A comprehensive GDPR Readiness Survey Report on how software companies and SMEs prepared and currently operate under the GDPR.
GDPR: you’ve heard of it, probably feared it, but you cannot ignore it. If you are like us, you wanted to get everything ready for the May implementation or, in contrast, you might have thought ‘I doubt any other startup/SME will become compliant, I won’t bother yet’. We wanted to put both sides of the argument to the test, so we carried out extensive research on just how GDPR-ready the software industry and SMEs are, what their problems were and how they view their activities in line with GDPR.
Why did we bother?
As a GDPR compliance software company, we wanted to find out the state of the market, whether our solution is useful, and how we can improve to offer more value.
Although we are GDPR ready ourselves, we needed to understand some of the barriers companies are facing in becoming fully compliant, where they are in the process internally and what they think of GDPR, so we set out to investigate using a number of questions to get the most out of our respondents.
Data we collected
In this GDPR Readiness Survey, we investigated 100 different software companies and startups of varying sizes, ranging from 1-250 employees, in order to get varied data from companies across the spectrum. We collected the survey in a GDPR compliant way. Here is a breakdown of the demographic data we collected and how we structured the survey:
1-250 employee companies.
Worldwide locations, but operate in the EU or store EU citizens’ data.
We opted for quantitative & qualitative data.
We combined open ended questions with multiple answer questions.
We investigated the biggest challenges SME and software companies faced in being GDPR compliant.
We listed different aspects of the GDPR requirements and asked respondents to mark those with which they comply and leave blank those with which they do not.
The respondent’s annual budget for compliance efforts.
What did we find?
Our results from the GDPR Readiness Survey were quite surprising, and give a fairly accurate picture of how GDPR is handled in the real world.
Although GDPR can bring about heavy fines, we are yet to see any real world examples of these fines in full swing. With 50% of our respondents indicating that they managed GDPR compliance internally, without consulting an external body or an external lawyer, we may see that change in the near future as the companies that misinterpreted the regulations come to light. Companies became compliant to serve their customers better, as indicated by Marcin from Survicate.
We do our best to implement services that fulfill our customers’ needs. One of our customers’ most important requirements is the security of their data. That is why for us it is paramount. Survicate understands how the fulfillment of GDPR obligations improves protection of our customers’ data.
In contrast, 42% of respondents contacted a lawyer to advise on GDPR compliance. Putting more resources into legal help is a likely trait of larger businesses, whereas the 50% who didn’t are smaller and so less likely to bring in external aid.
Since lawyers are important for GDPR compliance, Peter Sterkenburg from Leadfeeder wants a more robust way for external lawyers and third parties to certify GDPR compliance.
A healthy angle to responsibly consider using personal data. I really do miss proper certification mechanisms though. Still very little movement on that. I am also looking forward to the PECR and what that brings.
So how many companies were GDPR compliant?
What we found interesting, though, was that only 52% of survey respondents believed that they are fully GDPR compliant – an indicator that there is still a lot of groundwork to cover in small businesses and software companies industry wide. The reasons behind this low figure were also surprising, and showed that smaller businesses are less inclined to comply compared with larger companies that have more resources.
However, Joi, CEO of Crankwheel, believed differently. He said:
We took a mostly manual route with e.g. implementation of data subject rights and how we implement DPAs (it’s a manual customer support procedure that we’ve trained our support folks in). If we see significantly more requests regarding data subject rights, or significantly more customers, we are likely to invest in tools to help with these, either built in-house or sourced externally. Same goes for our employee training etc.; we are very small for now, but when we grow we would be somewhat likely to invest in a tool that would help with training and compliance certification (even if not formal certification). We have a quarterly process in place to update procedures, training materials, perform new risk analysis etc. and for this, so far, Google Calendar + Google Drive (docs and spreadsheets) have proven to be enough.
Our GDPR efforts were comprehensive and we invested many cross-functional resources as well as bringing in external consultants and legal support to ensure we were following all of the guidelines for GDPR and fully protecting our investors, employees, end users, and most of all our customers.
Of those that were compliant, the two main reasons for investing in GDPR compliance were meeting newly raised customer expectations and reducing the likelihood of lawsuits for non-compliance, especially given the nature of software companies and the number of cyber threats they are up against daily.
What were our respondents’ reasons for lack of GDPR compliance?
Further to this, our GDPR Readiness Survey found 38% of companies believed the new regulations were too complicated, and rightly so. The idea of GDPR was to remove any kind of uncertainty or loophole opportunities from previous legislation, as well as unify the European stance on data handling and processing.
Olga, the Marketing Manager at Chanty, was also confused by the new regulation. She said:
GDPR is the 88-page monster that has struck fear into the hearts of companies, slowing down growth and blocking effective marketing efforts. As a result, inboxes were swamped with GDPR consent emails that were deleted in bulk without even being opened, not even speaking of giving consent. Companies had to delete entire blasts of emails from the databases that took years to build. As an internet user, I don’t feel the difference after May 25th. As a marketer, I feel GDPR definitely doesn’t contribute to development and innovation in the European business sector.
In our opinion the GDPR leaves too many grey areas in certain business environments, where what should have been black and white rules are now open to interpretation. This is compounded by the fact that most companies didn’t have a dedicated GDPR consultant or compliance team, with only 22% reporting that compliance was managed by IT and legal.
Of those that were compliant, what steps had they taken?
Despite a clear lack of monetary investment in GDPR compliance, it was great to see that most companies, regardless of size, took steps and measures to comply with GDPR. All of the software companies and SMEs we surveyed reported that they updated their Privacy Policies to acknowledge GDPR and explain the steps they were taking to be compliant.
GDPR is a step in the right direction. It’s been a long time coming and it’s good for businesses and consumers to have a standard in place. It’s important to us to make sure people feel safe using our software and GDPR is a good “badge” to have to show you at least take it that seriously.
Software was the name of the game
Of all the steps necessary for GDPR compliance, we found (unsurprisingly) that vendor compliance was the area with the least focus from our respondents. We believe this is not due to a lack of effort, but to a weaker understanding of how to obtain the necessary documentation and agreements from the third party services and data processors they use in the course of providing their software or products. This is an area we would like to see improved by the GDPR committee, as obtaining the correct information from business critical third party processors (like analytics software, data enrichment services etc.) is somewhat of a grey area, especially for smaller companies that cannot dedicate the time and resources to seek that information out from their partners.
On transparency and data processing by third parties, Sander from Unless said:
Oddly enough, new privacy laws like GDPR have actually made it easier to do it right, by highlighting the need for transparency and compelling business owners to understand what kinds of data they collect and how they use it.
Additionally, in our GDPR Readiness Survey, 50% of the software companies and SMEs we surveyed indicated that they had conducted a Data Protection Impact Assessment and data mapping, which is a good foundation for compliance, but there is clearly room for improvement. As expected, due to the small size of most of our respondents, the budget to invest in GDPR compliance was only €5000 annually, so it would be unfair to expect full compliance soon after the regulation’s effective date.
GDPR Readiness Key Statistics
Overall, GDPR readiness in software companies and SMEs is an ever changing, dynamic landscape of variable compliance levels depending on budget, size of company and departmental dedication.
With regards to GDPR compliance in software companies and SMEs, what we gathered overall illustrated the following:
More than 52% of the companies surveyed think they are GDPR compliant (according to our GDPR Readiness Survey).
The two biggest reasons for investing in compliance were the fear of lawsuits and meeting customer expectations.
38% of companies think that the law is too complicated.
48% of surveyed companies think that GDPR has neither a positive nor negative impact on their business operations.