


Communisis recently held a Breakfast Briefing on The Impact of Regulation on Customer Communications which was attended by colleagues from across our client, business and supplier networks.

We heard from Audra Simons – Director of Innovation for global cybersecurity firm Forcepoint, Michelle Griffey – Chief Risk Officer and Sue Maclure – Head of Data, both for Communisis.

Customer Communications used to refer to the large-scale print and mail operations that dominated regulatory or transactional communication structures for banks, building societies and insurance businesses. While print continues to dominate in many of these markets today, Customer Communications has now come to refer to any bidirectional conversation between a brand and its customer. Perhaps the differentiator beyond channel is still the fact that this is carried out at massive scale and complexity, across multiple systems and siloes, and in any channel.

For Communisis working in this space with clients, mainly in regulated markets, risk management and the balancing of the requirements of regulators, clients, our supply chain and end customers has become a significant business preoccupation.


Where cost management and the ability to deliver savings through prudent outsourcing strategies have always been at the heart of our business, risk management and a clarity of vision for the impact of these efficiencies on end customer experience have emerged as key drivers for business success.

People continue to lie at the heart of enterprise business success, even in highly automated environments. But these same people also remain the source of significant risk, particularly in relation to cybersecurity and the risk of breaches.

‘Don’t treat cybersecurity as part of your yearly compliance training – make it real and make it relevant. Your people are your best form of defence and simultaneously your biggest weakness. When it’s real, your teams are properly trained and know what good looks like, and when it’s relevant cybersecurity becomes part of everyone’s job.’ Audra Simons - Forcepoint

For Audra Simons, cyber hygiene is as important and as critical to success as the financial health of your business. She urges boards to consider cybersecurity in the context of risk and manage its provision in this framework.

When you consider that cyber security risk reaches beyond the contracted party, out and deep into the supply chain, the costs associated with breaches can be considerable.



Business interruption: Take your best trading day’s revenues and add £50k for costs (expected frequency: 1 in 2 year event)

Business interruption: 4 x largest consecutive trading days revenues + £200k costs (expected frequency: 1 in 5 years)

Customer data loss: Number of unique customer records x £10

Customer data loss: For breaches larger than 1m records x c.£2.50 per record conservatively


*Example from Lockton who provide cyber risk insurance.

Audra comments ‘In the future there will be nowhere to hide from dirty cyber hygiene practices. As the true value of the data companies hold becomes better understood, so too will that data’s value as an asset to the business, even being reported as part of an annual report or audit. Businesses naturally want to protect their assets/money - why should data be any different?’

Breaches are unfortunately inevitable. The skills and investment required to launch an attack today are minimal, so there is a relatively low barrier to entry into this criminal activity.

Firms need to be ready with a full, cross-company plan for recovery that also reaches across their supply chain network. While it is perhaps unrealistic to expect every partner in the network to apply the same controls, they should be appropriate to the supplier’s status and value.

One element that can be applied universally across the supply chain network is the acknowledgement that cybersecurity and preparedness are risk management activities and should be handled as such.

‘Have the risk conversation with suppliers,’ says Audra, ‘and identify the potential impact of those risks on your company and your customers, but take a tiered approach, not all suppliers are created equally.

‘Put relevant controls in place based on the potential impact of a breach and put it into the contract, including ensuring the obligation to notify when a breach has occurred.’ Audra continues. ‘Cybersecurity risk identification, especially in relation to supply chain, is in its infancy in terms of being seen as a real business risk.’


The regulator landscape is surprisingly rich, with different groups vying for attention. Often though, it is left to the risk function to navigate this environment and to make value judgements as to where to prioritise activity. The risk community can also operate at some distance from the ‘front-line’ operations meaning that tactical decisions are often implemented due to the time lag from the risk centre outwards. Businesses need to determine whether the elements being implemented around assurance are adding value or just ticking boxes.

‘There is a need for us to work collaboratively with our clients and the regulator to become more resilient across the piece,’ says Michelle Griffey, Chief Risk Officer for Communisis.

‘Suppliers are being inundated with requests for documents, checks, questionnaires and audits in support of regulatory compliance, all of which require a different slant to meet the specific needs of individual clients and their interpretations of the regulations.

‘This adds complexity and cost but little real value. Efficiencies must be possible using standard processes that are acceptable across multiple clients.’

At heart, of course, all regulatory activity is intended to keep customers safe, which should be a priority for all businesses. This fact can sometimes be missed in the inevitable ‘box-ticking’ exercise that circulates the regulation.

It was certainly never intended for compliance with different regulatory requirements to prevent business growth. Nevertheless, significant time and effort is often spent in navigating these requirements and priorities.

Challenge sometimes arises in the operational environment which can be distant from regulatory bodies and compliance functions and where poor information sharing can result in tactical decisions made at the last minute.

Michelle comments ‘Cyber is a great example of an area where we as an industry – the regulator, clients and our suppliers, should be focusing. It’s not a competitive field and as such we should combine forces to combat this threat.’



We asked Sue Maclure, the Head of Data for Communisis, to comment on GDPR a year on from its inception, which has seen a number of significant pieces of regulator activity including some hefty fines.

Sue described the importance of common-sense in the interpretation of the GDPR codes. What she calls the ‘Would it feel OK for your gran?’ test.

Sue comments, ‘There’s a layer of pragmatism that is sometimes missing from the interpretations that have emerged around GDPR and the use of data. While it’s important to keep a copy of the statutory codes close, particularly around direct marketing and data-sharing, be pragmatic. Don’t over-think it. If it feels OK, it probably is. If you wouldn’t send whatever it is to your Gran, or use your Gran’s data in this way, it’s probably – no definitely – not OK, so don’t do it…’

It’s also really important to avoid the temptation to overburden customers with regulatory information and detail intended to increase transparency. In fact, what happens too often is that the burden of the management of this information effectively defaults to the customer themselves, who must then navigate multiple consents with various implications for their privacy and in some cases, customer experience.

Sue proposes that brands start simply, layering consent as the interaction deepens.

‘Be honest but do it in bite-sized chunks. Transparency doesn’t mean drowning in detail, but it does mean giving customers good choices. And if you want somewhere reliable to start, start with good accessibility practices.’

Looking out at where the regulator’s attention is likely to rest next, we see an emerging focus on a number of areas including cybersecurity, AI, Machine Learning (ML) and data broking.

e-Privacy is also likely to attract significant focus, including web and cross-device tracking for marketing purposes, children’s online privacy and the use of surveillance and facial recognition technology. This focus is closely aligned to concerns around the inappropriate use of personal information in political campaigns and the need for companies to be able to comply quickly and cost-effectively with freedom of information or subject access requests.

Despite the level of attention on the industry, the ability for brands to use data to improve the lives and experiences of customers is still significant and arguably with the increasingly sophisticated use of this data comes the opportunity to deliver increasingly personalised, relevant and engaging experiences for customers. As an industry we just need to remember Sue’s ‘Would it feel OK for your Gran?’ test.


