Two-thirds of startups ill-prepared for GDPR
While most startups collect personal data, a survey reveals that many are not very well prepared for compliance with the EU’s forthcoming data protection regulation
Some 91% of more than 4,000 startup companies polled, mainly in the UK (48%) and France (13%), admit to collecting personal data, but many rank poorly in terms of readiness for the EU’s General Data Protection Regulation (GDPR), a survey has shown.
The average GDPR-readiness score was 4.1 out of 10, with the banking and insurance sector scoring the highest (4.4) and construction and real estate scoring the lowest (3.2), according to the survey commissioned by email service provider Mailjet, which also included respondents from startups in the US (7%), Belgium (4%) and Germany (3%).
The proportion of startups collecting personal data from their clients is highest in the banking and insurance sector (93%) and lowest in the hospitality and tourism sector (85%). With only an 8% difference across all sectors, however, it appears that personal data collection is at the core of most startups’ business.
The survey also revealed gaps in how startups protect the personal data they hold. Only 29% of startups polled encrypt the personal data they collect, and only 34% said they have a data breach notification plan in place, even though the GDPR will require organisations to notify the relevant supervisory authority of a qualifying breach within 72 hours of becoming aware of it.
“Launching a startup today means doing so amongst a sea of pre-existing regulations, and the best founders won’t ignore this. They have an opportunity to build their systems right from the very beginning and avoid penalties such as those GDPR will impose,” said Pierre Puchois, chief technology officer at Mailjet, which claims to be GDPR-compliant and ISO 27001 certified.
“Attaining the highest levels of data privacy and security is accomplishable by startups and small to medium-sized businesses, not just the big guys,” he said.
According to Mailjet, many startups rely on tactics such as adding the contact details of anyone who downloads a whitepaper to their newsletter subscription lists without obtaining consent, even though valid consent is a key requirement of the GDPR. Only 47% of respondents said they ask customers for consent before contacting them, and only 50% make it easy for customers to withdraw that consent.
However, with 63% of respondents agreeing they respect the need for data minimisation, Mailjet said small business leaders appear to be open to using techniques for growing their business that are sustainable under GDPR.
“It’s important to make the differentiation between ‘spamming’ and ‘growth hacking’,” said Alex Delivet, head growth hacker at Mailjet.
“In the past, it’s been easy to turn to tactics that consist of scraping email addresses and sending mass cold emails, but this is spamming, not savvy growth hacking. With the arrival of GDPR, these kinds of bad practices will be officially illegal and the best growth hackers will realise that there are a lot of GDPR-compliant tactics we can try.”
UK information commissioner Elizabeth Denham has repeatedly said that good data handling practices should be seen as a business enabler and opportunity.
The GDPR will bring “a more 21st century approach” to how personal data is processed, and organisations should seize the opportunity to set out a culture of data confidence in the UK, she told the ICO’s annual Data Protection Practitioners’ Conference in Manchester in March 2017.
And in May 2017, Denham called on businesses to see the benefits of sound data protection and prepare for what she termed “the biggest change to data protection law for a generation”.
According to Peter Gooch, cyber risk partner at Deloitte, some organisations are realising that if they do not build in the right privacy controls when designing processes, systems or products, that failure can have a negative impact on the business further down the line.
“They understand that by taking care of privacy issues early on they will save themselves from the pain of regulatory scrutiny and sanction in future. It will be an enabler for the things they want to do – such as big data analytics, consumer profiling and targeted marketing – because it is being done in a way that is consistent with the regulations,” he told Computer Weekly.
Similarly, Gooch believes that using data in a transparent, privacy-friendly way could become a competitive advantage. “Organisations need to understand that, through greater transparency, they will be able to grow their customer base, collect more data and monetise it more. In this way, organisations will be able to build their brand through trust because they deal with customers’ data in the correct way.”