It’s been just over one year since the European Union put into effect the General Data Protection Regulation (GDPR). Set up to establish rules for digital privacy and give consumers more control over their data, GDPR has been controversial because of the supposed burden it places on organizations in order to comply with the regulations. A new study conducted by security testing firm ImmuniWeb found that while companies have had ample time to get their sites and services up to date, many are still failing to meet some of the basic requirements set forth by GDPR.
The websites tested fared worst in complying with the rules for tracking cookies. GDPR requires companies to disclose when their websites use cookies to track user information and activity, especially if they may sell or otherwise monetize that information. It also requires companies to use secure cookies so that potentially sensitive information is handled properly. Nearly four out of five sites tested failed to meet these thresholds, either by not providing a notice that cookies are in use on the site or by using insecure cookies to harvest information.
Other problems are less prevalent, but they expose sites to data breaches and other exploits. Researchers found that nearly seven percent of all sites tested run outdated or vulnerable content management systems (CMS), which a malicious actor could leverage to gain access to sensitive information. Another six percent of websites failed to use HTTPS encryption, an essential requirement that ensures the connection between a user and a website is secure. Without HTTPS, there is no guarantee that information shared with the site won’t be intercepted by an attacker.
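As an added illustration of the two failure modes the study counts (cookies set without the Secure flag, and sites not served over HTTPS), the following Python audits a site’s URL and its Set-Cookie headers. This is example code written for this article, not ImmuniWeb’s tooling; the URL and headers are constructed.

```python
"""Audit Set-Cookie headers and a site URL for two GDPR-related weaknesses:
cookies set without the Secure flag and sites served without HTTPS.
Example code added here; the sample URL and headers are constructed."""
from urllib.parse import urlparse


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into its name/value pair and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value, "attrs": {}}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # Attribute names are case-insensitive (RFC 6265); bare flags get True.
        cookie["attrs"][key.strip().lower()] = val.strip() if val else True
    return cookie


def audit_cookie(cookie: dict) -> list:
    """Return the list of weaknesses found in a parsed cookie."""
    attrs = cookie["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure flag: cookie can be sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly flag: cookie readable by page scripts")
    if str(attrs.get("samesite", "")).lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires the Secure flag")
    return findings


def audit_site(url: str, set_cookie_headers: list) -> dict:
    """Audit a site URL plus its Set-Cookie headers; findings are keyed by cookie name."""
    report = {"https": urlparse(url).scheme == "https", "cookies": {}}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        report["cookies"][cookie["name"]] = audit_cookie(cookie)
    return report


# Constructed sample: a site still served over plain HTTP with two cookies.
SAMPLE_URL = "http://shop.example/"
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "tracking=xyz789; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT",
]

if __name__ == "__main__":
    result = audit_site(SAMPLE_URL, SAMPLE_HEADERS)
    print("served over HTTPS:", result["https"])
    for name, issues in result["cookies"].items():
        print(name, issues or ["ok"])
```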
“We can see laudable efforts aimed to improve web application security and adhere to GDPR requirements amid European companies,” Ilia Kolochenko, CEO and Founder of ImmuniWeb said in a statement. “However, there is a long road before the majority of organizations start valuing actual security above paper-based compliance thereby providing users with the privacy and security they truly deserve.”
Despite some organizations coming up short of the standards set by GDPR, the regulations largely appear to be working. The European Commission’s Justice and Consumers department revealed there have been 89,271 reported data breaches since the rules went into effect. (Under GDPR, organizations are required to disclose any data breach within 72 hours of discovery or face fines.) Fines issued in that time reportedly total €56 million (about $63 million).