GDPR Readiness Survey for Software and SMEs

A comprehensive GDPR Readiness Survey Report on how software companies and SMEs prepared and currently operate under the GDPR.

GDPR, you’ve heard of it, probably feared it, but you cannot ignore it. If you are like us, you wanted to get everything ready for the May implementation or, in contrast, you might have thought ‘I doubt any other startup/SME will become compliant, I won’t bother yet’. Well, we wanted to put both sides of the argument to the test and so carried out extensive research on just how GDPR ready Software Industry and SMEs are, what their problems were and how they view their activities in line with GDPR.

Why did we bother?

As a GDPR Compliance Software company, we wanted to find out the state of the market and whether our solutions is useful, as well as how we can improve to offer more value.

Although we are GDPR ready ourselves, we needed to understand some of the barriers companies are facing in becoming fully compliant, where they are in the process internally and what they think of GDPR, so we set out to investigate using a number of questions to get the most out of our respondents.

Data we collected

In this GDPR Readiness Survey, we investigated 100 different software companies and startups of varying sizes, ranging from 1-250 employees in order to get varied data from all companies across the spectrum . We collected the survey in a GDPR compliant way. Here is a breakdown of some of the demographic data we employed:

• 1-250 employee companies.
• Worldwide locations, but operate in the EU or store EU citizens' data.
• We opted for quantitative & qualitative data.
• We combined open ended questions with multiple answer questions.
• We investigated the biggest challenges SME and software companies faced in being GDPR compliant.
• We offered different aspects of GDPR requirements and requested respondents mark with which they comply with and leave blank those that they do not comply with.
• The respondent’s annual budget for compliance efforts.

What did we find?

Our results from GDPR Readiness Survey were quite surprising, and illustrated a fairly accurate environment surrounding GDPR in the real world.

Although GDPR can bring about heavy fines, we are yet to see any real world examples of these fines in full swing, and with 50% of our respondents indicating they managed GDPR compliance internally without the consultation of an external body or an external lawyer, we may see that change in the near future as those companies that misinterpreted the regulations come to light. Companies became compliant to serve their customers better, as indicated by Marcin from Survicate.

We do our best to implement services that fulfill our customers’ needs. One of the most important customers’ requirement is the security of their data. That is why for us it is paramount. Survicate understands how the fulfillment of GDPR obligations improves protection of our customers’ data.

In contrast 42% of respondents contacted a lawyer to advise on GDPR compliance, but it’s a likely trait of larger businesses to put more resources into legal help compared to the 50% who didn’t, who are smaller and so less likely to bring in external aid.

Since lawyers are important for GDPR compliance, Peter Sterkenburg from Leadfeeder wants a more robust way to prove GDPR compliance by external lawyers and third parties.

A healthy angle to responsibly consider using personal data. I really do miss proper certification mechanisms though. Still very little movement on that. I am also looking forward to the PECR and what that brings.

So how many companies were GDPR compliant?

What we found interesting though, was that 52% of survey respondents believed that they are fully GDPR compliant - an indicator that there is a lot of groundwork to cover up in small businesses and software companies industry wide. The reasons for this low number of that metric were also surprising, and that smaller businesses are less inclined to comply compared to the larger companies with more resources.

However, Joi, believed differently, CEO of Crankwheel. He said:

We took a mostly manual route with e.g. implementation of data subject rights and how we implement DPAs (it's a manual customer support procedure that we've trained our support folks in). If we see significantly more requests regarding data subject rights, or significantly more customers, we are likely to invest in tools to help with these, either built in-house or sourced externally. Same goes for our employee training etc., we are very small for now but when we grow we would be somewhat likely to invest in a tool that would help with training and compliance certification (even if not formal certification). We have a quarterly process in place to update procedures, training materials, perform new risk analysis etc. and for this, so far, Google Calendar + Google Drive (docs and spreadsheets) have proven to be enough.

Jim from Dynamic Signal spoke in the similar fashion.

Our GDPR efforts were comprehensive and we invested many cross functional resources as well as bringing in external consultants and legal support to ensure we were following all of the guidelines for GDPR and fully protecting our investors, employees, end users, and most of all our customers.

Of those that were compliant, the two main reasons for investing in GDPR compliance were in fact meeting the newly increased customer expectations and in order to circumvent the likelihood of lawsuits for non-compliance, especially given the nature of software companies and the amount of cyber threats they are up against daily.

What were our respondents reasons for lack of GDPR compliance?

Further to this, our GDPR Readiness Survey found 38% of companies believed the new regulations were too complicated, and rightly so. The idea of GDPR was to remove any kind of uncertainty or loophole opportunities from previous legislation, as well as unify the European stance on data handling and processing.

Olga, the Marketing Manager at Chanty, was also confused with the new regulation and she said:

GDPR is the 88-page monster that has struck fear into the hearts of companies slowing down growth and blocking effective marketing efforts. As a result, inboxes were swamped with GDPR consent emails that were deleted in bulk without even opening, not even speaking of giving consent. Companies had to delete entire blasts of emails from the databases that took years to build. As internet user, I don't feel the difference after May 25th. As a marketer, I feel GDPR definitely doesn't contribute to development and innovation in European business sector.

In our opinion the GDPR leaves too many grey areas in certain business environments where what should have been black and white rules are now open to interpretation. This is compounded the fact that most companies didn’t have a dedicated GDPR consultant or compliance team, with only 22% reporting compliance was managed by IT and legal.

Of those that were compliant, what steps had they taken?

Despite a clear lack of monetary investment in GDPR compliance, it was great to see that most companies, regardless of size, took steps and measures to comply with GDPR, with all software companies and SMEs we surveyed reporting that they updated their Privacy Policies to acknowledge GDPR and explain how they were taking steps to be compliant.

Adam from Better Proposal says about the GDPR:

GDPR is a step in the right direction. It's been a long time coming and it's good for businesses and consumers to have a standard in place. It's important to us to make sure people feel safe using our software and GDPR is a good "badge" to have to show you at least take it that seriously.

Software was the name of the game

The startup mentality was in fact in full swing here, as many respondents admitted to using a third party compliance software tool, instead of lawyers support, to quickly handle generating a new Privacy Policy and Cookie Consent document, although how accurate those policies are in line with GDPR and the businesses using the software is unknown.

Of all steps necessary for GDPR compliance, we found (without surprise) that vendor compliance was in fact the area with least focus from our respondents. We believe this to be not from a lack of effort, but from a lesser understanding of how to obtain the necessary documentation and agreements from third party services and data processors they were using in the course of providing their software or products. This is an area we would like to see improved by the GDPR committee, as obtaining the correct information from business critical third party processors (like analytics software, data enrichment services etc) is somewhat of a grey area, especially for smaller companies who cannot dedicate the time and resources to seek that information out from its partners.

Talking about the transparency & data processors with the third parties, Sander from Unless said:

Oddly enough, new privacy laws like GDPR have actually made it easier to do it right, by highlighting the need for transparency and compelling business owners to understand what kinds of data they collect and how they use it.

Additionally, in our GDPR Readiness Survey, 50% of software companies and SMEs we surveyed indicated that they had conducted Data Protection Impact Assessment and Data Mapping, which is a good foundation for compliancy but there is clearly room for improvement. As expected, due to the small size of most of our respondents, the budget to invest in GDPR compliancy was only €5000 annually, so it would be unfair to expect full compliancy soon after the regulations’ effective date.

GDPR Readiness Key Statistics

Overall, GDPR readiness in software companies and SMEs is an ever changing, dynamic landscape of variable compliance levels depending on budget, size of company and departmental dedication.

With regards to GDPR compliance in software companies and SMEs, what we gathered overall illustrated the following:

• More than 52% of the companies surveyed think they are GDPR complaint (according to our GDPR Readiness Survey).
• The two biggest reasons for investing in compliancy was the fear of lawsuits and meeting customer expectations.
• 38% of companies think that the law is too complicated.
• All customers have updated their privacy policy documentation in line with GDPR.
• Privacy Policy and Cookie Consent documents are compiled using third party software tools instead of internally for the majority of respondents.

48% of surveyed companies think that GDPR has neither a positive nor negative impact on their business operations.

If you're still trying to learn more about the GDPR and want to become compliant. Get this free GDPR Guidebook.

Appendix:

Below are the questions and survey results from our GDPR Readiness Survey for your own interpretation

Below is a list of those companies which supported this survey and agreed to the publication of their names.

Aazar Ali Shad is the former Co-Founder of ECOMPLY, and has more than 5 years of SaaS Experience. He is a huge privacy enthusiast.

Userpilot - User Onboarding & Product Adoption Software

https://salesflare.com - An Intelligent Sales CRM for teams who thrive on technology

https://www.poptin.com - A Lead Conversion Platform

https://lemlist.com - A Conversational Email Outreach Platform

https://www.visitor-analytics.io/ - The friendliest way to view your website statistics

https://www.proposify.com/ - Get the business proposal software that streamlines the creation of quotes, contracts, and other sales documents

dynamicsignal.com - The Employee Communication and Engagement Platform

https://crankwheel.com/ - CrankWheel enables you to add a visual presentation to your phone call in 10 seconds flat. Any browser, any device, works every time.

https://contentstudio.io - The only platform you will ever need for your content marketing and Social media management.

https://www.growthdynasty.com - A Tech Marketing Agency

Publbox.com - Now You Can Create, Organize and Automate All Your Social Media - From One Place

AcademyOcean.com - Use Academies to get new leads and to turn them into loyal customers

www.albacross.com - Albacross tells you exactly who’s visiting your website and how to reach them..

www.sendpilot.co - You won't need a social media team if you use SendPilot

www.meetnlearn.com - Marketplace for online & offline tutoring

www.wunderx.com - Enabling Equipment Data Mining: Edge is coming.

starhunter.com - All-in-One Solution for Recruitment Agencies

https://www.heysuccess.com/ - a default platfrom for international student mobility and recruitment.

https://kyvio.com - We Help Trainers and Coaches Sell More, Sell Faster

https://www.receptive.io - Leading B2B SaaS companies use Receptive to build winning products

https://www.sendinblue.com/ - SendinBlue empowers businesses to build and grow relationships through marketing campaigns, transactional messaging and marketing automation.

ryd.one - Your Car Assistant

https://www.chanty.com - Join Chanty – simple AI-powered team chat. Get unlimited message history free forever.

https://betterproposals.io - Online Proposal Software

https://demio.com - A Webinar Platform Built for Marketing

https://www.flipsnack.com - Digital flipbook maker for stunning magazines

https://survicate.com - Survicate is the fastest way to collect feedback from customers.

Easyecom.io - Best inventory management software, a key to rule in eCommerce industry

Vogueestates.com - The Real Estate Solution

https://competitors.app - Track Competitors Software Tool

https://rocketlink.io - Track and retarget any link you share

http://www.subbly.co/ - A subscription ecommerce platform for entrepreneurs & marketers

www.munevo.com - Munevo wants to support people with disabilities to live independently by using smart technology

https://unless.com/ - Personalize your website to give your visitors the unique experience they deserve.

www.climedo.de - The intelligent research database with integrated electronic research management

https://nightwatch.io/ - The All-in-one SEO Tool

Folder Security - NTFS Permissions Analyzer

‍