On May 25th, 2018, the GDPR (General Data Protection Regulation) will come into effect. Depending on your viewpoint, this will either see the digital landscape overshadowed by the EU-branded Death Star or it will represent a brave new world. Either way, the landscape as we know it will radically change the way organizations handle and store personal data.
There are hundreds of articles, posts, and opinion pieces swirling around the web, from scaremongering through to helpful bite-sized guides. Sifting through all of this information, you can piece together the sheer scope of work involved in achieving GDPR compliance both internally (with regards to your employees and prospective employees) and externally (with your customers and prospective customers). With that in mind, we’ll be publishing a monthly series of GDPR-flavored posts that will explore the practicalities of the GDPR within the client-agency relationship.
With the GDPR coming into force in just over nine months, the likelihood is that you will have a mountain of tasks to undertake. The new regulation touches many aspects of your business and, while the digital agency only interfaces with a small part of that, it still has a key part to play.
In the first of our series, I’m going to explore the three key roles within the GDPR—the Data Controller, the Data Protection Officer, and the Data Processor.
The Data Controller
In a nutshell, the Data Controller states how and why data is processed.
Within the MMT-verse, the view is clear. Data Controllers are our clients, and this is typically the case across the board for companies. If you’re capturing user data for sales or marketing purposes, the chances are that you are the Data Controller.
The Data Controller is typically an organization, but there are cases where an individual is the Data Controller, e.g., self-employed, freelance consultants, and contractors.
Under the old law, the buck stopped with the Data Controller. This put the burden of responsibility solely on the Data Controller. The GDPR mixes this up, and responsibilities are now shared between Data Controllers and Data Processors. However, it is fair to say that the Data Controller is still the key figure. They are responsible for ensuring compliance across the business, communications with supervising authorities, handling user requests (right to be forgotten, right to portability, etc.) and working with their Data Processors to establish reasonable processes to support compliance.
The Data Protection Officer
The Data Protection Officer is a mandatory role that has been introduced as part of the GDPR. The Data Protection Officer is a company’s expert on the GDPR and is responsible for educating on compliance, monitoring compliance, and being the point of contact for the supervising authority (e.g., the Information Commissioner’s Office). You can find more information on the ins and outs of the role here.
For many of the Data Controllers out there, a Data Protection Officer is a required role. There are specific guidelines in place for when you must appoint a data protection officer, which you can find on the ICO website.
The role and responsibilities of the Data Protection Officer are not to be underestimated. Based on the sheer scope of the GDPR, whoever is appointed to this role will have their hands full and should be dedicated to this role.
If you have not appointed a Data Protection Officer, then you must have staff within the business that fully understand the GDPR and your obligations—to the same standard as would be expected from a Data Protection Officer.
As you scour through the droves of articles, you will see many parties calling for a Data Protection Officer to be appointed within each Data Processor (for each client of the Data Processor), and this is actually referenced in the articles of the GDPR. The Data Processor is likely to have their own DPO for their own compliance as a business but, when it comes to clients, this should be treated case-by-case to understand exactly what level of contact he/she has with the user data.
The Data Processor
The Data Processor processes the data on behalf of the Data Controller.
So, if we take MMT Digital, we would be the Data Processor for our clients. However, this responsibility could also lie with our client’s hosting provider or any SaaS vendors they use (e.g., Salesforce). However, the caveat here is that this only applies when the party in question has access to the user data.
The first step is to work out if your digital agency is a Data Processor. You need to understand what contact they have with your user data (if any). You’ll need to do it as part of your own data mapping exercises, so why not kill two birds with one stone?
If they don’t have access, it isn’t necessarily the end of the road. While your digital agency may not shoulder the responsibilities of the Data Processor, you can still call upon their expertise to understand how and where data is stored to help you in your own data mapping plans.
However, if you have established that your agency is a Data Processor, you need to:
- work with your agency to put together contracts or SLAs to define how they can interact with the data (Data Processing Agreements).
- establish whether there are “sub”-Data Processors involved, understand what they have access to, why they have access, and then remove that access or get agreements in place.
- establish written instructions and guidelines on how personal data can be processed by the Data Processor.
- put in place an audit framework to contain records of data processing activities. The Data Processor should have input as they will understand the technology but the Data Protection Officer can take the lead as they understand the exact requirements.
- set up communication channels for supervising authorities.
- establish processes for breaches, right to be forgotten, etc. (more on this in a later blog post in our series!)
- establish whether a Data Protection Officer is required in the Data Processor.
- understand the requirements around cross-border transfers.
Start the Conversation
All of this is merely the tip of the iceberg as we’ll highlight through our series of GDPR posts. With the new regulation coming into effect in about nine months’ time, there is no time to waste so starting the conversation now is vital. Getting the foundations in place is time-consuming but giving yourself plenty of time should set you firmly on the road to compliance.
Keep an eye out for the second blog in our series where we take a look at data under the GDPR.
How has your company started preparing for GDPR compliance? Maybe there are some issues raised in this article that you have already looked at implementing. What were your experiences? Any opinions or comments connected with this blog post are very welcome, I would love to read them. Please share them below.
As a Certified Kentico Marketer, Rich regularly shares his knowledge, experience and advice on Kentico EMS via the MMT Digital blog and quarterly webinars to help clients not only get better returns on investment from the EMS but also formulate digital marketing practices and strategies that deliver real value to customers. He liaises directly with Kentico on a regular basis to trial new software releases, contributing feedback and helping to shape the development of the product. More recently, Rich has been heavily involved in advising the agency’s Kentico clients on GDPR compliance.
STOP PRESS: To help you even further, Kentico has organized a free event in London on September 26, 2017 called “Get Your Business GDPR Ready”. Featuring Digital Clarity Group’s co-founder and principal analyst Tim Walters, the event focuses on the key points you need to know to help ensure your business is fully GDPR compliant. Kentico’s David Komarek will also give a presentation on how Kentico 11, the upcoming release of our CMS, can help streamline your company’s GDPR compliance. Both presentations are followed by a Q&A session. The topic of GDPR is one that is dear to our hearts. Check out some of the critical points you should be addressing here.
DISCLAIMER: All data and information provided in this blog post are for informational purposes only. Kentico makes no representations as to the accuracy, completeness, currentness, suitability, or validity of any information contained herein. We recommend consulting with a lawyer for any legal advice pertaining to GDPR compliance.
GDPR: Who's Responsible for the Right to Be Forgotten in the Client-Agency Relationship?
Nov 7, 2017 • 5 minute read