With our online survey tool surveydoc, we provide an easy way for many users to get feedback from their clients, students, etc. On May 25th, 2018 the GDPR (General Data Protection Regulation) became a requirement within the European Union. This caused a huge wave of media attention, an enormous amount of costs for companies and until today brought up questions that are still unanswered for most of the businesses.
Interestingly, with the public’s growing awareness of the impact, we got more and more customers at surveydoc. As nosy as we are, we asked some of the new customers. We found out that many of them (especially the ones who signed up for our paid service) came from other mainly US-based competitors. Their number one argument whas the fact that our hosting is in Germany and that we encrypt all the customer data (second). Do we, as little surveydoc (the David in our case), have something against the big guys?
The effect of DGPR – especially on StartUps
The main force behind the GDPR was for sure a good cause but in the end, it was a legal monster and another of those rules that everyone has to comply with. It was similar to the German „facebook rule“ where web site owners had to disable the like button until the visitor actively enables it and therefore allows Facebook to track its data. Another example are the annoying „cookie“ popups that now hinders every one to see the content of a website until you find that little „YES, I agree“. All those regulatory rules mainly do two things (in our opinion):
- They hinder startups and small business owners to improve their offerings/products because a big portion of their resources are gone constantly screening if another rule pops up.
- It is getting harder and harder to start a business without major funding (VC, business angels or bank credit). Many can’t catch up with the ever increasing number of rules and certifications required to run a business idea.
In the end, markets, where a small player could find their niche, are drying out and the big corporate tankers are taking over. Most smaller can’t afford the endless costs for legal consultants, experts, and developers. To give you a number: Microsoft has put 1600 engineers to work on GDPR (see here)! Those number does not include all the legal and organizational teams and their endless numbers of hours to define the requirements for the developers.
How it went for us at surveydoc?
We were where lucky! Years ago right at the beginning of our venture, we decided to use encryption within both our app as well as at our backend and web site. What was initially plant to block system-administrators out of customer data played in handy now! But even so, we had to develop too to be compliant. With the GDPR customers have to have access (at any time) to all data a company has collected from them. Applying that into our world means that the regular export we had (where users can download all their survey results) isn’t enough. We needed a new export covering all the surveys and personal data itself but that was a minor development.
Another, way more difficult part came in more challenging and is yet another example that many legal rules are just designed ignoring the real world. The GDPR requires that you (the company) give a customer the right (at any time) to remove all if it’s data. In practice, this would mean that you delete the customer’s surveys, all survey results and its data on your CRM. Wait? I can’t delete the customer data if he is a paying customer! Well, that is in conflict to our law to keep financial statements (e.g. billing information) up to 10 years accessible. We solved that by moving those sensible data into a special archive.
Conclusion
For the GDPR we a small advantage against the big player and therefore got unexpectedly more customers. It does not mean that the reason a customer signs up with us is always justified. Sometimes it’s just fear and he feels more comfortable with a German/local operator. The costs for us related to the GDPR compliance turned out OK but much of it was just a coincident (e.g. our encryption was in place right from the beginning). So that gave us a small advantage
