GDPR: Who’s Responsible in the Client-Agency Relationship?

Written by Rich Madigan
1st August 2017


On May 25th, 2018, the GDPR (General Data Protection Regulation) will come into effect. Depending on your viewpoint, this will either see the digital landscape overshadowed by the EU-branded Death Star or it will represent a brave new world. Either way, it will radically change the way organisations handle and store personal data.

There are hundreds of articles, posts and opinion pieces swirling around the web, from scaremongering through to helpful bitesize guides. Sifting through all of this information, you can piece together the sheer scope of work involved in achieving GDPR compliance both internally (with regards to your employees and prospective employees) and externally (with your customers and prospective customers). With that in mind, we’ll be publishing a monthly series of GDPR flavoured posts that will explore the practicalities of the GDPR within the client-agency relationship.

With the GDPR coming into force in just over nine months, the likelihood is that you will have a mountain of tasks to undertake. The new regulation touches many aspects of your business and, while the digital agency only interfaces with a small part of that, it still has a key part to play.

In the first of our series, I’m going to explore the three key roles within the GDPR – the Data Controller, the Data Protection Officer and the Data Processor.

The Data Controller

In a nutshell, the Data Controller states how and why data is processed.

Within the MMT-verse, the view is clear. Data Controllers are our clients and this is typically the case across the board for companies. If you’re capturing user data for sales or marketing purposes, the chances are that you are the Data Controller.

The Data Controller is typically an organisation but there are cases where an individual is the Data Controller, e.g. self-employed, freelance consultants and contractors.

Under the old law, the buck stopped with the Data Controller. This put the burden of responsibility solely on the Data Controller. The GDPR mixes this up and responsibilities are now shared between Data Controllers and Data Processors. However, it is fair to say that the Data Controller is still the key figure. They are responsible for ensuring compliance across the business, communications with supervising authorities, handling user requests (right to be forgotten, right to portability, etc.) and working with their Data Processors to establish reasonable processes to support compliance.

The Data Protection Officer

The Data Protection Officer is a mandatory role that has been introduced as part of the GDPR. The Data Protection Officer is a company’s expert on the GDPR and is responsible for educating on compliance, monitoring compliance and being the point of contact for the supervising authority (e.g. the Information Commissioner’s Office). You can find more information on the ins and outs of the role here.

For all the Data Controllers out there, a Data Protection Officer is a required role. Early drafts of the law stated it was only mandatory for companies with over 250 employees, but this restriction no longer necessarily applies.

The role and responsibilities of the Data Protection Officer are not to be underestimated. Based on the sheer scope of the GDPR, whoever is appointed to this role will have their hands full and should be dedicated to this role.

As you scour through the droves of articles, you will see many parties calling for a Data Protection Officer to be appointed within each Data Processor (for each client of the Data Processor) and this is actually referenced in the articles of the GDPR. The Data Processor is likely to have their own DPO for their own compliance as a business but, when it comes to clients, this should be treated case-by-case to understand exactly what level of contact he/she has with the user data.

The Data Processor

The Data Processor processes the data on behalf of the Data Controller.

So, if we take MMT Digital, we would be the Data Processor for our clients. However, this responsibility could also lie with our client’s hosting provider or any SaaS vendors they use (e.g. Salesforce). The caveat here is that this only applies when the party in question has access to the user data.

The first step is to work out if your digital agency is a Data Processor. You need to understand what contact they have with your user data (if any). You’ll need to do this as part of your own data mapping exercises anyway, so why not kill two birds with one stone?

If they don’t have access, it isn’t necessarily the end of the road. While your digital agency may not shoulder the responsibilities of the Data Processor, you can still call upon their expertise to understand how and where data is stored to help you in your own data mapping plans.

However, if you have established that your agency is a Data Processor, you need to:

  • work with your agency to put together contracts or SLAs to define how they can interact with the data (Data Processing Agreements). The Data Protection Officer is key to this as they can interpret the law and help get these in place.
  • establish whether there are “sub”-Data Processors involved, understand what they have access to, why they have access and then remove that access or get agreements in place. Again, the Data Protection Officer is key.
  • establish written instructions and guidelines on how personal data can be processed by the Data Processor.
  • put in place an audit framework to contain records of data processing activities. The Data Processor should have input as they will understand the technology but the Data Protection Officer can take the lead as they understand the exact requirements.
  • set up communication channels for supervising authorities.
  • establish processes for breaches, right to be forgotten, etc. (more on this in a later blog post in our series!)
  • establish whether a Data Protection Officer is required in the Data Processor.
  • understand requirements around cross-border transfers.

Start the Conversation

All of this is merely the tip of the iceberg as we’ll highlight through our series of GDPR posts. With the new regulation coming into effect in about nine months’ time, there is no time to waste so starting the conversation now is vital. Getting the foundations in place is time-consuming but giving yourself plenty of time should set you firmly on the road to compliance.

Join us next month for the second in our series where we will take a look at data under the GDPR.

In addition, we’ll be hosting a webinar on September 27th exploring all of the topics covered in our series of posts. You can register here.