- Every automated email needs a documented lawful basis — consent, legitimate interests, or contract performance
- Consent is not always required; legitimate interests can cover many client communications
- Preference records must be stored, honoured, and producible under a DSAR
- HubSecure stores lawful basis per communication type and filters all automated sends accordingly
GDPR does not prohibit email automation. It requires that you know why you're legally entitled to send each type of email, that you respect when people don't want to receive them, and that you can prove both of these things if asked. Most firms don't have a problem with the sending — they have a problem with the documentation and the governance.
Let's be clear about something first: compliance with GDPR email rules is not about adding an unsubscribe link to the bottom of every email. That's a minimum requirement, not a compliance programme. Real GDPR compliance for email means having a documented lawful basis for each communication type before you send it.
Lawful basis for professional services emails
The three lawful bases that cover most professional services email communications:
| Communication type | Lawful basis | Notes |
|---|---|---|
| Matter updates and progress reports | Contract performance | You are contractually obliged to communicate. No separate consent needed. |
| Document requests | Contract performance | Required to fulfil the engagement. No consent needed. |
| Invoice and billing communications | Contract performance / legal obligation | No consent needed. |
| Post-matter check-ins (recent clients) | Legitimate interests | Recent clients, related service, client can reasonably expect contact. Document your LIA. |
| Cross-sell of related services | Legitimate interests (with conditions) | Must be a genuinely related service, must not override client interests, must offer easy opt-out. |
| Newsletter / industry updates | Consent or legitimate interests | Consent preferred; LI possible but requires careful assessment and clear opt-out. |
| Purely promotional communications | Consent required | You need explicit, recorded consent. No consent = don't send. |
How HubSecure manages this
Every email sequence in HubSecure is configured with a lawful basis. When you build an automation, you select the basis under which it sends — contract performance, legitimate interests, or consent. The system then filters the sequence based on each recipient's preference record:
- Contract performance emails go to all active clients regardless of marketing preferences — because they're legally required
- Legitimate interests sequences are suppressed for anyone who has exercised their right to object to that type of communication
- Consent-based sequences only send to contacts with active, recorded consent for that specific communication type
The preference record for each contact is stored in the CRM, timestamped, and producible under a DSAR. When a client asks "what communications do you send me and why?", the answer is a one-click report — not a scramble through three systems.
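The three filtering rules above, written out as a send-time gate, as an added illustration rather than HubSecure's own code. The data model is an assumption for the example: a sequence carries one lawful basis and one communication type; a contact's preference record holds per-type objections, per-type consent records with timestamps and optional withdrawal, and an append-only audit log that can be handed over under a DSAR. The report function answers "what do you send me and why?" for one contact.

```python
"""Send-time lawful-basis gate and DSAR report (added example, not HubSecure code).

Hypothetical model: Sequence = (name, communication type, lawful basis);
PreferenceRecord = per-type objections + per-type consents + audit log.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class Basis(Enum):
    CONTRACT = "contract_performance"
    LEGITIMATE_INTERESTS = "legitimate_interests"
    CONSENT = "consent"


@dataclass(frozen=True)
class Sequence:
    name: str
    comm_type: str  # e.g. "matter_update", "cross_sell", "newsletter"
    basis: Basis


@dataclass
class Consent:
    comm_type: str
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        # Consent counts only between the time it was given and the time it was withdrawn.
        return self.given_at <= now and (self.withdrawn_at is None or now < self.withdrawn_at)


@dataclass
class PreferenceRecord:
    contact_id: str
    active_client: bool
    objections: dict = field(default_factory=dict)  # comm_type -> datetime the objection was made
    consents: list = field(default_factory=list)
    audit: list = field(default_factory=list)       # timestamped preference changes, never edited

    def _log(self, at: datetime, event: str, comm_type: str) -> None:
        self.audit.append({"at": at.isoformat(), "event": event, "comm_type": comm_type})

    def give_consent(self, comm_type: str, at: datetime) -> None:
        self.consents.append(Consent(comm_type, at))
        self._log(at, "consent_given", comm_type)

    def withdraw_consent(self, comm_type: str, at: datetime) -> None:
        for c in self.consents:
            if c.comm_type == comm_type and c.active(at):
                c.withdrawn_at = at
        self._log(at, "consent_withdrawn", comm_type)

    def object_to(self, comm_type: str, at: datetime) -> None:
        # Granular: objecting to cross-sell does not silence post-matter check-ins.
        self.objections[comm_type] = at
        self._log(at, "objection", comm_type)


def should_send(seq: Sequence, pref: PreferenceRecord, now: datetime):
    """Return (decision, reason). The reason is what the DSAR report shows the client."""
    if seq.basis is Basis.CONTRACT:
        if pref.active_client:
            return True, "contract performance: required by the engagement, marketing preferences do not apply"
        return False, "contract performance basis but no active engagement with this contact"
    if seq.basis is Basis.LEGITIMATE_INTERESTS:
        objected = pref.objections.get(seq.comm_type)
        if objected is not None:
            return False, f"right to object exercised for {seq.comm_type} on {objected.isoformat()}"
        return True, f"legitimate interests: no objection on file for {seq.comm_type}"
    # Consent is per communication type: newsletter consent is not consent to promotions.
    for c in pref.consents:
        if c.comm_type == seq.comm_type and c.active(now):
            return True, f"consent for {seq.comm_type} recorded {c.given_at.isoformat()}"
    return False, f"no active consent for {seq.comm_type}"


def recipients(seq: Sequence, prefs: list, now: datetime) -> list:
    """The filtered send list for one sequence."""
    return [p.contact_id for p in prefs if should_send(seq, p, now)[0]]


def dsar_report(pref: PreferenceRecord, sequences: list, now: datetime) -> dict:
    """One-click answer to 'what communications do you send me and why?'."""
    rows = [
        {"sequence": s.name, "basis": s.basis.value, "sends": d, "reason": r}
        for s in sequences
        for d, r in [should_send(s, pref, now)]
    ]
    return {"contact_id": pref.contact_id, "communications": rows, "preference_history": list(pref.audit)}


if __name__ == "__main__":
    # Constructed sample contact: active client, consented to the newsletter, objected to cross-sell.
    t = lambda d: datetime(2024, 1, d, tzinfo=timezone.utc)
    client = PreferenceRecord("client-42", active_client=True)
    client.give_consent("newsletter", t(1))
    client.object_to("cross_sell", t(2))
    seqs = [
        Sequence("Matter update", "matter_update", Basis.CONTRACT),
        Sequence("Cross-sell", "cross_sell", Basis.LEGITIMATE_INTERESTS),
        Sequence("Post-matter check-in", "post_matter_checkin", Basis.LEGITIMATE_INTERESTS),
        Sequence("Newsletter", "newsletter", Basis.CONSENT),
        Sequence("Promotion", "promotion", Basis.CONSENT),
    ]
    print(json.dumps(dsar_report(client, seqs, t(10)), indent=2))
```

The gate is deliberately strict in two places the page calls out: a contract-performance sequence still only goes to contacts with an active engagement, and consent is matched on the exact communication type rather than on "has consented to something".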
The legitimate interests assessment you should do
For any email sequence you want to run under legitimate interests, you need a Legitimate Interests Assessment (LIA) on file. The three tests:
- Purpose test: Is there a legitimate interest? (Yes — staying in contact with clients to offer related services is a genuine commercial interest.)
- Necessity test: Is email the least intrusive way to achieve it? (For most follow-up sequences, yes — a direct call would be more intrusive, not less.)
- Balancing test: Do the client's interests or rights override yours? (Not if the communication is relevant, expected, and easy to stop.)
HubSecure includes LIA templates for the most common professional services use cases. You document the assessment once per sequence type; the system stores it and links it to every email sent under that basis.
The practical upside of doing this properly: When you document lawful basis per communication type, you usually discover that you are entitled to send more than you thought without consent. Many professional services firms have been under-communicating with clients because they assumed they needed consent for everything. Legitimate interests covers most post-matter and cross-sell communications for recent clients. You don't need a consent campaign. You need a documented LIA. One check before you rely on that: electronic direct marketing is also governed by the ePrivacy rules that sit alongside GDPR (PECR in the UK), which set their own conditions for marketing email, so a sequence that passes the LIA still has to meet those.
The opt-out that's actually required
For all legitimate interests communications, you must offer a genuine, easy right to object. In practice: a clear unsubscribe link, a preference centre where clients can opt out of specific types of communication (not just "all or nothing"), and a process that actually honours those preferences immediately. HubSecure's preference centre is built into the client portal — clients manage their own preferences, the records update in real time.
We have contacts in our CRM who we've never emailed under GDPR rules. What do we do?
It depends on when the contact was added and what basis you had to hold their data. For recent contacts where you have a clear legitimate basis (clients, recent enquiries, professional referral partners), you can communicate under legitimate interests with a proper LIA. For old dormant contacts with no clear basis, you may need to either re-permission them or delete them. HubSecure can segment your contact list by "last activity" and "data basis" to help you make these decisions.
Does HubSecure send emails from our own domain?
Yes — Secure Mail is designed to connect to your domain and send CRM sequences from your firm's email identity with proper SPF/DKIM authentication, so recipients see your address rather than a third-party sending domain. Before go-live, confirm the SPF record for the sending domain actually includes the service's hosts, that the DKIM selector it signs with is published, and that a DMARC policy is published for the domain: DMARC is what tells receivers what to do when SPF or DKIM fails.
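As an added check, not code from HubSecure or from this page: a small Python script that sanity-checks the SPF, DKIM and DMARC TXT records published for a sending domain. The record strings are constructed samples (in practice you paste what `dig +short TXT example.com`, `dig +short TXT <selector>._domainkey.example.com` and `dig +short TXT _dmarc.example.com` return for your own domain); the only external facts it relies on are the RFC 7208 ten-lookup limit and the RFC 8301 recommendation of 2048-bit signing keys. The key in the sample DKIM record is placeholder bytes of the right length, not a real key.

```python
"""Shape checks for SPF, DKIM and DMARC TXT records (added example, not HubSecure code).

Sample records are constructed for the example; replace them with the records
published for your own domain.
"""
import base64
import binascii

SPF_LOOKUP_LIMIT = 10     # RFC 7208 s.4.6.4: more than 10 DNS-lookup terms is a permerror
RSA_2048_SPKI_LEN = 294   # DER SubjectPublicKeyInfo length of an RSA-2048 public key


def check_spf(record: str) -> list:
    """Return a list of problems with an SPF record (empty list = looks sane)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    problems, lookups, terminal = [], 0, None
    for term in terms[1:]:
        t = term.lower()
        qualifier, body = (t[0], t[1:]) if t[0] in "+-~?" else ("+", t)
        if body.startswith("redirect="):
            lookups += 1
            terminal = "redirect"
            continue
        mech = body.split(":", 1)[0].split("/", 1)[0]
        if mech in ("include", "a", "mx", "ptr", "exists"):
            lookups += 1
        if mech == "ptr":
            problems.append("ptr mechanism is deprecated and slow; remove it")
        if mech == "all":
            terminal = qualifier + "all"
    if lookups > SPF_LOOKUP_LIMIT:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of {SPF_LOOKUP_LIMIT}; receivers return permerror")
    if terminal is None:
        problems.append("no terminal 'all' mechanism or redirect=; unlisted senders get a neutral result")
    elif terminal == "+all":
        problems.append("+all authorises every host on the internet to send as this domain")
    elif terminal == "?all":
        problems.append("?all is neutral; use ~all or -all")
    return problems


def _tags(record: str) -> dict:
    """Parse 'k=v; k=v' tag lists used by DKIM and DMARC records."""
    return {k.strip(): v.strip() for k, v in (p.split("=", 1) for p in record.split(";") if "=" in p)}


def check_dkim(record: str) -> list:
    """Return problems with a DKIM selector TXT record."""
    tags, problems = _tags(record), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= tag, when present, must be DKIM1")
    if "p" not in tags:
        problems.append("missing p= tag (public key)")
    elif tags["p"] == "":
        problems.append("empty p= means the key is revoked; signatures with this selector will fail")
    elif tags.get("k", "rsa") == "rsa":
        try:
            spki = base64.b64decode("".join(tags["p"].split()), validate=True)  # long records are split into chunks
        except binascii.Error:
            problems.append("p= is not valid base64")
        else:
            if len(spki) < RSA_2048_SPKI_LEN:
                problems.append("RSA key shorter than 2048 bits; RFC 8301 recommends at least 2048-bit signing keys")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y testing flag set; verifiers may treat signatures as unsigned mail")
    return problems


def check_dmarc(record: str) -> list:
    """Return problems with a _dmarc TXT record."""
    tags = _tags(record)
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1"]
    problems = []
    policy = tags.get("p")
    if policy is None:
        problems.append("missing p= policy tag")
    elif policy == "none":
        problems.append("p=none only monitors; mail failing SPF and DKIM is still delivered")
    if "rua" not in tags:
        problems.append("no rua= address; you will receive no aggregate reports")
    return problems


# Constructed samples; the DKIM keys are zero bytes of the right DER length, not real keys.
SAMPLES = {
    "spf_ok": "v=spf1 include:_spf.mailer.example mx -all",
    "spf_bad": "v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " +all",
    "dkim_ok": "v=DKIM1; k=rsa; p=" + base64.b64encode(bytes(RSA_2048_SPKI_LEN)).decode(),
    "dkim_weak": "v=DKIM1; k=rsa; t=y; p=" + base64.b64encode(bytes(162)).decode(),
    "dmarc_ok": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.test",
    "dmarc_monitor_only": "v=DMARC1; p=none",
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        fn = {"spf": check_spf, "dki": check_dkim, "dma": check_dmarc}[name[:3]]
        print(name, fn(rec) or "ok")
```

Run it against your real records once the sending service is connected; an empty list from all three checks is the minimum before the first sequence goes out.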
See the GDPR-compliant automation builder
We'll walk through building a post-matter check-in sequence — lawful basis configuration, preference filtering, LIA documentation, and the preference centre your clients use to manage their preferences.
Official sources and further reading
Use these public sources to verify regulatory background and terminology. HubSecure content is product guidance, not legal advice.
Credibility notes
This guide is written for product and operations evaluation, not as legal advice. For compliance obligations, confirm requirements with qualified counsel or the relevant regulator.
Reviewed for regulated teams
Prepared by the HubSecure editorial team for operators, compliance leaders and IT reviewers evaluating secure client operations software.