
The GDPR special edition of MEF’s eBulletin series, supported by CLX Communications, highlights the perspectives of the diverse MEF membership and experts on their path to preparing for GDPR compliance.

Here, Rob Malcolm, VP of Marketing and Online Sales at CLX Communications, discusses GDPR’s impact on the Enterprise messaging space and highlights aspects of the new regulation that businesses should prepare for. Download the eBulletin for more unique articles and insights now.

GDPR is less than one month away. For many enterprises, it is uncharted territory. This is especially true of businesses that use Enterprise Messaging as part of their customer service operations, be that for two-factor authentication, appointment reminders, or marketing, on CPaaS platforms.

GDPR governs what you need to do if you store and process personal data (including metadata produced by communications) and with whom and how you can communicate.

GDPR defined roles

For enterprises fulfilling these obligations, compliance requires an understanding of where you fit as a Data Processor, Controller or Sub-Processor.

Within the Enterprise Messaging ecosystem the value chain is complex, and for the first time, Data Processors will be placed under a direct obligation to comply, which previously only applied to Data Controllers.

What qualifies as personal data?

Personal data means anything that addresses or uniquely identifies the Data Subject (the consumer) including MSISDN and IMSI numbers – typically used for two-factor authentication.

As well as this ‘mechanical data’, GDPR acknowledges as personal data the content within a message, including a name, bank account, driver’s licence and so on, and also sensitive information which could identify the data subject, including ethnicity, religion, health and genetic data.

What are the rights of EU citizens under GDPR?

Enterprises that use messaging to communicate with consumers have statutory obligations. This includes the right to refuse to become a data subject and opens up the issue of informed consent.

The new requirements under GDPR include gathering multiple consents and giving individuals the right to withdraw from a service. All consent should be informed so that a person must understand what they are signing up to. In the past, this has not always been the case, and often consent has been deliberately confusing with pre-ticked boxes and pages of terms and conditions.

GDPR outlaws these practices and brings more clarity.

Beyond consent

EU citizens’ rights extend beyond giving consent: once consent is established and personal data is captured, GDPR mandates what must happen next.

Crucially, consumers have the right to be informed (e.g. right to know how long their data will be kept), to restrict processing (e.g. transparency on how data will be used), the right to data portability (e.g. right to move data from one provider to another) and the right to be forgotten by the data processor. For a Data Processor, these rights require that all requests from an EU citizen be handled expeditiously.

When can you store personal data?

Under GDPR, the processing of personal data must be for “specified, explicit, and legitimate purposes”. A Data Controller or Processor needs to comply with at least one of the reasons to store and use personal data as laid out in the GDPR.

Top of that list is that the consumer has given their consent, but there are other circumstances when it is permissible. One example is the performance of a contract, the most likely reason that a messaging aggregator will store personal data. Other permissible clauses include legal obligations, protecting a data subject’s vital interests, and other ‘legitimate reasons’ such as fraud prevention or credit checks.

Does data need to be kept in the EU?

GDPR applies both to companies within the EU and to non-EU companies when their messaging activities are related to individuals in the EU. It stipulates that personal data can be stored in any country, provided that it has adequate data protection laws, and that it can flow freely within all EEA countries (EU + Norway, Liechtenstein, Iceland).

GDPR allows personal data to flow between the EU and the US under the Privacy Shield Framework, a US initiative whereby participating US companies are deemed as having adequate data protection. In all other countries, personal data can only be transferred on the condition that the entities receiving it have entered into EU Standard Contract Clauses, or that the entity has Binding Corporate Rules.

In reality, Enterprises (Data Controllers) that use messaging, particularly in the Government, Banking and Financial Services sectors, are already requesting guarantees from Data Processors and Sub-Processors (CPaaS providers for example) that data remains in the EEA bloc. This is the only robust way of guaranteeing GDPR compliance. The market is already responding with companies like CLX offering new APIs that only use EU mobile network operators and a GDPR specific routing class.


GDPR requires personal data to be processed in a manner that ensures its security. This means that appropriate technical and organisational measures are used and, crucially, that security is implemented by design. For Enterprises this means following industry best practice to secure data from both internal and external threats, for example by using a Tier 1 messaging provider that guarantees SMS firewalling and implements other fraud prevention measures. It also means only storing and using personal data (including metadata) for the time that is absolutely necessary.

GDPR also requires the appointment of Data Protection Officers to record data processing activities in an auditable register and to prepare Data Impact Assessments. In the event of a data breach, there must be timely and accurate communication to Data Controllers and the supervisory authority (within 72 hours) and notification to the Data Subjects (customers).

Do I need to get my customers to opt-in again?

GDPR covers the consent to store and process Personal Data. This should not be confused with the consent to be communicated to. Obviously, overlap exists. The question is whether your customers gave you consent to store their data. If the answer is yes, then you have no issue under GDPR. If the answer is no, then you will need to seek consent.

GDPR is clear. It’s no longer possible to cut corners. It is therefore vital for Enterprises to seek out the right messaging or CPaaS provider so that the highest standards of protection of personal data are maintained. CLX has developed an in-depth guide to GDPR and Enterprise Messaging which can be downloaded from the CLX website.

Rob Malcolm

VP of Marketing and Online Sales, CLX Communications


Download the free GDPR Ebulletin now

With unique insight and analysis on enterprise messaging, permission and consent, the monetisation of personal data post GDPR, customer profiling and cultural and behavioral changes, the GDPR special edition eBulletin provides an invaluable glimpse into how businesses are meeting their obligations under the EU’s new data protection regulation, and how they see the industry in a post-GDPR world.

MEF’s GDPR eBulletin is available now