Two-thirds of start-ups aren’t data compliant ahead of GDPR

International research by Mailjet reveals startups are completely ill-prepared for GDPR, with many falling behind around consent and contingency planning.

With the intention of bringing awareness about GDPR to startups, email service provider Mailjet commissioned an international survey (launched on Product Hunt), asking startups to rate where their company stands in terms of key requirements of the new regulation which will come into effect May 25th, 2018.

Of over 4,000 startups who completed the quiz, primarily based in the UK and France, the average GDPR-readiness score was a disappointing 4.1 out of 10, with the banking and insurance vertical scoring the highest (4.4) and construction and real-estate scoring the lowest (3.2).

Ready to take data, but not responsibility

Despite the low level of compliance, 91 per cent of startups report collecting personal data from their clients. Interestingly this figure does not fluctuate drastically across startup verticals. Banking and insurance scored the highest at 93 per cent while the lowest was only 8 per cent lower (85 per cent, scored by the hospitality and tourism sector). This tells us that regardless of startup industry, personal data collection is at the heart of nearly all startups.

The fact that startups collect customer data may not be shocking. What was surprising was the lack of responsibility startups show towards the protection of this data. Only 29 per cent of startups actually encrypt their collected data while a sad 34 per cent have a data breach notification plan.

‘Launching a startup today means doing so amongst a sea of pre-existing regulations, and the best founders won’t ignore this. They have an opportunity to build their systems right from the very beginning and avoid penalties such as those GDPR will impose. Mailjet itself is now GDPR-compliant and ISO 27001 certified, which shows that attaining the highest levels of data privacy and security IS something accomplishable by SMBs and startups, and not just the big guys,’ says Pierre Puchois, chief technology officer at Mailjet.

Classic growth hacking is gone

Classic growth hacks – scraping LinkedIn email addresses, adding contacts who have downloaded whitepapers to the newsletter list – lack a key requirement upcoming in the new GDPR regulations, consent. Only 47 per cent of quiz respondents report always asking their customers for their consent prior to contacting them. Worse yet, only 50 per cent of respondents make it easy for customers to withdraw their consent.

However it’s not all doom and gloom. With 63 per cent of respondents agreeing they respect the need for data minimisation i.e. the reduction of the amount of data held beyond what is strictly necessary for purpose, we can expect small business leaders to be open to new growth hacking techniques that are sustainable in a post-GDPR world.

‘It’s important to make the differentiation between ‘spamming’ and ‘growth hacking.’ Over the past years, it’s been easy to turn to tactics that consist of scraping email addresses and sending mass cold emails. This is spamming, not savvy growth hacking. With the arrival of GDPR, these kind of bad practices will be officially illegal and the best growth hackers will realise that there are a lot of GDPR-compliant tactics we can try,’ Alex Delivet is head growth hacker at Mailjet.

Further reading on GDPR

Owen Gough, SmallBusiness UK

Owen Gough

Owen was a reporter for Bonhill Group plc writing across the and titles before moving on to be a Digital Technology reporter for the

Related Topics