GDPR in Action: How the EU Fines Companies That Do Not Manage Passwords Appropriately
The European Union's General Data Protection Regulation (GDPR) came into effect very nearly two years ago, and it is causing just as many debates now as it did back in 2018. Some people continue to dismiss it as a useless piece of regulation that has produced nothing more than a wave of popups that EU citizens have to close whenever they visit a new website. Others reckon that it is the right response to the growing number of online threats that put our privacy at risk. To assess GDPR's success, however, you need to be clear about what it has actually changed. Let's start with its most visible effects.
GDPR and the users
Cookies don't exist merely to track you or invade your privacy. They are often essential to the correct operation of websites and online services (keeping you logged in, remembering a shopping cart, and so on). What the GDPR consent popups did was give you a choice: use the website to its full potential, while deciding whether advertisers and other third parties get to set the non-essential cookies they use for tracking. Has it worked, though?
Well, the fact of the matter is that many people either dismiss the popups or click "I Agree" without reading the notice, which shows that, to some extent, the measure is not particularly effective. At the same time, some users do decide that their privacy is worth a delay of a few seconds, so the popups are not completely useless.
For service providers, this was one of the easiest measures to implement, and you would be hard-pressed to find a website that doesn't at least try to tell you which companies may be about to process your data, so from that perspective the regulation is working. The problem lies more with users and their reluctance to read what they are agreeing to.
GDPR and online service providers
What some people might not realize is that the cookie popups were far from the only change GDPR brought. To comply, many companies had to rethink their risk assessments, their data protection mechanisms, their incident response plans, and their disclosure procedures: the regulation requires "appropriate technical and organisational measures" to protect personal data (Article 32) and, in most cases, notification of a breach to the supervisory authority within 72 hours (Article 33). Some companies knew they couldn't meet these requirements and withdrew, opting to stop offering their services in the EU. Others also failed to meet them but carried on regardless, hoping that they wouldn't be caught or, worse, targeted by cybercriminals.
This obviously didn't work out for everybody. According to a GDPR fine tracker from CoreView, EU authorities have imposed significant fines on more than 28 companies and have raised in excess of €428 million (about $465 million).
Most of the major violations consist of a failure to protect users' information, exposure of private data through other channels, or excessive collection of personal details. The number of violations can be read in two completely different ways. On the one hand, you might take it as a sign that the rules are working and that companies which don't comply are paying the price. On the other, a quick look at the reasons for the fines shows that quite a few organizations made some pretty basic security mistakes, and it's a safe bet that plenty of others are guilty of the same thing but have yet to be discovered.
All in all, GDPR will need a lot more time to have a significant impact on the way both users and service providers treat private data. And even when it does, it should not be considered a panacea. GDPR's goal is not to eliminate every threat to our online privacy, and it certainly can't put an end to data breaches. What it can (and hopefully will) do is ensure that the words "we take security very seriously" are more than a boilerplate statement issued in the aftermath of a cyberattack: a company that says so now has to be able to show the measures, the breach notification, and the incident response that back it up.