Security Experts:

Analysis Shows Poor GDPR Compliance in European Websites

Marking the one-year anniversary of GDPR coming into force (May 25, 2018), a web-scanning service has analyzed the visible GDPR compliance of the 100 most popular websites in each of the 28 European member states. The scan is non-intrusive. As a result, it cannot say that an organization is compliant (non-compliance can occur deep in the system), but it can say if an organization is not compliant simply by examining the parts that are visible over the internet.

The firm concerned, ImmuniWeb (formerly High-Tech Bridge), has added GDPR scan components to its existing website security test, and made this a free offering. The four visible elements of GDPR compliance that it checks are access to the privacy policy, insecure use of cookies, outdated or vulnerable content management system (CMS) components, and lack of HTTPS encryption (or use of SSLv3, which is more than 20 years old and should have finally died with the POODLE attack in 2014).

The results are surprisingly inconsistent across the different countries, and generally not very reassuring. However, website security and use of HTTPS are promising, with an average of just 6.75% and 5.96% failures. Greece is the worst nation for website security, with a 38% failure rate. Malta is worst on HTTPS with a 29% failing.

It should be said that these figures cannot be used for country comparisons. There is no normalization of results. Malta, for example, has a population of less than 500,000 while France (a 10% failing in HTTPS) has a population of more than 65 million. There will be a similar disparity in the number of websites in each country -- meaning that a single failure in Malta will have a much greater effect on its percentage score than a single failing in France.

The results can, however, give broad views in certain areas. In the most populous areas, Germany and the UK both have a zero HTTPS encryption failing, while France has a 10% failing. This would generally suggest a need for HTTPS improvement in France.

France does, however, fare better than Germany and the UK (and Austria, Luxembourg -- and Malta) in cookie protection or usage issues. France has a mere 80% failure rate; while the other five countries have a clean sweep 100% failure rate. Throughout Europe, cookie protection presents the highest single failure, with a 78.25% failure rate.

Privacy policy failure rates are a little better. Austria and Ireland both have zero failings, while Finland fares worse with an 88% failure rate. Among the most populous countries, the UK leads with 17% failing, followed by France at 40% and Germany at 50%.

It is difficult to draw clear conclusions from this survey -- but two things do stand out. Firstly, not a single European country displays complete GDPR conformance across all its websites. Secondly, website operators seem to draw a distinction between security and compliance. Website security issues are given higher importance (an overall 6.75% failing) than cookie protection and privacy policy issues (78.25% and 51.5% failing respectively).

Ilia Kolochenko, CEO and founder of ImmuniWeb, sees the same distinction. "We can see laudable efforts aimed to improve web application security and adhere to GDPR requirements in European companies. However, there is a long road before the majority of organizations start valuing actual security above paper-based compliance, thereby providing users with the privacy and security they truly deserve."

It will be several years before we see the real effect of GDPR on European data protection. The different national regulators are laboring under a common security problem: triaging many thousands of alerts. Overall, there have already been hundreds of thousands of breaches and complaints, but few fines. One often-quoted figure is that there has been $57 million levied in GDPR fines so far -- but once the single €50 cmillion fine levied by CNIL against Google, it becomes a much smaller figure. The real fines have not yet filtered through the system.

It will be interesting if ImmuniWeb continues this survey annually -- perhaps with greater detail -- to see whether and when GDPR has a measurable effect on European websites.

Related: First GDPR Enforcement is Followed by First GDPR Appeal 

Related: GDPR Complaints Filed Against Eight International Streaming Companies 

Related: GDPR: One Year Down - Now What? 

Related: One Year on, EU's GDPR Sets Global Standard for Data Protection

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.