Report: Majority of companies fear 3rd-party vendors make them vulnerable to GDPR legal risks
Only 32 percent of companies say they are fully GDPR-compliant, according to the Demandbase/Demand Metric report.
Non-compliance with Europe’s General Data Protection Regulation (GDPR) comes with some very high penalties for companies that mishandle data from European Union (EU) members. Third parties can be a point of vulnerability.
That’s probably why a Demandbase survey released Tuesday morning shows that a staggering 80 percent of companies are concerned that their martech vendors might expose them to legal risks under GDPR.
The account-based management (ABM) platform and research firm Demand Metric asked 255 marketers around the world about their attitudes toward data privacy issues. The marketers were from mid- to large-size businesses in a diverse set of industries, and the research was completed one month after GDPR went into effect on May 25.
The report found that of those marketers who are aware of GDPR, only 32 percent say that their companies are fully GDPR-compliant. That’s a troublingly low percentage for companies that have any European customers. The penalties for breach of GDPR can be up to €20 million, or 4 percent of a company’s annual revenue, whichever is higher.
The report does show that marketers are aware of the importance of data security, with nearly 75 percent saying they will invest in technology to improve their approach to data privacy. But they may need training first, with 57 percent saying their top GDPR challenge is understanding the law, and only 37 percent saying they are facing technological barriers.
Fatima Khan, chief privacy officer at Demandbase, says it’s important for companies to take responsibility for thoroughly investigating potential third-party partners.
“Under the new law, it’s important for B2B marketing teams to implement the GDPR properly because it impacts how companies do business with each other,” Khan told me via email. “In addition to investing in compliance to ensure they have adequate rights to use personal data for marketing, marketers also need to vet their vendors to ensure they aren’t exposing themselves to risk through third-party data practices.”
Email leads the way in gathering consent
Consent collection continues to be a top-of-mind issue for marketers, and most marketers (80 percent) use email to do it. Nearly as many (70 percent) also use online forms. Slightly fewer than half (48 percent) use website notices and banners, which is surprising given how often we see them on the web. And while 30 percent of those surveyed said they were simply not refreshing consent they had already collected, respondents who did were split between those asking everyone in their database to reconsent (36 percent) and those taking a limited country-by-country approach (35 percent).
Even with this relatively small sample size, it’s heartening to see that despite up to 22 percent of companies saying they would not spend any money on GDPR compliance, a majority (60 percent) say that GDPR has spurred a change in their global approach to privacy. And a significant 86 percent said they value the protection of data to a moderate or significant extent. More than 90 percent of respondents look at it as a matter of trust and “believe that ensuring data privacy will help their marketing team build trust with customers and also help their marketing team deliver a better customer experience,” according to the report.