91% of startups admit they are ill-prepared for GDPR

91% of startups admit they are ill-prepared for GDPR

International research by Mailjet reveals startups are completely ill-prepared for GDPR, with many falling behind around consent and contingency planning.

With the intention of bringing awareness about GDPR to start-ups, email service provider Mailjet commissioned an international survey (launched on Product Hunt), asking start-ups to rate where their company stands in terms of key requirements of the new regulation which will come into effect May 25th, 2018.

Of over 4,000 start-ups who completed the quiz, primarily based in the UK and France, the average GDPR-readiness score was a disappointing 4.1 out of 10, with the banking and insurance vertical scoring the highest (4.4) and construction and real-estate scoring the lowest (3.2).


Ready to take data, but not responsibility

Despite the low level of compliance, 91% of start-ups report collecting personal data from their clients. Interestingly this figure does not fluctuate drastically across start-up verticals. Banking and insurance scored the highest at 93% while the lowest was only 8% lower (85%, scored by the hospitality and tourism sector). This tells us that regardless of start-up industry, personal data collection is at the heart of nearly all start-ups.

The fact that start-ups collect customer data may not be shocking. What was surprising was the lack of responsibility start-ups show towards the protection of this data. Only 29% of start-ups actually encrypt their collected data while a sad 34% have a data breach notification plan.

Pierre Puchois, CTO of Mailjet, said: “Launching a start-up today means doing so amongst a sea of pre-existing regulations, and the best founders won’t ignore this. They have an opportunity to build their systems right from the very beginning and avoid penalties such as those GDPR will impose. Mailjet itself is now GDPR-compliant and ISO 27001 certified, which shows that attaining the highest levels of data privacy and security IS something accomplishable by SMBs and start-ups, and not just the big guys."


Classic growth hacking is gone

Classic growth hacks - scraping LinkedIn email addresses, adding contacts who have downloaded whitepapers to the newsletter list - lack a key requirement upcoming in the new GDPR regulations, consent. Only 47% of quiz respondents report always asking their customers for their consent prior to contacting them. Worse yet, only 50% of respondents make it easy for customers to withdraw their consent.

However it’s not all doom and gloom. With 63% of respondents agreeing they respect the need for data minimisation i.e. the reduction of the amount of data held beyond what is strictly necessary for purpose, we can expect small business leaders to be open to new growth hacking techniques that are sustainable in a post-GDPR world.

“It’s important to make the differentiation between ‘spamming’ and ‘growth hacking.’ Over the past years, it’s been easy to turn to tactics that consist of scraping email addresses and sending mass cold emails. This is spamming, not savvy growth hacking. With the arrival of GDPR, these kind of bad practices will be officially illegal and the best growth hackers will realise that there are a lot of GDPR-compliant tactics we can try.” - Alex Delivet, Head Growth Hacker, Mailjet.