GDPR: Who’s Responsible for Data in the Client-Agency Relationship?

By Rich Madigan
August 22nd 2017

4 minute read

Welcome to the second in our series of GDPR posts exploring the practicalities of the new EU regulation in the client-agency relationship. You can view our previous post here.

This time round I’ll be taking a look at data. Data is at the heart of the GDPR and there are clear definitions around what constitutes identifiable data that have been updated for the modern age. Data can be drawn from any part of the business - from your website and CRM through to the contacts in individual email accounts and company phones. There’s data everywhere and all of it needs to be taken into consideration.

What is identifiable data?

Under the GDPR, there are three particular sets of identifiable data – personal data, sensitive personal data and data relating to criminal offences.

Personal data is the most common of the two and the one that most Data Controllers and Data Processors are going to come into contact with. It is any information that enables you to identify a person – name, address, email address, unique identification numbers, location data, physical characteristics, genetic characteristics, biometric characteristics, etc. Some allow you to identify an individual on their own while others need to be used in tandem with other elements to identify an individual.

Sensitive personal data takes it one step further and brings racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs, memberships, sexual orientation, health data and sex life data into the picture. The difference between this and personal data is that there are additional protections and restrictions around this data.

With data relating to criminal offences, the GDPR hasn’t changed how this data should be handled and it can only be processed by national authorities.

The notable absence here is anonymous and pseudonymous data. Neither can be used to identify an individual so there’s nothing to consider here.

You can find out more about the specifics from the Information Commissioner’s Office (ICO).

How can your digital agency help?

In order to get ready for the GDPR, the likelihood is that your Data Protection Officer is mapping out your data sets. Like most businesses, you’ll have multiple systems with data in various formats and states.

Your digital agency will only have access to a small part of this jigsaw – typically the systems they have access to as part of the projects they work on with you. They can’t advise you on your entire data mapping strategy but they can help to support your Data Protection Officer in putting this together.

If we take a typical project, you are likely to be considering the following systems:
  • Website or application – this could be bespoke or could be driven by a CMS or e-commerce platform
  • CRM system – e.g. Salesforce, Microsoft Dynamics
  • Marketing Application – e.g. Kentico EMS, Marketo, Acquia Lift, Hubspot, Pardot
  • E-mail Marketing – e.g. DotMailer, Campaign Monitor
  • Google Analytics

This isn’t an exhaustive list and every project is different but you get the picture.
Most of those in the list are fairly common but there are a couple that you may not necessarily consider on first thought.

The first is your website or application. At this stage, we’re removing any in-built marketing suites (e.g. Kentico EMS). Websites and applications on their own can still be liable – think contact/feedback forms, gated downloads and newsletter subscriptions. That’s a small selection of possible web parts but each one is capturing pieces of identifiable data.

The second is Google Analytics. There is a caveat here though. Really this only falls into the list if you are enabling the demographic-specific features within Google Analytics that capture specific, identifiable data.

Your digital agency will understand what data is being captured, where it is being stored and transferred. While it can’t take the lead on your data mapping, it can be a valuable tool in getting the right level of detail. Work in collaboration with your agency to understand what data you have in each system they interact with, where the data is, how it is stored and the security of that data.

What’s next?

Hopefully that has given you some insight into data under the GDPR. We’re going to continue with our GDPR series next month and delve into the realm of data security and data breach notifications.

We'll be hosting a GDPR webinar on September 27th exploring all of the topics covered in our series of posts. You can register here