Has GDPR Been Kind to You So Far?
It is a year since the EU’s General Data Protection Regulation (GDPR) came into force, a moment that has generated huge debate within the security industry.
Were the new regulations potent enough to safeguard personal data? Would enterprises step up and implement new processes, tighten existing systems and deploy new technologies to cope? Twelve months on, not all of those answers are clear, but it is certainly the case that GDPR has ‘moved the needle’ across Europe and far beyond.
In pure numbers, there have been 144,376 violation complaints lodged under GDPR, and companies have also reported 89,271 data breaches; one of the new obligations on companies is to report data breaches within 72 hours of discovery.
Just one high-profile GDPR case accounts for the vast majority of the fines collected so far under GDPR: a bumper fine of 50 million euros levied against Google for lack of consent around advertising.
ImmuniWeb has included GDPR testing in the ImmuniWeb website security test for some time, and recently extended the GDPR scan to cover a host of core requirements under the legislation. Interestingly, running the test on the UK’s data watchdog, the Information Commissioner's Office (ICO), reveals that while the site gets the all-clear on GDPR (as one would expect), with an overall grade of ‘A-’, there is still work to do, with outdated CMS components dragging down the overall score. Meanwhile, a subdomain, ‘autodiscover.ico.org.uk’, gets an F grade.
ImmuniWeb has also conducted extensive research, widening the testing to the 100 most visited websites of each of the 28 EU member states to understand how closely GDPR has been applied to web applications. The full research and results are here.
On the bright side, GDPR has certainly raised awareness of data security across the board, with EU research finding that 67 per cent of Europeans have heard of the regulation. Another survey, from Apricorn, found that nearly 66 per cent of organisations now encrypt their data in hardware, up from half of organisations a year ago, possibly as a direct response to Article 32 of the GDPR. In addition, 41 per cent believe there has been an increase in the implementation of data encryption at rest and in transit since GDPR came into force. More spend is potentially in the pipeline, with 30 per cent of the security budget set to be spent on GDPR compliance, a massive leap from the 13.7 per cent reported in 2018.
However, in one unexpected ripple effect from GDPR, it has emerged that more than four in ten US news sites are still blocking EU citizens from accessing their sites because of concerns over GDPR compliance. A massive 42 per cent of US news sites, including The Chicago Tribune, New York Daily News, Orlando Sentinel and Newsday, still block EU visitors, according to research. Although the block was intended to be a short-term response to the introduction of GDPR, it seems to have become the status quo after 12 months, with an additional one in 10 (nine per cent) of US titles now offering a limited, inferior service to EU readers attempting to access US news online.
Overall, while it appears that GDPR has been a positive force in many ways, it is clear that there is plenty of work left to be done. While many enterprises focussed on ticking the compliance boxes as quickly as possible in the early days, time will prove a stern test of the new processes as they mature. How robust is your enterprise GDPR stance?