top of page
  • Writer's pictureAugnet Team

Are Your SMS Communications GDPR Compliant? Here’s Why It May Not Be

Updated: May 15

Whether you run a local business or global conglomerate, non-compliance poses certain risks: fines, legal action and a damaged reputation. You already knew that. But did you know that your SMS messaging could be non-compliant, putting your reputation on the line?

Today, it's believed that up to 20% of all SMS are sent via non-GDPR routes, which affects even the biggest SMS providers, including Twilio. The Electronic Delivery Receipt (EDR) has no way of verifying SMS quality or GDPR compliance, which means your business could be unknowingly exposed to data breaches.

Why are you kept in the dark about these non-compliant routes? Because there’s a lack of data governance. The delivery receipt is often manipulated by ‘bad actors’ in the SMS supply chain, feeding you false information about the level of compliance of your messages.

Essentially, you’re unaware your messages were sent via non-GDPR routes in the first place. This bad practice is not only tricking the sender, but all the suppliers in between. Once a record is faked, the supply chain is left unaware.

Below, we’ll explain why this happens and how to remain compliant going forward.

What are the risks of non-compliance?

For most UK businesses, GDPR-compliance is the main concern when it comes to data protection. But there are many other data compliance laws to consider. International businesses, or UK brands trading abroad, will need to abide by other specific data protection laws, such as CCPA (California), LGPD (Brazil) or POPIA (South Africa).

No matter where you send your SMS, the risks of non-compliance are the same:

  • Fines and penalties – In Europe, the maximum penalties for non-GDPR practice are 4% of worldwide revenue or 20 million euros – whichever is greater.

  • Damaged reputation – Customers will lose trust in your business, which could be particularly damaging for startups and SMEs looking to establish a brand image.

  • Legal action – Lawsuits can drain your resources, especially if you don’t have the right legal expertise.

These are worst-case scenarios. Smaller GDPR offences incur fines of 10 million euros, or 2% of the company’s global turnover, which, in truth, are still eye-watering figures. To put your mind at ease, it’s worth noting that the Information Commissioner’s Office (ICO) always considers mitigating factors, such as the severity of the breach and your overall efforts to comply with GDPR.

However, even if your business avoids hefty fines, your reputation remains on the line. Customers will still lose trust in your brand if they find out their privacy has been violated or their data shared with online fraudsters, whether your business has done so knowingly or not.

But how does this happen in the first place?

Why are non-compliant SMS routes being used?

Ask yourself – what do you really know about the reliability and quality of your SMS messages? The truth is, you know little. That’s because your providers don’t know, either – they can’t track SMS quality in real-time, or guarantee that GDPR-compliant routes are being used. Connectivity is done on a “reasonable endeavour basis” and with no SLA’s in place. This is due to a lack of governance, including the inability to spot non-compliant practices, such as SIM Farm usage, which can be blended in the a supply chain further downstream.

Lack of data governance

SMS providers like Twilio and MessageBird simply can’t identify unlicensed routes in real-time, and therefore cannot guarantee GDPR compliance. Indeed, with any provider, your customers’ data could be shared or accessed unlawfully while passed through the SMS supply chain – without you even knowing. This is made worse by the fact that SMS data is currently unencrypted.

This lack of data governance means the current SMS industry is unfit for today’s data compliance requirements, posing risks to your perfectly legitimate business. Augnet is bridging this governance gap, which we’ll explain in more detail below.

The use of SIM Farms

A percentage of SMS traffic is blended with SIM Farm routes, resulting in a higher volume of non-compliant SMS routes permeating the industry. SIM Farms are large groups of SIM cards connected to computer servers, capable of sending messages in bulk to different mobile networks.

In some cases, bad actors sell SMS services that use those SIM Farms, and the industry is unable to easily detect these non-compliant tactics. Not only do SIM Farms violate the mobile network’s fair usage agreements, prohibiting bulk messages from one SIM card, but they also breach data protection laws. This is because SIM Farmers usually sell SMS data, which isn’t encrypted, to online fraudsters.

Because SIM Farms are unlicensed and often send spam messages, they’re usually under investigation and raided by the ICO. Whether knowingly or not, your business could be using SIM Farm routes, which means, by association, you could find yourself caught up in an investigation or a costly lawsuit.

How can your business remain compliant?

Most SMS providers can’t guarantee GDPR-compliant routes, exposing your business to certain risks. To remain compliant, your business needs the data governance and compliance that’s fit for today’s security requirements, which is where Augnet can help.

Augnet bridges the governance gap. It’s the only company offering a proprietary service for real-time identification of sub-standard or non-compliant routes, ensuring your business uses GDPR-compliant routes every time. That means you don’t have to worry about fraternising with unlicensed SIM Farms, or bad actors putting your business at risk by selling your customers’ data to online fraudsters.


Even the most popular SMS providers, such as Twilio or MessageBird, are unable to guarantee GDPR-compliant routes. These SMS providers base their customer contracts on a ‘reasonable endeavour’ basis, meaning that all reasonable paths will be exhausted, but they’re unlikely to sacrifice their own commercial interests.

This means your business could be, whether knowingly or not, breaching the data privacy of your customers, leading to fines, lawsuits and damaged trust.

Thankfully, there’s an easy and cost-effective solution: Augnet. The best way to ensure your business remains compliant is by using quality-assured SMS routes, which is something only Augnet is currently offering. Read more about our SMS Aware algorithm and learn how Augnet can keep your business compliant and your customers happy.


bottom of page