Welcome to the second in our series of GDPR posts exploring the practicalities of the new EU regulation in the client-agency relationship. This time around I’ll be taking a look at data. Data is at the heart of the GDPR and there are clear definitions around what constitutes identifiable data that have been updated for the modern age. Data can be drawn from any part of the business - from a website or CRM system through to the contacts in individual email accounts and company phones.
There’s data everywhere and all of it needs to be taken into consideration.
What is identifiable data?
Under the GDPR, there are three particular sets of identifiable data – personal data, sensitive personal data and data relating to criminal offences.
Personal data is the most common of the two and the one that most Data Controllers and Data Processors are going to come into contact with. It is any information that enables you to identify a person – name, address, email address, unique identification numbers, location data, physical characteristics, genetic characteristics, biometric characteristics, etc. Some allow you to identify an individual on their own while others need to be used in tandem with other elements to identify an individual.
Sensitive personal data takes it one step further and brings racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs, memberships, sexual orientation, health data and sex life data into the picture. The difference between this and personal data is that there are additional protections and restrictions around this data.
You can find out more detailed information about data from the Information Commissioner’s Office (ICO).
How can you help your clients?
In order to get ready for the GDPR, the likelihood is that your clients’ Data Protection Officers will be mapping out data sets. Most businesses will have multiple systems with data in various formats and states.
As a digital agency, you will only have access to a small part of this jigsaw – typically the systems you have access to as part of the projects you’re working on with your clients. You can’t advise on your client's’ entire data mapping strategy but you can help to support the Data Protection Officer in putting this together.
If we take a typical project, the following systems are likely to be considered:
Website or application – this could be bespoke or could be driven by a CMS or e-commerce platform
CRM system – e.g. Salesforce, Microsoft Dynamics
Marketing Application – e.g. Kentico EMS, Marketo, Acquia Lift, Hubspot, Pardot
E-mail Marketing – e.g. DotMailer, Campaign Monitor
This isn’t an exhaustive list and every project is different but you get the picture.
Most of those in the list are fairly common but there are a couple that may not necessarily be considered on first thought.
Websites and applications on their own can still be liable – think contact/feedback forms, gated downloads and newsletter subscriptions. That’s a small selection of possible web parts but each one is capturing pieces of identifiable data.
The second is Google Analytics. Really this only falls into the list if demographic-specific features are enabled within Google Analytics that capture specific, identifiable data.
You will understand what data is being captured by your clients and where it is being stored and transferred. While you can’t take the lead on data mapping, this knowledge is a valuable tool for your clients. You will be able to work in collaboration with your clients to understand what data is held in each system you interact with, where the data is, how it is stored and the security of that data.
Hopefully, that has given you some insight into data under the GDPR and the practicalities in terms of the client-agency relationship. Ensuring you know what your clients will need from you will give you a head start when it comes to those GDPR conversations.