GDPR - Who’s Responsible in the Client-Agency Relationship?

23 Aug 2017

Posted by Rick Madigan

When the GDPR comes into effect next year, we will either see the digital landscape overshadowed by the EU-branded Death Star or it will represent a brave new world. Whatever your viewpoint, the regulation will radically change the way organisations handle and store personal data.

The likelihood is that brands will have a mountain of tasks to undertake. The new regulation touches many aspects of a business and, while the digital agency only interfaces with a small part of that, it still has a key part to play.

In this post, I’m going to explore the three key roles within the GDPR – the Data Controller, the Data Protection Officer and the Data Processor.

The Data Controller

In a nutshell, the Data Controller states how and why data is processed.

Within the digital agency world, the view is clear. Data Controllers are clients and this is typically the case across the board for companies. If they’re capturing user data for sales or marketing purposes, the chances are that they are the Data Controller.

The Data Controller is responsible for ensuring compliance across the business, communications with supervising authorities, handling user requests (right to be forgotten, right to portability, etc.) and working with their Data Processors to establish reasonable processes to support compliance.

The Data Protection Officer 

The Data Protection Officer is a company’s GDPR expert and is responsible for educating on compliance, monitoring compliance and being the point of contact for the supervising authority (the Information Commissioner’s Office). 

For many of the Data Controllers out there, a Data Protection Officer is a required role. There are specific guidelines for when a Data Protection Officer must be appointed, which you can find on the ICO website.

The Data Processor is likely to have their own DPO for their own compliance as a business but, when it comes to clients, this should be treated case-by-case to understand exactly what level of contact he/she has with the user data.

The Data Processor 

The Data Processor processes the data on behalf of the Data Controller.

So, in the majority of cases, the agency would be the Data Processor for its clients. However, this responsibility could also lie with the client’s hosting provider or any SaaS vendors they use (e.g. Salesforce), provided they have access to the user data.

As a digital agency, you may not shoulder the responsibilities of the Data Processor; however, your clients can still call upon your expertise to understand how and where data is stored to help them in their own data mapping plans.

If you are established as the Data Processor for your client, you will need to help them to put together contracts or SLAs to define how you can interact with the data (Data Processing Agreements). The Data Protection Officer for the client is key to this as they can interpret the law and help get these in place.

Start the Conversation 

With the new regulation coming into effect in about nine months’ time, there is no time to waste, so starting the conversation with your clients now is vital. Helping them get the foundations in place early should set them firmly on the road to compliance.

Rick Madigan

As Digital Marketing Strategist at MMT Digital, I am responsible for the development and implementation of digital marketing strategies that transform business performance for our clients. In addition, I advise clients on best practice for GDPR readiness and compliance.
