Back to Knowledge Base

How is GDPR affecting customer communications?

How is GDPR affecting customer communications?

In the months leading up to the introduction of the general data protection regulation (GDPR), a kind of mass hysteria seemed to grip marketers and professionals in customer communications.

Now that the dust has settled and GDPR is a part of our business landscape, what are the lasting effects? Has GDPR changed the way we communicate with customers? Or was the Great GDPR Panic of 2018 just another case of mass hysteria, rather like Y2K?

Before we look at some of the changes brought by GDPR, let’s quickly review what GDPR mean in real terms:

  • Companies must have consent to send messages to consumers
  • People have the right to prevent their data from being processed
  • People also have the right to request a copy of their data and to ask for it to be deleted


Some customer communications are essential and unavoidable. For example, your bank must communicate with you if someone tries to hack into your account. And your insurer must send you details of your policy. These kinds of customer communications are lawful under GDPR and come under the ‘contract’ basis for processing personal data.

For many of the typical customer communications that our clients send every day, GDPR changes nothing. The only action that organisations must take is to document that this is the lawful basis used to justify these communications.

Things change if the communication is primarily for marketing (e.g. cross-selling or up-selling communications). In such cases, it may be appropriate to use the legitimate interest basis.

Legitimate interest and marketing communications

If you want to tell customers about a new service or product, you may need to demonstrate that the customer has a legitimate interest in that communication. This basis is not a blanket rule for sending anything to anyone: you are advised to balance out the interests of the individual and the interests of your organisation. Any communications should not be obtrusive, and recipients should have an easy way to opt-out of further communications.

What has changed following GDPR?

In theory, very little should have changed following the introduction of GDPR.

Communications teams may be more cautious, and certainly put more work into obtaining consent and defining the lawful basis for processing, but otherwise, customer communications are still being sent. We may be thinking twice before hitting send, but customers still need our messages, and we still have a legal basis for sending emails, text messages and letters.

Has GDPR affected how you manage customer communications? Has the new regulation hampered your work – or supported it?