With four months to go, you’d be forgiven for believing that most startups are ready for when the General Data Protection Regulation (GDPR) comes into effect on May 25. But despite the threat of hefty fines, it seems as if most firms still aren’t compliant, according to new research from Mailjet, the email-service provider.
Having surveyed over 4,000 startups primarily based in the UK and France, the researchers revealed that 91% of enterprises are collecting personal data from clients but only 29% of them encrypt it. And even though GDPR will require companies to inform regulators within 72 hours after a breach, just over a third have a data-breach notification plan in place.
While it’s worrying that a significant number of startups don’t encrypt data or have a notification plan in place, it’s even more shocking that an even bigger number of firms also failed the GDPR’s basic consent requirements. Under the new legislation, companies must ask clients for their explicit consent to use their data and give them the right to withdraw it at any time. Given the focus the legislation puts on this, it’s surprising that only 47% asked their customers for permission prior to contacting them. Moreover, just half of the respondents make it easy for customers to withdraw their consent.
Commenting on the survey, Pierre Puchois, CTO at Mailjet, said: “Launching a startup today means doing so amongst a sea of pre-existing regulations and the best founders won’t ignore this. They have an opportunity to build their systems right from the very beginning and avoid penalties such as those GDPR will impose.”
Following a few years in which everyone from tech giants like Uber to SMEs has been breached and had clients’ personal data stolen, it’s worrying that many startups are still not compliant with these regulations. Hopefully, this research will serve as a wake-up call for those who have not yet brought themselves up to speed.