failing in HTTPS) has a population of more than 65 million. There will be a similar disparity in the number of websites in each country — meaning that a single failure in Malta will have a much greater effect on its percentage score than a single failing in France.
The results can, however, give broad views in certain areas. In the most populous areas, Germany and the UK both have a zero HTTPS encryption failing, while France has a 10% failing. This would generally suggest a need for HTTPS improvement in France.
France does, however, fare better than Germany and the UK (and Austria, Luxembourg — and Malta) in cookie protection or usage issues. France has a mere 80% failure rate; while the other five countries have a clean sweep 100% failure rate. Throughout Europe, cookie protection presents the highest single failure, with a 78.25% failure rate.
Ilia Kolochenko, CEO and founder of ImmuniWeb, sees the same distinction. “We can see laudable efforts aimed to improve web application security and adhere to GDPR requirements in European companies. However, there is a long road before the majority of organizations start valuing actual security above paper-based compliance, thereby providing users with the privacy and security they truly deserve.”
It will be several years before we see the real effect of GDPR on European data protection. The different national regulators are laboring under a common security problem: triaging many thousands of alerts. Overall, there have already been hundreds of thousands of breaches and complaints, but few fines. One often-quoted figure is that $57 million has been levied in GDPR fines so far — but once the single €50 million fine levied by CNIL against Google is excluded, it becomes a much smaller figure. The real fines have not yet filtered through the system.
It will be interesting if ImmuniWeb continues this survey annually — perhaps with greater detail — to see whether and when GDPR has a measurable effect on European websites.