How GDPR affects your client data and communication

When a client chooses your business, they’re putting their full trust in you. Not only are they saying that they believe you will act in their best interest, but they are also assuming that you have already acted in their best interest.

Put yourself in the shoes of one of your potential clients. Let’s say you’re looking for an accountant to prepare quarterly financial documents for your business. You find a firm that offers what you need at a reasonable price with ongoing support. 

You’re sold, so you decide to sign on as a new client.

As a new client you have to go through the onboarding process, which includes sending sensitive personal and business information to them. You are putting your trust in that business that they will protect this information. 

So, while you expect them to take good care of you in the future as a client, when you choose to work with this firm, you’re betting that they have the system and processes in place to properly collect and protect your personal information. And if you can’t trust that, you can’t rest assured that your information is protected. 

Can your clients be 100% certain that their data and communications with you are protected and will remain private?

While extremely important, security is not the only consideration when it comes to strengthening your client data and client communication processes. They both present unique challenges and opportunities. 

To effectively collect, manage, and protect customer data, you need to consider the following: 

  • Data required

  • Data storage 

  • Security

  • Laws and regulations

When you’re communicating with clients, the considerations are similar:

  • Customer needs 

  • Customer preferences

  • Security

  • Efficiency 

  • Effectiveness 

  • Laws and regulations

This right of individuals to have their personal data protected is one of the key reasons the General Data Protection Regulation (GDPR) was introduced in the European Union. It has applied since May 2018. Note that GDPR protects natural persons only; data about a company as such is not personal data, although data about the people who work there is.

And these regulations are changing the way many companies around the world handle client data and communications. 

Complying with GDPR will likely require your company to change too: the way you communicate internally, how you collect and store data, and how you communicate with clients.

What is GDPR? 

GDPR is a European Union regulation on data protection and privacy. In effect since May 2018, it is intended to protect individuals by giving them more control over their personal data, requiring that data to be protected, and requiring organisations to be transparent about how they use it. Although the rules were created in the EU, they apply to any business or website that processes the personal data of people in the EU (not only EU citizens), whether or not the business itself is located there.

GDPR also requires companies to follow data protection procedures to keep consumer data secure and avoid data breaches, which have been far too common over the last decade. 

What type of data does GDPR intend to protect? 

All companies collect a wide range of data. Depending on the nature of your business, some of the information you collect may not count as “personal data” under GDPR. However, the definition is broad: any information relating to an identified or identifiable living person, directly or indirectly. Personal data that your business must handle with care under GDPR includes the following forms of information: 

  • Names

  • Images

  • Social media posts

  • Emails

  • Bank account information

  • Medical records (health data is a “special category” of personal data under GDPR and is subject to stricter rules)

  • IP addresses

Fines for companies that don’t comply with GDPR are severe. For the most serious infringements, penalties can be as high as €20 million (roughly $22.5M) or 4% of the company’s worldwide annual turnover for the preceding financial year, whichever is higher. 

What if you don’t operate in the EU? Does your company need to abide by GDPR?

If you have working relationships with people in the EU and collect, store, or share their personal data, you must abide by GDPR. Not having a physical presence in the EU does not mean you are unaffected.

Organisations subject to GDPR act as either “controllers” or “processors.” A controller collects personal data and decides why and how it is used; a processor handles (and possibly shares) that data on the controller’s instructions. Both have obligations under the regulation, and a controller remains responsible for the processors it chooses, which is why the tools you use to store and exchange client data matter. 

If your business does not operate in the EU and has no EU-based clients, you may not be subject to GDPR. That does not mean GDPR will have no impact on your business, however: it has inspired privacy laws elsewhere, including in the US, so you may be required to follow similar rules in the near future. The California Consumer Privacy Act, for example, was passed in June 2018 and shares many of GDPR’s concepts. 

How GDPR affects your client data and client communications 


Client data and client communications are inseparable, because it is difficult, if not impossible, to exchange messages without sending and receiving personal data. That data could be as simple as a name and email address. If you’re collecting it, you have to protect it.

Here are three ways GDPR affects the way you collect and protect client data and communicate with clients: 

Data minimization

How much information do you collect from your clients? Is it all necessary? 

GDPR calls for businesses to minimise the personal data they collect: it must be adequate, relevant, and limited to what is necessary for the purpose it was collected for. In other words, if your business is collecting more data from a client than you need, you are in violation of GDPR. 

Do you record conversations without a legitimate reason? Are you asking for information that will not be used in serving your client? These are questions your business needs to ask. If you are collecting information that is not necessary for conducting business with clients, adjust your processes to comply with GDPR. 

Designing to be private

Waiting until after a communication platform is built to add security controls is a recipe for disaster. GDPR’s requirement of “data protection by design and by default” (Article 25), commonly called “privacy by design,” obliges companies to build data protection measures into their systems from the start rather than bolting them on later. 

In the words of the regulation:

“The controller shall… implement appropriate technical and organisational measures… in an effective manner… in order to meet the requirements of this Regulation and protect the rights of data subjects.”

Are you using consumer-focused communication tools that collect data by design, or a secure, GDPR-compliant, business-grade communication system? Don’t risk your clients’ data; use systems that are private and secure. 

When breached, notify

The client data you store must be protected. If a personal data breach does occur, GDPR requires a controller to notify the relevant supervisory authority within 72 hours of becoming aware of it, where feasible, and to notify the affected individuals without undue delay when the breach is likely to put their rights and freedoms at high risk. If you act as a processor, you must notify the controller without undue delay. In practice, this means you need a way to detect a breach, assess who is affected, and reach them quickly, so the incident-response process has to exist before the breach does. 

Why you should follow GDPR with your internal communications starting today


If you collect information on web visitors or customers in the EU, you need to be GDPR compliant. Failure to do so can result in a supervisory authority ordering you to stop processing EU residents’ data, as well as costly fines. 

Lowering your risk of fines is just one benefit of being GDPR compliant. Possibly a greater benefit is establishing trust among your current and future clients, regardless of where they live. GDPR is now known around the world, and consumers are beginning to demand more from their service providers. By becoming compliant, saying so on your website, and sharing it with customers, you assure them that you take data privacy and the information they share with you seriously.