Skip to main content

GDPR, customer data and your company

How much influence does GDPR have on the way you as a company process customer data? The answer will depend on your company and how you use the customer’s data. For a company that has good practices for processing personal data – including customer data – GDPR can actually be an opportunity to excel. The blog here covers how customers are protected by GDPR, how a company uses customer data and finally you will be presented with a list of best practices for processing customer data in accordance with GDPR.

What is customer data used for?

Customer data is used for a number of purposes, and it depends on one’s company’s specific needs and industry. Here are some common uses of customer data:

  1. Improving the customer experience: Companies can analyse customer data to understand their customers’ behavior, preferences and needs. This insight can be used to customise products or services, provide better customer service and create a more personalised customer experience.
  2. Marketing: Customer data is used to target marketing campaigns more precisely. By knowing customers’ interests and buying habits, companies can tailor their messages and advertising to appeal more effectively to the target group.
  3. Product development: Companies can use customer data to identify new trends and demand patterns. This can inform the product development process and help create products that better meet customer needs.
  4. Customer retention: By analysing customer data, companies can identify potential risks of customer churn and take action to improve customer loyalty. Personal follow-up and tailored offers can help to retain customers.
  5. Business decisions: Managers can draw on customer data to make informed decisions about business strategy, resource allocation and operations. Data can provide insight into market trends and the competitive situation.
  6. Streamlining operations: Companies can use data to optimise internal processes, improve inventory management, and streamline logistics based on knowledge of the customer’s purchasing behavior.
  7. Compliance and security: Secure handling of customer data is essential to comply with data protection legislation such as GDPR. Companies must ensure that they store and process customer data in a secure and legal manner.

Start your GDPR cleanup where it is needed the most

Sensitive data can tends to accumulate in the employees' e-mails. With a GDPR Risk Scan from DataMapper, you get a report that shows any potential GDPR risks in the company's e-mails.

Protection of customer data according to GDPR

The General Data Protection Regulation (GDPR) protects the data and privacy of people who are in the European Union and the European Economic Area. So this includes:

  • EU citizens who live in the EU
  • EU citizens who live abroad
  • Foreign residents in the EU
  • Visitors in the EU

This gives GDPR a broad scope. If your services or website is available to any of the groups above, or you market to them, you should comply with GDPR. Further, it’s important to remember that many other countries have now created their own data protection laws. Many of these are closely modeled on GDPRs with a similarly broad scope. Therefore, key rules and best practices for handling customer data in GDPR may apply worldwide.

Get consent before asking for a customer's data

To start with, GDPR requires you to have a legal basis for collecting personal data. Getting consent is one of the most common and straightforward ways to be sure you have that legal basis. Even if you get consent verbally, make sure you document it.

Your consent forms should be clear and easy to understand. They should state the reasons why you are asking for personal data. They should also mention what you will or will not do with the data, and include a link to your privacy policy. If you share or sell data, you should usually get specific consent to do so.

GDPR and customer data

Minimise the customer data you collect

The GDPR principle of data minimisation affects how much data you should collect from customers. It states that you should only collect and process the minimum amount of customer data needed for your stated purpose. This principle aims to limit the exposure of people’s personal information and risks to their privacy. Inventory your data regularly to make sure you aren’t keeping data you don’t need.

Keep customer data safe

GDPR requires you to implement appropriate technical and organisational measures to protect customer data. technical and organisational measures to protect customer data from unauthorised access, loss, destruction, or alteration.

Use strong passwords, encryption, and access controls. Perform regular data backups. Educate your employees about how to protect their devices and the data on them. Don’t forget to protect paper copies and notes with people’s personal information on them.

Know your customers' GDPR data rights

GDPR gives your customers more rights over their personal data. You should be familiar with these rights and disclose them to your customers in your privacy policy.

GDPR customer data

Let your customers know who to complain to

GDPR allows each EU member state to establish its own supervisory authority. Usually, these authorities are called data protection agencies. Your local data protection agency is responsible for enforcing and overseeing GDPR compliance. As such, they have the power to investigate breaches, issue fines, and provide guidance about data protection.

Find out who your local data protection agency is and provide their contact info to your customers. This lets your customers know you take responsibility for protecting their privacy and their data.

Do this if your customer data is affected by a breach

If your company were to experience an incident that poses a risk to the rights and freedoms of your customers, you must report it. Read more about it here.

Get our Newsletter!

In our newsletter you get tips and tricks for dealing with privacy management from our founder Sebastian Allerelli.

When you sign up for our newsletter you get a license for one user to ShareSimple, which will give you a secure email in Outlook. This special offer is for new customers only, with a limit of one freebie per company.

When others process customer data for you

If you use any third-party service providers to process customer data for you, GDPR requires you to draft a Data Processing Agreement (DPA). Basically, this is a contract that outlines the responsibilities and obligations of each party to ensure GDPR compliance.

GDPR rules for sending customer data abroad

The GDPR has special requirements for the transfer of customer data outside the EU (cross-border transfers). Before you send customer data to overseas partners, you must first consider whether they really need this data to do their jobs. If you need to send customer data to another country, we recommend that you do the following to ensure that the transfer meets GDPR requirements:

  • Check whether the country has a decision on an agreement with the EU. If so, you can treat it as an EU transfer
  • Only transfer to companies with binding corporate rules (BCRs)
  • Get the data importer to make a binding commitment to apply safeguards that protect data
  • Get express consent from the customer to share their data abroad

A smart way to keep track of your customers' data

As a company, according to the GDPR, you are responsible for the customer data you collect. It requires good data processes, discipline and documentation. This can be achieved manually, but by using IT tools you can make the task manageable. Both for yourself and the employees.

DataMapper – Find your sensitive data
ShareSimple – Send and receive data securely in Outlook
RequestManager – Process data subject requests easily

Sebastian Allerelli

Founder & COO at Safe Online
Governance, Risk & Compliance Specialist
Follow me on LinkedIn to get tips on GDPR →


How to handle sensitive personal data


How to find personal data with datamapping tool


How to prepare for a data audit