GDPR: Who’s Responsible for Data in the Client-Agency Relationship?

GDPR: Who’s Responsible for Data in the Client-Agency Relationship?

Jan 8, 2018
GDPR: Who’s Responsible for Data in the Client-Agency Relationship?

Welcome to the next part in our series of GDPR posts exploring the practicalities of the new EU regulation in the client-agency relationship. You can view previous posts here.

This time round, I’ll be taking a look at data. Data is at the heart of the GDPR and there are clear definitions around what constitutes identifiable data that have been updated for the modern age. Data can be drawn from any part of the business—from your website and CRM through to the contacts in individual email accounts and company phones. There’s data everywhere, and all of it needs to be taken into consideration.

What Is Identifiable Data?

Under the GDPR, there are three particular sets of identifiable data—personal data, sensitive personal data, and data relating to criminal offences.

Personal data is the more common of the two, and the one that most Data Controllers and Data Processors are going to come into contact with. It is any information that enables you to identify a person—name, address, email address, unique identification numbers, location data, physical characteristics, genetic characteristics, biometric characteristics, etc. Some allow you to identify an individual on their own while others need to be used in tandem with other elements to identify an individual.

Sensitive personal data takes it one step further and brings racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs, memberships, sexual orientation, health data, and sex life data into the picture. The difference between this and personal data is that there are additional protections and restrictions around this data.

With data relating to criminal offences, the GDPR hasn’t changed how this data should be handled, and it can only be processed by national authorities.

The notable absence here is anonymous and pseudonymous data. Neither can be used to identify an individual so there’s nothing to consider here.

You can find out more about the specifics from the Information Commissioner’s Office (ICO).

How Can Your Digital Agency Help?

In order to keep on top of the GDPR, the likelihood is that your Data Protection Officer already mapped out your data sets. Like most businesses, you’ll have multiple systems with data in various formats and states.

Your digital agency will only have access to a small part of this jigsaw—typically, the systems they have access to as part of the projects they work on with you. They can’t advise you on your entire data mapping strategy but they can help to support your Data Protection Officer in keeping this current.

If we take a typical project, you likely have to consider the following systems:

  • Website or application – this could be bespoke or could be driven by a CMS or e-commerce platform
  • CRM system – e.g., Salesforce, Microsoft Dynamics
  • Marketing Application – e.g., Kentico EMS, Marketo, Acquia Lift, Hubspot, Pardot
  • Email Marketing – e.g., DotMailer, Campaign Monitor
  • Google Analytics

This isn’t an exhaustive list, and every project is different, but you get the picture.
Most of those in the list are fairly common but there are a couple that you may not necessarily consider on first thought.

The first is your website or application. At this stage, we’re removing any in-built marketing suites (e.g., Kentico EMS). Websites and applications on their own could still be liable—think contact/feedback forms, gated downloads, and newsletter subscriptions. That’s a small selection of possible components, but each one is capturing pieces of identifiable data.

The second is Google Analytics. There is a caveat here, though. Really, this only falls into the list if you are enabling the demographic-specific features within Google Analytics that capture specific, identifiable data.

Your digital agency will understand what data is being captured, where it is being stored and transferred. While it can’t take the lead on your data mapping, it can be a valuable tool in getting the right level of detail. Work in collaboration with your agency to understand what data you have in each system they interact with, where the data is, how it is stored, and the security of that data.

This is an update to the article originally published on January 23, 2018.

Now that GDPR is well and truly here, how confident are you that you made a success of being fully compliant? How clearly did you define your data? Did you communicate to the relevant roles within your company/agency, etc., exactly how GDPR touches them? Maybe there is still someone leading the valiant GDPR cause in your organization? Please tell us your opinions and give us your feedback in our comments section. We would love to get you involved in this still very hot topic and learn about your experiences.

The topic of GDPR is one that is dear to our hearts. Check out some of the critical points you should be addressing here.

DISCLAIMER: All data and information provided in this blog post are for informational purposes only. Kentico makes no representations as to the accuracy, completeness, currentness, suitability, or validity of any information contained herein. We recommend consulting with a lawyer for any legal advice pertaining to GDPR compliance.

More by this author

We're sorry, but your browser is currently not supported. Try using our website in other browsers like the new Microsoft Edge, Google Chrome, or Mozilla Firefox.
Should you have any query or want to report any issue, feel free to send us an email to