• by Jess Nelson , January 29, 2018

A study of 4,000 startups from the United States and Europe reveals an alarming lack of preparation for the European Union’s General Data Protection Regulation (GDPR). 

Mailjet, an email service provider based in Paris, surveyed more than 4,0000 startups to test their level of preparation for the upcoming implementation of the data privacy regulation on May 25.

The average GDPR-readiness score across 4,300 startups located in France, the U.K., the U.S., Belgium and Germany was a woeful 4.1 out of 10 according to Mailjet’s analysis. The banking and insurance verticals were most prepared for the implementation of GDPR, while the construction and real estate industry was the least prepared.

More than 90% of startups acknowledged collecting personal data, but the majority do not comply with the data protections laid out in GDPR. Only 29% of startups encrypt their data, and only 34% have a data breach notification plan. Furthermore, only 47% of startups polled by Mailjet ask for consent before collecting data, and only half have made it easy for customers to withdraw their consent.

Adopted by the European Parliament and Council in 2016, GDPR addresses the use of personal data by organizations and businesses. The legislation unifies data protection for all individuals residing in the European Union, but it is not solely restricted to organizations located within the European Union. Any business that communicates with E.U. residents must abide by GDPR or face potentially catastrophic fines. 

The penalties for non-compliance could cripple startups, as article 58 of the GDPR grants the supervisory authority the power to impose administrative fines. Fines are calculated based on several factors, such as the gravity of the infringement and whether or not data controllers and processors took any steps to mitigate the damage.

Organizations will be fined the greater of €10 million or 2% of the global annual turnover from the previous year if it is determined that their non-compliance is related to technical measures such as breach notifications. If the non-compliance relates to key provisions of the GDPR, organizations can be fined the greater of €20 million or 4% of the global annual turnover from the previous year.

Considering the financial ramifications of not complying with the GDPR, any startup utilizing data from European residents needs to make GDPR compliance a priority over the next four months.