GDPR and The Digital Marketing Agency
This Month: The Digital Marketing Agency…
Welcome to the third article in our series of professionally-themed insights for 2019.
Each written with a specific profession or role in mind, they’re packed full of helpful ponderables, tips and advice to make the GDPR work for you in your everyday 9-5.
This month, we’re covering the need-to-knows, good-to-knows and no-nos (!) for all you Digital Marketing Agencies out there.
We hope it makes your GDPR life that little bit easier.
Dear Digital Marketing Agency…
Spring’s here at last!
A time for fresh starts and renewed perspectives – especially when it comes to the GDPR and the added data protection responsibility that your clients inadvertently heap upon you.
It’s almost as if designing/writing/hosting a client’s website, devising and implementing their marketing strategy, and building and managing their customer database isn’t enough to keep you busy!
The good news is that it doesn’t have to be like that and, whilst the GDPR still applies to what you do, there’s no need to become swamped with their data protection responsibilities.
So, here’s some basic guidance and gentle reminders on how best to manage your GDPR role with clients…
GDPR Tips for The Digital Marketing Agency
Often, your role providing digital marketing services means that you’re acting as a data processor for your clients – which makes them the data controller.
In other words, they need to be the ones driving core GDPR compliance.
Yet, even if you’re on top of your own data protection responsibilities as a service provider, you may still need to educate your clients (or even push back on them) regarding where their GDPR input begins and yours ends.
Here are some things to consider:
Know whose responsibility is whose.
Your data processor-data controller relationship is a collaborative one so it’s useful to recognise exactly what your GDPR responsibilities are as a data processor. Once you’re clear on those, it’ll be much easier to remind your client of their responsibilities as the data controller – and, ultimately, ensure that they’re not inappropriately passing the buck to you.
Do you know what’s expected of you and where to draw the line?
Proper data mapping is essential
How robust is your client’s approach to data protection and compliance? Comprehensive data mapping on their part not only reflects a good attitude and commitment to best practice, it also ensures that they’re on top of everything: they can justify exactly why they do it, how they do it and where they do it – even to the extent of others’ involvement. Just as importantly, it means that you’re not left to fill the gaps.
How invested are your clients in good GDPR practice?
Minimise potential risks by doing some homework
With the GDPR, there’s no such thing as being over-prepared. A Data Protection Impact Assessment (DPIA) helps take the level of planning up a notch so that you can prepare for the unexpected. It’s particularly valuable if you’re building databases: it helps you to rationalise what’s being collected and why, and how best to handle the inherent data breach risks that come with the territory.
How well have you mitigated against potential risks?
If your client is unsure, there are templates available that can be used as a guide but, if used, they still need to reflect the reality of what the client does; otherwise there’ll be a mismatch and the policy will be meaningless.
How well do your clients’ privacy policies do exactly what they promise?
Clarity and transparency are everything
Handling people’s personal and sensitive data is both a huge privilege and responsibility. That’s why data controllers and processors should be nothing less than 100% transparent in what they do with it.
Clear communication between you and your client, and openly stating how online visits are tracked, what then happens to the data and even whether it’s outsourced, are all examples of good practice. Compare that with a recent incident in which Google was fined £44m for a “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”. The regulator judged that people weren’t sufficiently informed of how Google collected their data to personalise advertising.
Are there any fuzzy areas that need refining?
- Know what’s expected of you as a data processor (and of your client as a data controller).
- Engage in open dialogue with your client regarding your individual GDPR responsibilities.
- Be proactive and collaborative in how you and your clients go about safeguarding people’s data.
- Proper data mapping and DPIAs will help you stay on top of the data you control and process.
- The best GDPR practice is one that’s crystal clear and lets everyone know where they stand.
And whatever you do, please…
- Don’t dismiss GDPR or fail to find time to take it seriously.
- Don’t be coerced into undertaking your client’s responsibilities.
- Don’t put off asking for help if you need it.
Help and support is only a quick email away
If you’re well on top of your GDPR roles and responsibilities, respect!
However, if you’re not quite there yet, still a little murky in places or need advice around privacy policies or privacy impact assessments, then get in touch. It’s what we’re here for (and what we live for – sad, possibly, but true).
In the meantime, we’re about to start our own spring-clean. Here’s hoping it’ll be better than last time…
Next month in GDPR and The Professional: The Accountant…