‘Classic’ growth hacking techniques employed by start-ups, such as adding contacts to email newsletter databases and scraping email addresses from LinkedIn, could put organisations at risk under new data protection legislation.

According to a survey conducted by email marketing platform Mailjet, fewer than half (47%) of start-ups always seek consent from their customers before contacting them – even though 91% report collecting personal data from their clients.

Under GDPR,

which comes into force across the EU on 25 May

, processing an individual’s personal data if they have not opted in to communications will be against the law if consent is the legal basis the organisation has chosen to pursue.

But according to the poll, the average readiness score among start-ups for GDPR was around 4 out of 10, with the banking and insurance sector the most prepared (4.4), and construction firms the weakest (3.2).

Alex Delivet, head growth hacker at Mailjet, said: “It’s important to make the differentiation between ‘spamming’ and ‘growth hacking.’ Over the past years, it’s been easy to turn to tactics that consist of scraping email addresses and sending mass cold emails. This is spamming, not savvy growth hacking.

“With the arrival of GDPR, these kinds of bad practices will be officially illegal and the best growth hackers will realise there are a lot of GDPR-compliant tactics we can try,” he added.

GDPR encourages deeper considerations than simple tactics

“While it’s true that contacting those who haven’t consented will be illegal under GDPR, this is only the case if you pursue ‘consent’ as the legal ground under which to process your data,” said Paul Snell, deputy editor at B2B Marketing and author of the guide


Getting to grips with GDPR


.

“Consent isn’t the only option for B2B marketers to pursue – even the regulator says ‘if consent is difficult, look for a different lawful basis,” he added. “Legitimate interest is an alternative legal ground to consider. But the legitimate interest of the company needs to be balanced against the rights of the individual in question and whether they would ‘reasonably’ expect their data to be processed.”

But that’s not an excuse to ditch your preparation for the new legislation, Paul concluded. “An underlying principle of GDPR is to force companies to consider how they can incorporate data privacy in their processes by design. If you intend to use legitimate interest as an excuse to continue to use data in the same way you always have – without this consideration – it’s likely you’ll be found out in the end.”

The survey canvassed 4328 respondents at start-ups across Belgium, France, Germany, the UK and the US.