Who is GDPR Ready? This article was written before 25th May 2018.
Given all this hype surrounding the General Data Protection Regulations (GDPR), among companies and consumers alike, we just could not help but get curious. So who out of the big, famous companies are actually GDPR Ready?
So we did a little, cheeky experiment and e-mailed these companies to find out if they were aware of the legislation and what data they had on us.
Due to the enforcement of the GDPR, you can request companies to give you all the data they have on you. You can also ask them to delete it and forget you. This is primarily how GDPR empowers us as consumers. For companies to be GDPR ready, they need to have processes in place to deal with these requests.
Essentially, in GDPR terminology, we made a Data Subject Request to check which companies were aware of the coming GDPR and subsequently preparing for it.
In total, we reached out to 200 companies and tested them on two things: awareness and readiness. We assigned six people to write to different companies. One of them wrote to companies from Spain, three from Germany and one from United Kingdom (UK). So let’s summarise the results by geographic location.
We wrote to companies in the United Kingdom (UK) recently.
From their replies, we gauged that 50% of these companies were aware of the coming regulation however, only 10% of them were ready to cope with the Data Subject Requests. So we got a full excel sheet with our entire data sent to us from the ones that were ready. However, after the initial response the excel sheet was usually sent to us later which is acceptable under the GDPR (note: GDPR allows the company 40 days to respond).
Also, one of the “aware” companies clearly explained that they were engaged in a variety of activities to become GDPR compliant and at the moment could not provide a machine-readable format of the data. This was definitely a sign that the company was well aware and in the process of preparing for the GDPR.
We reached out to ten companies which include names like Vodafone, Santander, and Groupon among others. We found that 28% of these companies were ambiguously aware of it but none of these companies were ready for the enforcement of the GDPR. It could be and is rather likely that since then, they have at least made progress in awareness of the GDPR and are in the process of preparing for it.
However, we only say ambiguously aware because the responses we got from them indicated that out of those who were aware of it: they either only had a specialized email address for GDPR related queries which ended up bouncing anyway or asked to show up in person. Therefore, the awareness that they did have was not clearly translated.
Before we start, here it is important to consider that we reached out to a lot more companies in Germany than anywhere else. We are based in Germany and of course, are knowingly a little biased.
The hub of data protection and the place is known to be the most sensitive to data privacy lived up to its reputation.
Almost 63% of the companies, were actually ready for the GDPR. These companies included the big automotive companies like Mercedes, BMW, and Porsche. Moreover, 5% of these companies were aware of the GDPR and working towards it. So all in all, the German market seems to be quite aware of what the GDPR entails and are working towards it.
On average the response time of these companies was about 3 days and the latest one was not any later than 7 days. This was definitely a positive indicator on readiness.
We also sent an email to companies like Whatsapp, Snapchat, Booking.com, Disney and Instagram to find out if these popular companies were ready. However, we found out that none of them were ready and we were unable to assess if they were aware or not. Keep in mind that these Data Subject Requests were sent to them early 2018 so it is possible that they are by now compliant. Time needed to be fully compliant actually depends on several factors including but not limited to company size and number or processes.
These companies either did not reply to our request or we got a general automated message from them.
We also realised that no response could either mean that these companies are either in the middle of their blazing GDPR activities (quite unlikely), or they do not know of the GDPR and its implications (quite unlikely and sad if true) or that they just do not care enough at this point (likely).
To be fair, a lot of companies are still in the process of researching and figuring out exactly to do with the GDPR. For instance, we asked Woodpecker and one of our customers: Combyne on how they went about the process. Moreover, training and development of the employees especially in the field of customer service is on-going for most companies. So that in itself could be a factor why we assessed the companies as unaware since we only judged it through the replies we got.
Compliance will most likely be a high priority for companies if after enforcement, data authorities actually crack down on non-compliant companies and issue the dreaded fines.