The time is almost upon us: that’s right, GDPR goes live next month.
In May, Europe’s data protection rules will undergo their largest overhaul in 20 years. This is well overdue, as current regulations were drawn up in the late nineties when the internet was just in its infancy. Fast forward two decades and it is a whole new ‘wireless’ world.
Many of our clients have been hoodwinked into spending thousands on GDPR consultations, but for the majority of our retail clients it is simply a matter of ensuring the right processes are in place.
Here we explain the key roles, and the specific responsibilities clients and agencies need to adhere to, so that processes and roles are fully in place in time for next month.
The Data Controller
Within the world of marketing and digital communications, the Data Controller is the client: they state how and why data is processed. This is pretty much the case for all companies regardless of sector. The majority of our clients are in retail; they all capture user data for sales or marketing purposes and are the ultimate Data Controller.
The Data Controller is responsible for ensuring compliance across the business (from staff records to newsletter databases), communications with supervising authorities, handling user requests (right to be forgotten, etc.) and working with their Data Processors to establish reasonable processes to support compliance.
The Data Protection Officer
The Data Protection Officer is a GDPR expert within the retailer or shopping centre team and is responsible for educating on compliance, monitoring compliance and being the point of contact for the supervising authority (the Information Commissioner’s Office). Many of our clients are not large enough to recruit a specific GDPR expert and the ICO will accept this, as long as there is someone within the Data Controller’s team who is identified as the Data Protection Officer.
There are specific guidelines for when a Data Protection Officer must be appointed, which you can find on the ICO website.
Clients are likely to have their own DPO for their own compliance as a business (as the storing of staff records is now under the same scrutiny as external user data). We reach out to grow clients’ databases through onsite events and social media, and we can liaise with the relevant DPO to ensure they are kept updated on how we store and use their user data.
The Data Processor
This leads us on to the agency role, the Data Processor, which is our remit. We process the data on behalf of our retail clients.
In the majority of cases, the agency would be the Data Processor for clients. However, this responsibility could also lie with the client’s hosting provider or any SaaS vendors they use (e.g. Salesforce), provided they have access to the user data.
As an agency, it is important not to undertake the responsibilities of the Data Processor, as this would not be compliant with the new legislation. Following a GDPR audit of their website, we can clearly illustrate to the DPO how and where the data is stored, to help them in their own data mapping plans.
We help clients’ Data Protection Officers pull together terms and conditions to help define how we can interact with the data. The Data Protection Officer for the client is key, as they can interpret the law and help get these in place.