We analyzed 93,000 SME websites in Germany, Austria and the UK to better understand their compliance with GDPR rules. Specifically, we looked at four key factors that make up the fundamentals of SME website GDPR compliance.
In short, it’s not looking good for SME websites.
You’re probably asking yourself: “How does this help me as a digital marketing agency?!” Answer: There is a huge opportunity to educate your SME clients about their responsibilities when it comes to data protection law and to help them get compliant 💪 🎉
SMEs failing to adhere to the GDPR could face a serious fine, depending on the severity of the breach.
Source: GDPR.EU/Fines
From the above table, you can understand the importance of being GDPR compliant.
Let’s get right into the data.
GDPR is a complex regulation, but for SMEs and their websites, it is relatively straightforward. At a fundamental level, SMEs should be providing their website visitors clear information on what data is collected, how it is/could be used, and the option to actively opt-in (versus opt-out) when filling out forms.
To keep it simple, we looked to see if a website has the following four things: SSL (HTTPS) encryption, a privacy policy, a cookie banner, and a cookie policy.
Note that GDPR compliance is a complex legal issue – the presence (or lack) of these factors is no guarantee of compliance (or violation). Always check with a legal professional if you’re concerned about any data privacy matters.
Only 11% of websites were failing to use SSL to encrypt customer data in transit. While using SSL is not in itself a GDPR requirement, businesses are responsible, as a data controller or a data processor, for keeping personal information secure, and SSL helps to do that.
This is a good result and is possibly related to hosting companies bundling this as part of their offer, heightened awareness of security, and the increased use of eCommerce tools by SMEs.
With privacy issues regularly making front-page news, it is shocking that 63% of our sample don’t have a privacy policy on their website. Not only is there a legal requirement for a privacy policy, but it is also required by third parties such as Google and Apple. For example, websites using Google Analytics must have a posted privacy policy as part of Google’s terms of service.
While some argue that having a Privacy Policy builds trust, the only argument that really stands up is the legal one. If you don’t have it, you are probably violating the law, and a consumer can pursue you through the appropriate regulatory and legal channels.
Many people are annoyed at having to dismiss cookie banners when visiting a website, but gaining consent is a requirement if you have EU visitors and you track/collect personal data. The cookie banner meets a key requirement in GDPR – you must gain active consent, and it is not sufficient to merely allow visitors to “opt-out”.
The good news for “cookie banner haters” is that over 50% of our sample didn’t have one. The bad news for the businesses is they could be violating the law.
Remember, while today there is a focus on cookies, the law is not just a “cookie” law. It is broad enough to cover any tracking tools and technologies, such as local storage. It will also apply to any new solutions that come on the market.
Going hand-in-hand with a cookie banner is having a cookie policy that clearly spells out what cookies are active on your site, their purpose, what user information/data they track and where the data is sent/processed. Sometimes this is included as part of the privacy policy or listed within the cookie banner.
That said, approximately 50% of the websites in our study did not link to a stand-alone cookie policy.
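The four factors above can be checked automatically for a single page. The script below is an added example, not Insites' audit code: it parses a page's HTML with Python's standard library and reports whether the page is served over HTTPS, links to a privacy policy, shows a cookie consent banner (a container whose id/class mentions cookie/consent/gdpr plus a consent button) and links to a cookie policy. The keyword lists (including the German "Datenschutz") and the two sample pages are constructed assumptions for the demo, and a real audit would fetch live pages and tolerate many more phrasings.

```python
"""Heuristic checker for the four GDPR website factors: HTTPS, privacy
policy link, cookie banner, cookie policy link.  Added example; the keyword
heuristics below are assumptions, not a legal test of compliance."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed keyword lists: English plus German ("Datenschutz" = data protection).
PRIVACY_WORDS = ("privacy", "datenschutz")
COOKIE_POLICY_WORDS = ("cookie",)                       # matches "cookie policy", "cookies"
CONSENT_BUTTON_WORDS = ("accept", "agree", "consent", "akzeptieren", "zustimmen")
CONSENT_CONTAINER_RE = re.compile(r"cookie|consent|gdpr", re.I)


class _Collector(HTMLParser):
    """Collect anchor (href, text) pairs, button texts and whether any element
    has an id/class that looks like a consent banner container."""

    def __init__(self):
        super().__init__()
        self.links = []            # list of (href, visible text)
        self.buttons = []          # visible text of <button> elements
        self.consent_container = False
        self._link = None          # [href, text] while inside <a>
        self._button = None        # text fragments while inside <button>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._link = [a.get("href") or "", ""]
        elif tag == "button":
            self._button = []
        ident = " ".join(v for v in (a.get("id"), a.get("class")) if v)
        if CONSENT_CONTAINER_RE.search(ident):
            self.consent_container = True

    def handle_data(self, data):
        if self._link is not None:
            self._link[1] += data
        if self._button is not None:
            self._button.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._link is not None:
            self.links.append(tuple(self._link))
            self._link = None
        elif tag == "button" and self._button is not None:
            self.buttons.append("".join(self._button))
            self._button = None


def audit(url, html):
    """Return a dict with True/False for each of the four factors."""
    p = _Collector()
    p.feed(html)

    def link_matches(words):
        return any(w in (href + " " + text).lower() for href, text in p.links for w in words)

    has_consent_button = any(w in b.lower() for b in p.buttons for w in CONSENT_BUTTON_WORDS)
    return {
        "https": urlparse(url).scheme == "https",
        "privacy_policy": link_matches(PRIVACY_WORDS),
        "cookie_banner": bool(p.consent_container and has_consent_button),
        "cookie_policy": link_matches(COOKIE_POLICY_WORDS),
    }


def failure_rates(audits):
    """Share of audited sites failing each factor (the kind of figure quoted above)."""
    n = len(audits)
    return {k: sum(1 for a in audits if not a[k]) / n for k in audits[0]}


# Constructed sample pages (not real sites): one with all four factors, one with none.
GOOD_HTML = """<html><body>
<div id="cookie-consent">We use cookies. <a href="/cookie-policy">Cookie policy</a>
  <button>Accept all</button> <button>Reject</button></div>
<p>Welcome to our shop.</p>
<footer><a href="/datenschutz">Datenschutzerklärung</a></footer>
</body></html>"""

BAD_HTML = """<html><body><h1>Village Bakery</h1>
<a href="/about">About us</a> <a href="/contact">Contact</a>
</body></html>"""

if __name__ == "__main__":
    results = [audit("https://shop.example/", GOOD_HTML), audit("http://bakery.example/", BAD_HTML)]
    for r in results:
        print(r)
    print("failure rates:", failure_rates(results))
```

Running the script prints a dict per site and the share of sites failing each factor; as the article notes, passing these heuristics is evidence of the basics being present, not a legal finding of compliance.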
Nothing much seems to have changed since the GDPR.eu study in 2019. Some have embraced the requirements, and others are still “meh 🤷🏻♀️”.
Today, there is very little enforcement activity against SMEs, as regulators focus on the practices of tech giants. If a regulator really wanted to do something about this, they could, but it remains to be seen when or if regulators will turn their attention to the SME market.
As GDPR matures, it will be worth following the development of tracking, processing and storing of personal data. We are all working to help SMEs put their best foot forward online, and the Insites digital audit can quickly and easily identify GDPR issues to help bring SMEs into compliance.