We asked 716 small business leaders in Europe about their GDPR compliance. Their answers suggest widespread ignorance about data security tools and loose adherence to the law’s key privacy provisions.

One year after the EU’s General Data Protection Regulation entered into force, we were curious to learn more about how the law would affect the 23 million small businesses in Europe and whether they were struggling to comply. Owners, managers, and other GDPR-compliance supervisors answered our questions from all over Spain, the United Kingdom, France, and Ireland. What we found surprised us.


You can read the full report for more details about our findings and our methodology. But here are some of the key takeaways and results that surprised us most:

  • Around half of small businesses are failing GDPR compliance on two crucial requirements. The GDPR requires companies to describe data processing activities in clear, plain language to data subjects. It also requires businesses to identify a lawful basis for using someone’s data. Around half of respondents were not completely sure they complied with either of these two provisions.
  • Many business leaders are confused about basic data security concepts, like encryption. When we asked whether they used end-to-end encrypted email, about two-thirds said yes. But when we asked these people to identify the service, only about 9% named one. “VPN,” “Mailchimp,” and “Dropbox” were among the responses. Seven Irish respondents said their end-to-end encrypted cloud storage provider was “Reddit.”
  • Small businesses have invested heavily in GDPR compliance. We were surprised to learn that over half of small businesses report spending between €1,000 and €50,000 on GDPR compliance, including consultants and technology. Yet despite these costs, most said they did not believe the GDPR would slow the growth of their business.
  • While some respondents said they did not believe regulators would bother imposing penalties against small businesses, many more cited fear of fines as their main reason for complying with the GDPR. Here’s one explanation that was typical of several responses: “We are the easy hits. Big companies can afford lawyers to fight in their corner. We can’t so are seen as easy targets.”

More excerpts from the survey, along with graphs and data, are available in the full 2019 GDPR Small Business Survey.