Predicting the impact of GDPR on the A2P and SMS Industry

Most organisations will be aware that the EU’s GDPR is already law and will be enforced from 25th May 2018.  Failure to comply risks regulator sanctions and litigation, but besides mitigating these punitive instruments, business’ have a choice to make.

A business can choose compliance because it is the law, or they can choose compliance because their customers have told them to do so, or they can choose compliance because they believe in the spirit on which the legislation is founded.  Some might even choose to do nothing, but regardless of the choice a business makes, the GDPR has significant disruptive powers.

The potential regulator maximum fines (4% global turnover) and compensation for data subjects (speculation on amounts varies) have grabbed the headlines.  Unfortunately the headlines have created hysteria and obscured the goal of building trust in digital services through better transparency, greater controls for citizens, and enhanced data safeguarding.  To that end, the “Accountability” principle and “Joint and Several liability” are likely to have significant impact.  Before exploring the impact of the GDPR further it is worth taking a quick look at why the legislation exists.

Headlines of personal data breaches and cyber security attacks are commonplace across all markets.  The news regularly exposes poor duty of care of personal data, criminal activities that result from data loss, abuses of citizen trust, and a lack of real choice regarding the exchange of personal data in return for digital services.  However, unless you have been personally affected by these issues or you are in the personal data industry it is difficult to appreciate the risk we face as individuals.

This video was created by Cifas for its 2016 campaign about identity fraud. It does a fantastic job at highlighting the issues individuals face.  To find out more about how to protect your identity please visit

Mindful of the broader context of the GDPR, it is helpful to think about two common A2P SMS engagement models when exploring the impact of the GDPR:

Enterprises engaging in high-frequency, low-cost, targeted marketing without consent

Regulators are taking action against such use-cases, Joint & Several liability as well as rights to compensation will put at risk the whole marketing supply chain.  This is likely to catch out some aggressive A2P suppliers and result in some Mobile Network Operators (MNOs) taking additional safeguarding measures which could potentially change the messaging ecosystem permanently.

Enterprises building enduring trusted and respectful relationships with customers

This is the spirit of the GDPR, it is a conscious choice for a business, and has a cost beyond the cost of complying with the legislation.  Trust and respect become brand attributes that no business wants to risk through poor supply chain management.  This creates an opportunity for service providers to align their brand values and create opportunities for value added services as well as selling messaging on value rather than just the price of termination.  More MNOs might also enter the A2P market leveraging their trusted brands and personal data.

A2P service providers will need to think carefully about how they add value beyond terminating a message.

For example, value added services might include personal data attributes or use-case specific communication services.  In both instances, the service provider is no longer just delivering a confidential message instigated by their customer, potentially increasing service provider exposure should a GDPR breach be identified.

An interesting case in point is HLR Lookup.   XConnect is aware of MNOs and regulators expressing concern of using raw HLR Lookup.  These Lookups do reveal sensitive information that can be abused and lookups are being sold for non-routing services without consent.  XConnect is working on alternative solutions to support a number of HLR Lookup use-cases which will be GDPR compliant.

To this end, XConnect has implemented Privacy-by-Design principles within its Number Information Services Platform, to create “Policy Based Processing”.  In other words, we enable many to many relationships between our customer’s use-cases and the associated data sources provided to us.  For each use-case, XConnect’s Number Information Services can:

Control which data source is used.

Demonstrate the end-to-end Legal basis for the customer’s use-case.

Show an Audit trail for every query.

Safeguard the data from ingress, through processing, and to egress

Perform queries at Scale and velocity

Our Number Information Service (NIS) platform allows us to take raw services like HLR Lookup and make legal use-cases available to enterprises and demonstrate to our data sources (MNOs) that each instance of a HLR Lookup was safeguarded and used lawfully.

We believe that our “Policy Based Processing” capability is central to establishing trust with subscribers and trust with MNOs.  The end result is that it allows the market for MNO derived personal data to thrive, but I worry market trust can still be undermined.  For example, I am not confident that consumer’s appetite for immediate digital satisfaction will change.  Consequently, risks of personal data loss, identity theft and fraud will continue to thrive.  Secondly, I see nothing to change the appetite for SPQR (small profit quick return) business behaviour which can leave a whole supply chain open to compliance risk.

XConnect has already made its choice, and it is what you would expect.  We’ve chosen trust and the spirit of the GDPR.  We are fully engaged in a readiness program, we have privacy by-design at the centre of our data exchange platform, Data Privacy Impact Assessments (DPIA’s) burnt into our product development process, we are encouraging the GDPR conversation with the markets we serve, we have established new company values that are consistent with our ambitions, defined a roadmap for our NIS platform that helps our customers and enterprises navigate the omni-channel conversational web with compliance at its heart, and recently we shared GDPR ready service agreements with our customers.  Ultimately our core business model remains unchanged, XConnect will : Source, Clean, Normalise, Orchestrate, Police, and Provide access to numbering information.   We do it today for NPQ, and it is what we are doing as we take NIS forward.

This is a lot of effort and takes time.  We started our process 9 months ago.  We had to introduce new process, adapt policy, create new software, build awareness, and introduce new tools.  Don’t leave it too late and maybe through collaboration we can all get there faster.  We’d be happy to share some of the details of how we are preparing ourselves.

If you are curious about XConnect’s NIS service or what GDPR means for the industry, please do get in touch via

Latest Posts