
The state of GDPR-readiness in Europe

A consumer perspective
(2nd Edition: February 2018)

A comprehensive market study testing the state of GDPR readiness among 89 organisations from seven countries active in different verticals
Management Summary

Major change is just around the corner: from 25 May 2018 onwards, the General Data Protection Regulation will be in
full force in Europe. The goal of GDPR is to protect customer data held by companies and organisations. In practice, this
means that individuals are being put back in control of their own data.

If data controllers (i.e. organisations controlling data) don’t comply with the regulation, they risk fines of 4% of total
turnover, with a maximum of 20,000,000 euros.

iWelcome puts organisations throughout Europe to the test, performing a bimonthly assessment of GDPR-compliance
in customer interaction among 89 organisations in Europe. A total of 7 countries are included in the research, namely:
the Netherlands, the United Kingdom, Germany, France, Switzerland, Spain and Sweden. The verticals in scope are
Insurance, Utilities, Media & Publishing, Travel & Services, Retail/E-tail & Consumer Products and Non-Profit.

As GDPR in essence is meant to protect customers, the strongest approach is to investigate the current state from a
consumer’s perspective. We assessed the customer registration processes and privacy statements of organisations and
compared the current state to how it should be implemented under the GDPR.

Following this approach, we were able to measure the following GDPR variables:

›› Consent (GDPR article 6 and 7);
›› Ability to withdraw (GDPR article 7);
›› Right of access (GDPR article 15);
›› Right of rectification (GDPR article 16);
›› Right to erasure (GDPR article 17);
›› Data retention period (GDPR article 5.1(e));
›› Privacy by default (GDPR article 25);
›› Special categories of data, when applicable (GDPR article 9).

Parental consent and data portability are also relevant from a consumer’s perspective, but due to the research
methodology, we weren’t able to measure these variables.
As mentioned earlier, the assessment is performed every two months. This is the second edition, reporting on our
second measurement. The first edition was published in December 2017 (measurement October and November 2017),
the second one in February 2018 (measurement December 2017 and January 2018).

The results of the second measurement show little difference compared to the first. This is especially frightening since the
deadline of May 25 is in less than 90 days. Some major findings:

›› Only 23.6% are on track while 76.4% (!) of all organisations are uncompliant in most areas (compared to 80% in the
November 2017 measurement);
›› Out of 7 countries, Germany scored highest on GDPR-compliance with a score of only 5.76 out of 10. In the
previous round the Netherlands scored best;
›› Retail/E-tail & Consumer Products was the winning vertical.

The goal of this research is to raise awareness among European organisations regarding the new privacy regulation,
and to support organisations on their journey to GDPR-compliance. If you want to know how compliant your
organisation is when it comes to customer interaction, you’re invited to take our online self-test.

2 | ©iWelcome
Consent

One of the key aspects of the GDPR is consent. If the processing of data is not covered by one of the bases for
processing as stated in the GDPR (e.g. the performance of a contract), a consumer needs to give consent for the use
of his or her personal data. The use of the data should be linked to one or more specific purposes, that need to be
specified per attribute or field.

In our research, the element of consent was measured by looking at the following aspects:

›› Is consent being asked for in a straightforward manner? For example, by ticking a box which says you agree
with your data being processed.
›› Is the purpose of use mentioned at all? Does the organisation clarify for what purpose the personal data will be used?
›› Is the purpose of use crystal clear?
›› Is the purpose of use specified per attribute?

On average, the United Kingdom scored highest (2.62 out of 4) on consent and France lowest (1.17 out of 4).
Overall, we found that many companies do not mention a purpose of use and – if mentioned – it is either too
generic or difficult to find (e.g. in the privacy policy). On an industry level, Retail/E-tail & Consumer Products scored
relatively high and Non-Profit scored relatively low. No major changes were found compared to the measurement in
November 2017.

[Figures: Consent score per country; Consent score per industry; Overall score on consent. Legend: Uncompliant across
the board / Uncompliant in most areas / Fulfilling some GDPR-requirements / Fulfilling many GDPR-requirements /
Almost or fully compliant]

Ability to withdraw
Consent must be given freely; specific, informed and unambiguous. An individual must have the possibility to withdraw
consent at any time, just as easily as it was given.

›› Does the data controller make you aware of the fact that you can revoke your consent?
As this right to withdraw was not always applicable in the registration process, we also investigated the privacy
statements and looked at the possibility of revoking consent for receiving newsletters.

In 27% of cases the ability to withdraw was not addressed in the registration phase nor in the privacy statement. This is an
improvement compared to the November 2017 measurement, where 34.2% of all cases did not address the ability to
withdraw.

[Figures: Ability to withdraw, score per country and score per industry. Legend: No / Yes]

Right of access

European citizens have the right to obtain information on whether or not their personal data are being processed.
If that is the case, there is a right of access to that data (including amongst others the purpose of use and the
envisaged period for which the personal data will be stored). Moreover, this right should be free of charge.

›› Is the right of access mentioned? And can you exercise this right free of charge?
As shown in the chart below, a large part of the organisations (61.5%) in the UK does provide the right of access,
but not free of charge. There was one observation in Switzerland where the right of access was not free of charge.
Compared to October there was one observation in the Netherlands where an organisation changed its policy
leading to the right of access not being free of charge anymore.

Overall, 12.4% of cases falls into the ‘yes, but not free of charge’ cluster. 20.2% does not mention this right at all and
67.4% does mention it.

›› 20.2% does not mention this right at all;
›› 12.4% provides access, but not free of charge;
›› 67.4% provides access to data.

[Figures: Is the right of access mentioned? Score per country, score per industry and UK score. Legend: No / Yes, but
not free of charge / Yes, free of charge]

Right of rectification
Under GDPR, consumers have a right to rectification of their data when incorrect or incomplete. Data controllers must
point out this right in a clear and concise manner.

›› Is the possibility for rectification mentioned anywhere?


In our sample, 27% of the organisations do not mention this right at all. This is a small improvement compared to the
first measurement, where 31.5% did not mention this right at all.

An interesting finding is that in 67.4% of cases, the right of access appears conjointly with the right of rectification:
when organisations communicate the right of access free of charge to the consumer, they also point out the right of
rectification. This makes sense as these rights are fairly similar in terms of nature and the complexity to implement them.

[Figures: Right of rectification, score per country and score per industry. Legend: No / Yes]

Right to erasure
Initially known as the right to be forgotten, the right to erasure empowers consumers to demand erasure of their
personal data, unless processing is necessary for specific reasons stated in the regulation, such as compliance with law.
In all other cases, it must be possible for consumers to completely delete (all) data held by organisations.

›› Is the right to erasure mentioned?

The right of erasure, or the ‘right to be forgotten’, is not mentioned in the majority of cases, namely 56.2%. In 43.8% of
all cases it was mentioned. The country really making a difference was Spain, where 11 out of 12 observations did not
mention the right to erasure. The number of 56.2% is a small deterioration compared to November 2017, where 55.1%
did not mention the right to erasure at all.

[Figures: Right to erasure, score per country and score per industry. Legend: No / Yes]

Data retention period
Data controllers need to be transparent about the period for which data will be stored. This period can be subject to
external circumstances, such as legal obligations or research purposes. The data retention period should be specified,
per category of data. After this period, data should be deleted.

›› Is the period for which consumers’ data will be stored specified?

Only 11.2% of all organisations mention the data retention period. However, they don’t specify the retention period
per attribute, but mention it in general. This is still insufficient and similar to the situation in November 2017.

[Figures: Is the data retention period specified? Score per country and score per industry. Legend: No / Yes]

Privacy by default
An organisation’s online environment should be designed in such a way that privacy is always the basis and consumers
are in control. Consumers should not automatically receive information they did not ask for. There has to be an active
opt-in. This also means that a pre-ticked box to receive a newsletter is not according to privacy by default and will no
longer be sufficient under GDPR.

›› Are there any ‘pre-ticked boxes’? Can the consumer make his/her own decisions while interacting with the
organisation online?

44.9% of all organisations have something similar to a pre-ticked box or send newsletters automatically.
In 55.1% of all cases organisations are either compliant or didn’t mention additional marketing communication.
This shows a slight improvement compared to the results of November 2017, where only 53.9% was compliant and
46.1% somehow had a pre-ticked box or sent newsletters automatically.

For this variable, Germany scores best: 12 out of the 13 observed organisations designed processes according to
privacy by default.

›› 44.9% does not act according to privacy by default;
›› Germany scores best.

[Figure: Example of how not to act: newsletters will be sent unless a consumer opts out]

Special categories of data
The GDPR specifies ‘sensitive personal data’ as special categories of personal data. In order to process this type of
data, organisations must ask consumers for explicit consent with only a subtle difference compared to ‘regular’ consent:
where in some cases, consent can be obtained by an affirmative act (for example: “by providing your email address you
agree to...”), explicit consent means that an individual should deliberately tick a box, where he or she agrees upon the
use of his or her sensitive data.

Special categories of data:
›› Racial or Ethnic Origin
›› Political Opinions
›› Religious or Philosophical Beliefs
›› Trade Union Membership
›› Health
›› Sex Life or Sexual Orientation
›› Genetic or Biometric Data

›› Does the organisation ask for explicit consent when making use of sensitive data?

Not all organisations in our research process special categories of data. This is why we only measured this variable for
a limited number of industries, such as insurance and travel (e.g. when passing on your diet to a travel organisation,
it can reveal information on health or religion). The results here show that within this subsample, 34.6% was compliant
and asks for explicit consent in case of sensitive personal data. This is an improvement compared to our previous
measurement of 26.9% in November 2017.

Results on a country-level

Germany scored highest on GDPR-compliance when it comes to customer interaction, with an average of 5.76 out of 10.
German organisations were remarkably compliant when it comes to ‘privacy by default’.

The country scoring lowest was Switzerland. Although the country is not an EU member state, it did reform its own
privacy laws to the same standards. On top of that, international companies will interact with EU citizens, and therefore
will need to be compliant. The current state of our Swiss sample shows that consent is rarely demanded and
privacy statements are very basic.

[Figures: GDPR score specified per country; GDPR score put in context. Legend: Uncompliant across the board /
Uncompliant in most areas / Fulfilling some GDPR-requirements / Fulfilling many GDPR-requirements / Almost or fully
compliant]

Average scores per country:

Country           Average GDPR-score
                  November 2017    January 2018
Netherlands       5.76             5.59
United Kingdom    4.96             5.26
Germany           5.61             5.76
Switzerland       4.01             4.39
Spain             4.62             4.79
France            4.98             5.38
Sweden            4.48             4.80

Results on an industry-level

Retail/E-tail & Consumer Products are the winners of this measurement, followed closely by Media & Publishing. While
still in last place, Non-Profit scored significantly better compared to the previous measurement, almost closing the gap
to Insurance and Utilities. A remarkable finding is that Non-Profit organisations still have by far the lowest score when it
comes to consent with Retail/E-tail & Consumer Products scoring a lot better.

›› Retail/E-tail and Consumer Products scores best with an average of 6.23 out of 10;
›› Non-Profit scores lowest, but made the best progress in two months.

[Figures: GDPR score specified per industry; GDPR score put in context. Legend: Uncompliant across the board /
Uncompliant in most areas / Fulfilling some GDPR-requirements / Fulfilling many GDPR-requirements / Almost or fully
compliant]

Average scores per industry:

Industry                               Average GDPR-score
                                       November 2017    January 2018
Insurance                              4.44             4.48
Utilities                              4.48             4.61
Media & Publishing                     5.61             5.82
Travel & Services                      5.49             5.55
Retail/E-tail and Consumer Products    6.18             6.23
Non-Profit                             3.50             4.32

In conclusion: the bigger picture
This report includes the results of the second measurement of iWelcome’s research, obtained during December 2017
and January 2018. Overall, only 23.6% of all organisations are fulfilling most GDPR-requirements or are almost or fully
compliant. This means a staggering 76.4% does not show progress, with the 25 May 2018 deadline approaching
rapidly! In the November measurement this was 80%. That means that only 3% of the companies in our sample made
essential improvements.

The good news is that overall, we see a slight improvement in GDPR compliance. All countries and industries have taken
small steps and therefore score higher. But it is not enough. There’s still a lot to be done in the coming months. And we
also saw conflicting developments: companies that recently started to charge customers for access to their data, while
it was free of charge before.

We will keep monitoring towards the date that GDPR comes into force, and we will update our report every
two months.

Overall GDPR score

Uncompliant across the board: 9%
Uncompliant in most areas: 47.2%
Fulfilling some GDPR-requirements: 20.2%
Fulfilling many GDPR-requirements: 22.5%
Almost or fully compliant: 1.1%

What’s next?
We hope that organisations will be able to implement the required changes in their customer journeys in the
upcoming months. This will be crucial not only for GDPR compliance: in the end it is all about building trusted
relationships with their customers. And empowering customers with full control over their personal data will definitely
contribute to achieving this goal.

iWelcome’s platform has been recognised as excellent and innovative for its fine-grained GDPR support by analysts
Gartner and KuppingerCole. If you want to know how we can help organisations to implement the key CIAM
capabilities, please contact us: sales@iwelcome.com

“iWelcome provides unparalleled consent management features.”
KuppingerCole

“iWelcome offers EXCELLENT support for B2C use cases and for European GDPR compliance”
2016 Gartner Critical Capabilities for IDaaS, Worldwide

About iWelcome
iWelcome provides Identity as-a-Service for frictionless privacy-protected consumer services and security-enabled
workforce processes. iWelcome is the only European born Identity Platform – headquartered in Europe, backed by
European investors and specifically serving customers doing business in Europe. Millions of consumers and hundreds of
thousands of employees - across industries like banking, insurance, utility, media & publishing, travel & services,
retail/e-tail and Governments & Non-Profit – rely on iWelcome on a daily basis. Analysts like Gartner and KuppingerCole
have recognised iWelcome as a worldwide Product and Innovation Leader with “Excellence” ratings.

Building truly winning partnerships with its customers, iWelcome offers lowest Total Cost of Ownership and a
time-to-service in weeks. Applying Best-of-Breed Private Cloud Technology, customers benefit from both ends: using a
SaaS service while not having to share critical resources.

+31 33 445 05 50 | info@iwelcome.com | www.iwelcome.com
