Many disruptive businesses have been built on data. Knowing how to reach customers based on their preferences and behaviours has enabled them to get ahead of the established players because the customer experience they provide is more personalised and relevant.

The UK has a thriving startup scene. In fact, last year the number of UK startups rose to a new record with nearly 660,000 companies established. This was up from 608,000 in 2015, according to the Centre for Entrepreneurs.

However, worryingly, our recent research revealed that global startups are completely ill-prepared for GDPR. This will have a detrimental effect to the way data driven businesses operate and the future of these small businesses driving a positive impact on our economy currently. The findings that many startups are falling behind around consent and contingency planning are surprising, especially considering that GDPR comes in effect in just a few months’ time.

Startups not ready for the financial consequences

Of the 4,000 startups who completed our quiz about how they manage consumers’ data, 91% admitted that they are collecting personal data from customers, however nearly two-thirds aren’t data compliant. When asked to rank themselves on GDPR readiness, the average score was a low 4.1 out of 10. The banking and insurance vertical scored the highest (4.4) and construction and real-estate scored the lowest (3.2).

Only 29% of startups actually encrypt the data they collect, whilst just 34% have a data breach notification plan in place. Only 47% of respondents report always asking their customers for their consent prior to contacting them. Worse yet, only 50% of respondents make it easy for customers to withdraw their consent.

With the impending arrival of the regulation, the impact on these businesses will be huge if they’re not ready to operate within the lines of the law and their ability to do business will be affected. In addition, the fines are huge so not taking action on getting ready for GDPR will have serious financial consequences. If a company fails to comply with these new rules, it can be sanctioned with a fine equal to up to 4% of its yearly turnover, or 20 million euros, whichever is higher.

Goodbye to typical grow hacks

There are classic growth hacks that have been useful to startups looking to grow their base of customers quickly but following the implementation of GDPR these won’t be able to be used. Tactics such as scraping LinkedIn email addresses and adding contacts who have downloaded whitepapers to the newsletter list, or purchasing lists of contact details from third party providers will not work as consumers do not provide consent beforehand.

With this in mind companies will have to change how they approach growing their databases. Only 47% of quiz respondents report always asking their customers for their consent prior to contacting them and only 50% of respondents make it easy for customers to withdraw their consent. These types of approaches will need to change quickly.

There are opportunities to build customer contact systems from the very beginning to avoid the penalties GDPR will impose. Creative email communications that allow brands to achieve consent and deliver tailored, personal communications will enable them to build long lasting relationships. Startups can see the value of this too; in fact 63% of the respondents agree there is the need for data minimisation. The reduction of the amount of data held beyond what is strictly necessary for purpose should provide an opportunity to improve how brands interact with their audiences.

No excuses for startups

As a result of GDPR startups will also be encouraged to think about how they hold data. Take the recent hack of the MyFitnessPal app, recent reports note that 150 million users data was exposed including usernames and passwords… It just isn’t good enough. Whilst growth hacking is under the spotlight for startups, for these businesses built mainly on customer data, it is equally important to ensure they are responsible and protect it at all costs. A surefire way to do this would be by encrypting their collected data and putting a data breach notification plan in place so that consumers can be completely confident about how they are interacting with companies.

Ultimately, startups need to soon realise there are a lot of GDPR-compliant tactics they should be implementing now. It’s a myth that small businesses can’t become GDPR-compliant. Mailjet itself is now GDPR-compliant and ISO 27001 certified, which shows that attaining the highest levels of data privacy and security can be accomplished by SMBs and startups, and not just big companies. The days of building companies that side step regulation are at an end; with data so inherent to so many fast growth businesses today, GDPR will need to be fully addressed. When startups make the changes the regulation enforces the relationship between their businesses and consumers should be able to thrive greater than ever before.

Make GDPR the opportunity to differentiate your company from others. Once you’re sure that you’re doing all the right things, turn up the marketing power and use that as a unique message. This is the chance to boost trust from customers who value the fact their data is safe in a companies hands. With the recent consumer focus on data following the Facebook and Cambridge Analytica news, there is no time like the present!