Disclaimer: This is a guest post by our friends at iubenda – solutions to make your website or app compliant with the law, in multiple languages and legislations.
You’re probably well aware of the General Data Protection Regulation (GDPR). At its core, the GDPR governs how organizations may process personal data: how it is collected, used, stored, shared and deleted. If you run an agency, you need to understand how the GDPR affects you, particularly when it comes to liability and consent.
Being aware of what your responsibilities are will enable you to protect your agency from legal problems down the line. The better you understand your responsibilities under the GDPR and other similar regulations, the better you’ll be prepared to lead your clients through their intricacies.
- How to Determine What Regulations and Rules Apply to Your Agency
- Where do Agencies Fall Under GDPR Classifications?
- What are the Duties of the Agency Under the GDPR?
- How Your Duties as a Processor Can Impact Your Agency in Terms of Liability
- How to Ensure Your Agency Complies With GDPR, Adds Value to your Clients and Reduces Liability
In this article, we’ll go over everything agencies need to know about how the GDPR impacts you and your duties. We have a lot of information to go over, so let’s get right to it!
How to Determine What Regulations and Rules Apply to Your Agency
The first thing to understand is that there’s no single global privacy or data protection regulation. What laws and rules apply to your business will depend on two factors:
- Where you are established. If your agency is established in the EU, the GDPR applies to your processing of personal data regardless of where the processing itself takes place.
- Whose data you handle. If you are established outside the EU but process the personal data of people in the EU in connection with offering them goods or services, or monitoring their behaviour, the GDPR applies to that processing as well.
By and large, if you provide services across borders and you, your clients, or your clients’ end-users are located in the European Union (EU), your agency needs to adhere to the GDPR.
For example, if you operate an agency in the United States but work with clients whose users are in Europe, those users’ data is protected by the GDPR. For data belonging only to people in the US, you’d need to follow a different set of regulations.
As an agency, complying with different sets of regulations depending on where you operate (and who your customers are) puts you in a complicated position. Generally speaking, if you need to comply with multiple laws at once, we recommend that international clients either follow the strictest data privacy and protection rules by default, or use geolocation to apply the correct standard to the right users.
Because the GDPR is arguably the most comprehensive set of rules governing data usage and privacy, treating it as your baseline is a good rule of thumb for handling customer data properly.
Keep in mind that following data protection regulations isn’t just about applying best practices. In many cases, being in breach of local or international regulations can open your agency up to severe liability. This is part of why it’s so important to understand how the GDPR applies to you.
Where do Agencies Fall Under GDPR Classifications?
The GDPR uses different terminology to classify entities, depending on their relationship with end-user data and what their responsibilities are. The two most important classifications are:
- Data controller. As a data controller, you determine the purposes and means of processing user data.
- Data processor. As a data processor, you process data on behalf of the data controller.
To make this classification easier to understand, let’s use an example. Imagine that you own a business, and would like to access your users’ email addresses for your own marketing purposes. So you set up a sign-up form on your website. In this scenario, you are the data controller. It’s your responsibility to ensure that you have a legal basis for processing this data (e.g. consent) and that your users know how and why you’re collecting this information.
Now, let’s step into the role of an agency. You run a marketing agency for the website we’ve just outlined. In this case, you may need to access the email data collected from your client’s users in order to set up and run a marketing campaign on behalf of your client. Here, you’d fall under the category of the data processor – which is common for most agencies.
Not sure what role your business falls under? Here’s a quick checklist that can help you determine if your agency fulfills the definition of a data processor. If your business meets several of these characteristics, you’re acting as a data processor:
- You process data for a third-party, following their instructions.
- You don’t determine who to collect data from or what data to process.
- You don’t decide what to use the collected data for.
- The way you use data is determined by a contract with a third party (i.e. the data controller).
Differentiating between data processors and controllers is key because both entities have different responsibilities under the GDPR.
What your responsibilities are when it comes to data usage and protection vary depending on which of those two classifications you fall under. Let’s break down what this means for you in the most likely scenario you’ll face as an agency (i.e. as a data processor).
What are the Duties of the Agency Under the GDPR? (5 Key Points)
As a data processor, you have a very specific set of duties you need to fulfill when handling your client’s data. The client, in this case, is the data controller. Let’s break down these responsibilities into five key points.
1. You Must Process Data According to the Client’s Instructions
In your role as a data processor, you’ll need to sign a ‘data processing’ agreement with the controller (i.e. your client). This agreement will underscore your role, and outline the instructions you have to follow when handling the client’s data.
It’s your duty to follow those instructions and to process data only under the terms you’re contracted to. If an instruction would itself infringe the GDPR, you must tell the client immediately. When the engagement ends, you’ll need to delete the client’s data or return it to them (the choice is theirs) and delete any remaining copies, unless the law requires you to keep them.
2. Data Must Be Confidential
As a data processor, you need to treat your client’s information with the utmost confidentiality. This means only authorized people should have access to the data, those people must be bound by a confidentiality obligation (contractual or statutory), and you need to take the technical and organizational measures necessary to ensure the information isn’t accessible to unauthorized parties.
3. No Sub-Processors Without the Client’s Written Authorization
It’s your job to keep your client’s data safe and confidential at all times. Under the GDPR, you can’t engage another processor (a ‘sub-processor’, such as a hosting provider, email delivery service or analytics vendor that will handle the client’s data) without the client’s prior written authorization. That authorization can be specific to one vendor or general; under a general authorization you must still inform the client of any intended addition or replacement of sub-processors and give them the chance to object. Any sub-processor you engage must be bound by the same data protection obligations set out in your own data processing agreement, and you remain fully liable to the client for the sub-processor’s performance.
4. Helping Your Client With End-User Privacy Requests
Under the GDPR, end-users (data subjects) can exercise a number of rights over their personal data: access, rectification, erasure, restriction of processing, data portability and objection.
As the data processor, it’s part of your duties to help your client respond to these requests. In practice, this means forwarding any request you receive directly to the client without delay, rather than acting on it on your own initiative, and then following the instructions in your agreement to fulfill it.
Take an end-user of an email marketing campaign you run for a client. If they ask for their information to be erased, your agreement will spell out how to do this, such as by removing the user’s email address from the campaign database along with any other data points associated with it, and confirming the deletion to the client.
5. Assisting Your Client In Dealing With Data Breaches
Your duties as a data processor involve handling the information your clients collect. Therefore, it’s part of your responsibility to help them fulfill the obligations that arise from a personal data breach. The first of these is yours: under the GDPR, a processor must notify the controller without undue delay after becoming aware of a breach, so that the client can meet its own 72-hour deadline for notifying the supervisory authority where that is required.
In practice, this also means helping them to identify the source and scope of the breach, providing the details needed for the report to the supervisory authority (and, where the breach poses a high risk to individuals, for notifying those individuals), and cooperating with a Data Protection Impact Assessment (DPIA) if necessary.
How Your Duties as a Processor Can Impact Your Agency in Terms of Liability
The better you fulfill your duties as a data processor, the lower your risk of liability in case of a breach or other violation of the regulation.
Article 82 of the GDPR deals with civil liability and compensation. In a nutshell, anyone who suffers damage (material or non-material) as a result of an infringement of the GDPR has the right to compensation from the controller or the processor.
Which party is liable depends on who caused the damage. A controller is liable for damage caused by processing that infringes the GDPR. As an agency acting as a processor, you are liable only if:
- You acted outside of, or contrary to, your client’s lawful instructions, which should be set out in the data processing agreement signed by both parties at the start of the relationship.
- You failed to fulfill an obligation that the GDPR places specifically on processors (for example, the duties listed in the previous section).
Where both you and your client are involved in the same processing and are both responsible for the damage, each of you can be held liable for the full amount, with the right to claim back from the other the share corresponding to its responsibility.
In the last section, we went over the key duties you’re responsible for under the regulation. By fulfilling those duties, you drastically reduce the chances that you’ll be found liable in the event of a data breach causing damage to end-users. With this in mind, it can be fairly assumed that helping your clients to be compliant is also in your best interest.
How to Ensure Your Agency Complies With GDPR, Adds Value to your Clients and Reduces Liability (2 Actionable Steps)
Considering the complexity of the GDPR, it can be time-intensive to remain in compliance with its requirements. However, compliance is essential if you want to provide the best service you can to your clients and avoid liability.
1. Have a Data Processing Agreement in Place and Respect It
The data processing agreement that you sign with any controller your agency provides services to needs to be as clear and comprehensive as possible. Remember: a data processing agreement (or an equivalent binding legal act) is legally required under laws like the GDPR whenever a processor handles personal data on a controller’s behalf.
Furthermore, consider that even if the GDPR does not apply to some of your client relationships, it’s still a good idea to define your role and responsibilities in writing.
If you’re not sure where to start, we’ve made a free starter template data processing agreement available, based on the work we’ve done in the last few years on the GDPR. You can modify and use this template as necessary for your clients’ individual needs.
Remember, you should always honor the conditions of your DPA. Avoid actions that could breach the agreement at all costs, such as outsourcing processing to third parties without the client’s prior written authorization.
2. Understand the Basics of Compliance
Understanding basic online compliance is critically important for two main reasons:
1) Firstly, it helps you to understand how and when data laws apply to you in the different roles that you play as an agency, i.e. controller (where you purposefully use personal data for your own business processes), and processor (where you process data on behalf of your clients).
These roles can easily become intertwined in a typical agency/client relationship, so it’s important to understand the difference and how it fully relates to your duties and liability.
Also consider that while understanding compliance yourself is critical, having a Data Protection Officer (DPO)* can be incredibly useful, and is legally required where certain conditions apply: for example, where your core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data such as health data.
*DPOs do not have to be in-house: the role can be outsourced to an external provider.
2) Secondly, understanding compliance allows you to expand your expertise, and reduce your risk of liability while adding value to your clients. As mentioned above, it will always be in your best interest that your clients be compliant with applicable data law.
While your client is of course primarily responsible for their own compliance as a data controller, understanding basic compliance also presents the opportunity for you to add value and extend your service offerings and profit.
We’ve created two FREE eBooks on basic compliance to help get you started:
- Online Compliance Handbook for Successful Agencies – USA
- Online Compliance Handbook for Successful Agencies – UK
The books cover the basics of compliance, how iubenda’s self-updating solutions can make it easy for your clients to comply while you earn, how to inform your clients and avoid liabilities, and more.
The impact of the GDPR goes well beyond the borders of the EU. As an agency, you’ll probably find yourself in situations where you provide services to clients that fall under its jurisdiction – even if the GDPR doesn’t directly apply to you.
We’ve gone over what your key duties are, but if you’re looking for a quick summary, here goes. It all comes down to understanding basic compliance and your role under the GDPR, formalizing this role where necessary with a written agreement, and meeting your obligations under this agreement and the law. Helping your clients make their sites and apps compliant benefits both of you.
Do you have any questions about what your duties as an agency are under the GDPR? Let’s talk about them in the comments section below!