3 GDPR mistakes that can damage your customer relationships... and how to fix them


The GDPR came into force on 25 May. And still, months later, the internet is full of myths, talk of 'compliance journeys', and general scare-mongering. 

One thing's for sure: the GDPR triggers a lot of emotional reactions; it's probably one of the most-talked-about legal changes of the last decade.

I’ve seen everything from small business owners declaring that they'll simply stop trading — to consultancies suggesting that corporations should add new options to their phone menus to document consent for call recording. 



Whether it's the panic freeze or a bout of frantic activity, both reactions can inadvertently damage customer relationships.

That's why I’ve invited Dwight Leatham, who writes for law firms and others, to help us shed light on how to get the communications bit right.

So without further ado, here are 3 common mistakes we've seen — and what to do instead.



Mistake #1: Leaving all GDPR-related changes only to the lawyers

Where was it most obvious that the GDPR exists? — In our inboxes.

The first emails asking us for fresh opt-ins to a newsletter started to trickle in last summer. By now, there’s rarely a day without such an email or news about updated Ts&Cs or privacy policies.

That in itself is rather ironic, as the point of the GDPR is partly to protect people from unwanted emails (see more on that below).

What makes it even worse, though, is the fact that those emails are almost universally dreadful. They’re written in a way that would bore the socks off even the hardiest socks-and-sandals-wearing bureaucrat.

For example, we’ve had this newsletter subscription double-opt-in email from BRITA, who make water filters: 

“Just a moment, darling — I just want to confirm my declaration of consent to BRITA before we leave” … said no-one, ever.


“Declaration of consent” is copy-paste from the GDPR legal text. Used here, it suggests BRITA didn't pass this on to its writers to fix the tone of voice.

Which is, of course, very efficient and saves money on a writer.

Also, BRITA is based in Germany, and there are certain stereotypes about directness, efficiency and bureaucracy.

But those attributes don’t sell half as well as Gemütlichkeit, pretzels and engineering, and we bet more people would ‘confirm their declaration of consent’ if the message was written differently.


You need lawyers, you need writers

You need legal advice, of course. Lawyers can help you test your set-up; they’ll tell you what you can and can’t do, and how to comply. Beyond that, the ICO, or Information Commissioner’s Office, which regulates the GDPR in the UK, suggests you call on writers, too.

The ICO says you should avoid lawyerly language in your GDPR comms and write in a style your customers will understand. Sometimes that will mean writing differently for different people — for instance, if you make an app for kids, you’ll want to have one privacy policy for children and another, more comprehensive one for their parent(s) or guardian(s). You should also tie this in with your organisation’s values.

The Privacy Policy of Moo.com is a good example of that. It starts like this:


While the first sentence is hardly surprising, bam! they follow that with character. It makes the reader sit up straight and take notice. And it doesn’t change any of the legal content at all.


Mistake #2: Capitulating in front of all the legalese

A lot of the info about the GDPR is decidedly not in plain English. And it's all very abstract, written to cover many different scenarios.

Don't despair: here's a non-technical explanation of what the GDPR is, what it covers, and an inexpensive way for the small business owners amongst you to access legally-approved documents and get compliant.


What’s the GDPR?

Think back to October 2015, when hackers stole nearly 160,000 people’s personal info, including some bank and credit card details, from telecoms group TalkTalk. The group hadn’t done enough to keep the info secure.

More recently, we’ve had the Facebook and Cambridge Analytica goings-on. Facebook let an outside developer build an app to collect users’ info without telling them what it collected. And Facebook refused to take notice, knowing it hadn’t done enough to keep the info private. 

Concern about events like these — which have gone on at companies from Bupa to Uber  — has led to the GDPR, or General Data Protection Regulation.

It applies to every organisation, even outside the EU, that handles the personal info of people who live in the EU.

Don’t think Brexit will give you a get-out. It won’t. There’ll be changes, yes, but the GDPR (or something similar) is here to stay.  

The law isn’t about hefty fines, though there’s a tiny risk you could get one. It’s more about people’s rights and organisations being upfront about what they plan to do with personal info.

Let’s say you collect your customers’ names, addresses — work, home, email, IP (which gets linked to everything they do online) — and more. Or you handle this info to do your marketing. Then the GDPR affects you. Even if you hold the info in a way that it can’t easily identify a specific person (pseudonymisation, if you like long words), the GDPR applies. 

You can no longer assume people want your mailings. You may have grabbed their email addresses when they bought from you or downloaded a white paper. Yet you must first ask. And instead of pre-ticked opt-in boxes, you must leave your customers to choose — and be able to show how and when you did this. That’s just the tip of it, which is why you need lawyers.

If you’re a small business looking for a balanced, practical approach to making sure you’re compliant, check out Suzanne Dibble’s GDPR Compliance Pack.
It’s just £197 and includes video guides, 20 legal template documents and checklists — from GDPR-compliant privacy and cookie policies to a template for compliant newsletter opt-ins.
It’s so good that From Scratch has signed up as an affiliate, so in full disclosure, we’ll earn a small commission for each purchase made through this link.


Mistake #3: Seeing GDPR as a threat instead of an opportunity

“This will kill our company.”

“I might as well fold my business.”

“Lead magnets are dead.”

Those are just some of the reactions we’ve heard. It’s easy to think of the GDPR as a threat, because a lot of the legal changes are uncomfortable. We need to find new ways of doing things, and many marketers and small business owners don’t have a legal or technical background to put them at ease.

As writers and consultants, we’re small business owners and marketers, too. And we feel your pain.

However, it’s worth remembering that no-one is out to destroy our livelihoods.

The ICO and its European alter egos take a level-headed approach to enforcement. Any non-compliant business that has genuinely worked on doing right by the people whose data they process is more likely to get guidance and support from the ICO than a 20-million fine. In her podcast about GDPR, Information Commissioner Elizabeth Denham confirmed that the ICO “have always preferred the carrot to the stick” and that she intended to continue in that way.


So, how can you turn the GDPR into an opportunity?

You need to tell your customers who you are and explain what you’ll do with their info. First, you need to get their consent.

Already, there are good and bad examples of how to go about this. The Guardian is one of the good ones, for the most part. From its ‘Opt in and get more out of the Guardian’ email to its FAQs and newsletter preferences pages, it’s clear and on brand, with no jargon in sight. 

What's really nice here is how The Guardian responds to the questions readers will ask themselves, in the right order — from 'why are you asking me to tick those boxes again?' to 'what's in each newsletter?'

"Why not take a few seconds...?" — A lovely way to invite readers into a closer relationship.

On the other hand, if you bank with Santander, you may have got a three-page ‘My new Data Protection Statement’. It’s dense, hides the opt-out and is a lesson in how to confuse your reader with the word ‘you’:

Role reversal in legal policy documents: sometimes, sticking with the way it's always been isn't such a bad idea.

Use the GDPR as a push to improve the way you do business. Customers who choose to give you their contact details want to hear from you. It’s part of the lead-up to buying; they want to check you out first. All you have to do is make the process clear and above board. 


Here are some things you could do:

  • Create a subscription preferences page on your site, describing the types of stuff you’d email and how often;

  • Add a fair and easy-to-understand privacy policy;

  • Use those pages as another place to show what your brand is about.

Readers usually come to such content with very low expectations: they’re likely to think it’s going to be boring, overwhelming and bamboozling.

Use the opportunity to surprise them with clear language and a bit of fun — and the GDPR can enhance your business. 

When lawyers and writers are in sync, prepare to be amazed. 


Get help finding compliant words that delight customers

If at any point you’re stuck, or if you’ve got a specific question about making your new, GDPR-compliant pages come alive through words, email us or leave a comment below.

We’ll help you find words that resonate — and share a Q&A about it in another blog post. (Anonymously, if you prefer.)


Dwight Leatham

I’m Dwight, a writer at Word Space.  I’m good at getting into complex topics and at stripping these down in words. 


Sabine Harnau

I'm the founder of From Scratch — the boutique communications consultancy helping purpose-driven businesses woo customers and keep them happy.