The new legal and financial risks surrounding GDPR are forcing key changes in the relationship between brands and their agencies. This means new contracts and negotiations, which will be challenging at best, fraught at worst.
Brands will want clarification on where data is held and who is responsible for it. They’ll want to know how agencies are preparing for GDPR, what consent is being granted and how they plan to manage potential data breaches. They can insist that businesses dealing with sensitive data, personal information or a large volume of data assign a data protection officer, as per the new regulations.
This blog article explains some of the key risks thrown up by GDPR, and what marketers and brands should want to clarify under their new contracts.
Two killer consequences of GDPR risk
Legal: who is responsible for what?
Under GDPR, all parties involved in the use of personal data are fully liable.
It states that “each controller (in our marketing scenario this is the brand) or processor (the marketing agency) shall be held liable for the entire damage” where more than one controller or processor are involved in the same processing. A brand will only be absolved of this liability where it can prove that it was “not in any way responsible for the event giving rise to the damage.”
John Haggis, consultant solicitor at Keystone Law, said: “If a marketing agency fails to process the data pursuant to the data controller’s instructions, then both the agency and data controller will be liable for breach of the GDPR.”
Financial: what’s the worst that could happen?
The Information Commissioner’s Office (ICO) is empowered to fine up to four per cent of a business’ “total worldwide annual turnover of the preceding financial year” or up to €20 million (£17.6 million at time of writing), whichever is greater. If the worst happened and the ICO snapped its full bite force, how could that impact your business?
Indemnity insurance: a thorn in the side of the marketer/client relationship
These figures add a whole new strain to the marketer/client relationship, as it raises the question of indemnity insurance. Can agencies even afford to insure themselves against GDPR risks? It’s a far cry from the limited liability agencies are used to, when the Data Protection Act maximum penalty stood at £500,000. Furthermore, will reinsurance providers want to cover insurers against such colossal risk?
How brands might expose themselves under GDPR
So, what risks are we talking about here? There are three key areas to consider.
1. The brand’s own personal data
This is the simplest risk area, as it’s quite straightforward to work out how brands directly obtain and use personal data – and then remedy it if required.
Areas of exposure include brands using personal data that are not compliant – if, say, consent has not been granted - or if their website leaks personal data, for example.
2. The use of broker data
Buying in data to augment your target marketing lists has, historically, been very attractive to marketers. However, under GDPR there are some hazards of transparency and accountability that come with purchased data.
- Informed consent from the data subject must be obtained– this is often unlikely to have happened
- Personal data must be accessible, rectifiable and portable, and the person must be able to object to profiling and automated segmentation – again, this is unlikely to have been provided to the level required under GDPR
- Personal data cannot include “sensitive data”, such as ethnic origin, trade union membership or data concerning health
3. The black hole of online advertising
Online advertising presents a complex quagmire for brands and agencies alike.
GDPR makes it illegal for companies to pass a user’s personal information to another company, or to store these data, without agreeing a formal contract with the data controller – normally this is the initial company that requested the data from the user – that clearly defines how their data can be used.
But just look at how data is passed around countless parties online, including ad exchanges, media owners, retargeting systems, data management platforms and so on. Risk snowballs, as it’s impossible to agree the required contractual agreements with all parties that could potentially gain access to this personal data.
If you need a steer along your GDPR path, Me Learning and the Chartered Institute of Marketing (CIM) can help. Together they have developed a new GDPR course for marketing professionals. For more information, click here.