
GDPR and the Client-Agency Relationship

It’s a GDPR world. Sure, the regulation is a European Union standard, but really, its scope will have a global impact simply because most corporations are already doing business in the EU and will want to streamline customer data handling practices moving forward.

Understanding GDPR

If you’re someone who works with digital partners, such as an agency, knowing how GDPR affects you starts by recognizing what GDPR covers. There are no doubt terabytes flooding your inbox each day about GDPR compliance, but it really boils down to a few things.

First and foremost, be transparent with your customers about what data you are collecting from them, your legal basis for collecting it (which may need to be customer consent), how you are using it, and who you are providing it to (outside of your organization).

Second, ensure that you are taking all the required steps associated with protecting your customers’ data—essentially, data security best practices—like immediate reporting of a breach and use of encryption.

Third, ensure that your customers can see the data you have about them, that they can move it to another provider if they choose, and that they can have you delete their data entirely.

Working with Your Agency

As a digital agency and sometimes a hosting partner, at GLG, we have a special relationship with clients and their customers’ data. GDPR provides some excellent guidelines concerning how agencies and their clients collectively handle customer data—specifically, your customers’ data. Agencies and clients have a responsibility to each other and to their customers to understand that clients play the role of data controller while agencies play the role of data processor. In other words, as you collect tracking and marketing data about your customers, you ask your agency to do things for you. Agencies and hosting partners do those things with the understanding that you understand the rules of GDPR. An agency acting as a data processor is acting on your instructions as the data controller, which are likely spelled out in your Master Services Agreement or in a specific statement of work.

More Details

If you have questions, ask your agency; your agency may have already appointed a data protection officer (and perhaps so has your own company) as stipulated in the GDPR framework. As CTO at GLG, I am that person for our clients, and I would be happy to have a conversation with you to provide more perspective. Having a conversation with your agency’s data protection officer to understand the parameters of your agency’s role as a data processor and your role as a data controller is a good first step to complying with the new GDPR world.