We analyzed 93,000 SME websites in Germany, Austria and the UK to better understand their compliance with GDPR rules. Specifically, we looked at four key factors that make up the fundamentals of SME website GDPR compliance.
In short, it’s not looking good for SME websites.
You’re probably asking yourself: “How does this help me as a digital marketing agency?!” Answer: There is a huge opportunity to educate your SME clients about their responsibilities when it comes to data protection law and to help them get compliant 💪 🎉
SMEs failing to adhere to the GDPR could face a serious fine, depending on the severity of the breach.
From the above table, you can understand the importance of being GDPR compliant.
Let’s get right into the data.
GDPR is a complex regulation, but for SMEs and their websites, it is relatively straightforward. At a fundamental level, SMEs should be providing their website visitors with clear information on what data is collected, how it is/could be used, and the option to actively opt in (versus opt out) when filling out forms.
To keep it simple, we looked to see if a website has the following:
Note that GDPR compliance is a complex legal issue – the presence (or lack) of these factors is no guarantee of compliance (or violation). Always check with a legal professional if you’re concerned about any data privacy matters.
Only 11% of websites were failing to use SSL to encrypt customer data. While it is not necessary to use SSL to be GDPR compliant, businesses acting as a data controller or a data processor are responsible for keeping information secure, which SSL helps to do.
This is a good result and is possibly related to hosting companies bundling this as part of their offer, heightened awareness of security, and the increased use of eCommerce tools by SMEs.
Many people are annoyed by having to dismiss cookie banners when visiting a website, but gaining consent is a requirement if you have EU visitors and you track/collect personal data. The cookie banner meets a key requirement in GDPR – you must gain active consent and it is not sufficient to merely allow visitors to “opt-out”.
The good news for “cookie banner haters” is that over 50% of our sample didn’t have one. The bad news for the businesses is they could be violating the law.
Remember, while today there is a focus on cookies, the law is not just a “cookie” law. It is broad enough to cover any tracking tools and technologies such as local storage. It will also apply to any new solutions that come on the market.
Nothing much seems to have changed since the GDPR.eu study in 2019. Some have embraced the requirements, and others are still “meh 🤷🏻♀️”.
Today, there is very little enforcement activity on SMEs as regulators focus on the practices of tech giants. If a regulator really wanted to do something about this, they could, but it remains to be seen when or if regulators will turn their attention to the SME market.
As GDPR matures, it will be worth following the development of tracking, processing and storing of personal data. We are all working to help SMEs put their best foot forward online, and the Insites digital audit can quickly and easily identify GDPR issues to help bring SMEs into compliance.
17th October 2019
25th January 2021