Are Web Agencies Responsible for Their Clients' Data Privacy Compliance?
As a marketing agency, you probably already know about the European Union (EU)'s General Data Protection Regulation (GDPR). At its core, the GDPR regulates how companies process personal data. It also governs how you can collect, use, and interact with clients' data.
Failing to comply with the GDPR can result in lawsuits and exorbitant fines of up to €20 million or 4% of your worldwide annual revenue. As such, you must be aware of how the GDPR affects you.
Read on to learn more about the GDPR and whether marketing agencies are responsible for their clients' data privacy compliance.
We'll also cover where marketing agencies fall under GDPR classifications, agency duties under the GDPR, and agent and client duties in case of user damage.
What is the GDPR?
The GDPR is a legal framework that gives EU consumers control over their personal data. It establishes strict standards for handling and treating personal information.
Who does the GDPR apply to?
Every company that operates within the EU or has EU customers must comply with the GDPR, even if they aren't specifically marketing services or goods to EU residents.
Therefore, if your marketing agency provides services across borders and part of your client base operates in the EU, you must follow GDPR protocols. For instance, if you run a web agency in the United States but have clients in Europe, you must follow the GDPR. However, if your clients are in the US, you must follow different regulations, such as:
- The California Consumer Privacy Act (CCPA)
- The Colorado Privacy Act (CPA)
- The Utah Consumer Privacy Act
- Virginia's Consumer Data Protection Act (VCDPA)
- New York's Stop Hacks and Improve Electronic Data Security (SHIELD) Act
Who is responsible for GDPR compliance?
As a marketing agency, you are responsible for your and your clients' GDPR compliance.
Under the GDPR, every company harvesting EU consumer data must define themselves as data processors or controllers. Marketing agencies are typically both — they act as controllers when acquiring data from consumers or third parties for clients, and they act as processors for their own internal data. Because data controllers are responsible for ensuring that all their clients are GDPR compliant, marketing agencies must ensure clients' GDPR compliance.
What are agencies' duties under the GDPR?
Because they're controllers and processors, marketing agencies are responsible for a wide range of duties, including:
Data Processor Duties
As a data processor, you must do the following for your clients:
Process personal data
Process personal data according to the client's documented instructions: After signing a contract with the client, you must follow their documented instructions. The client's instructions should cover the whole data processing cycle, from collection to termination. Once you are finished processing the data, you'll have to cancel your access to your client's data or return the personal data to them.
Handle data protection internally
Handle data protection internally: As a data processor, you must ensure your client's data is confidential and safe at all times. You can only use third-party data protection services if you have obtained the client's prior written consent.
Assist and cooperate with the client
Assist and cooperate with the client: Under the GDPR, users can exercise the right to restrict, delete, or change any personal data that the controller has collected from the individual. As the processor, you must help your client respond to such requests. You can do this by telling clients about incoming requests and following the instructions in your contract to fulfill them.
Educate the client on compliance
Give the client all the information they require to demonstrate compliance with relevant laws: When doing this, you can't hinder any review activities or inspections carried out by the client or anyone commissioned by the client.
Assist the client with data breaches
Assist the client with data breaches: Data processors must deal with the information that their clients collect. As such, you must help your client meet any obligations arising from situations like data breaches. Depending on how the situation unfolds, this may involve helping them identify the root of the breach, reporting the breach to relevant authorities, and cooperating with a Data Protection Impact Assessment (DPIA).
Keep personal data confidentialKeep personal data confidential: Make sure that only authorized personnel have the right to process your clients' information. You can also fulfill this obligation by educating employees on how to process data safely and confidentially.
Data Controller Duties
As a data controller, you are responsible for:
- Complying with the GDPR: Your marketing company must comply with the GDPR's data protection principles.
- Ensuring that individuals can exercise their rights regarding their personal data: Individuals must be able to exercise rights including the rights of rectification, data portability, access, erasure, and restriction.
- Recording and disclosing personal data breaches to GDPR-enforcing authorities: If a data breach occurs, record the event and notify GDPR-enforcing authorities within 72 hours of becoming aware of the breach. Failing to issue a breach notification can result in a fine of up to €10 million or 2% of your revenues.
- Choosing GDPR-compliant processors: As a data controller, you can only use processors that meet GDPR requirements. Many of these processors may be clients. As such, you need to help clients become GDPR-compliant if aren't already.
Actions to take as a data controller
Creating and embedding privacy policies for your clients
Just answer a few questions about your company and clients, and you'll be able to download and embed a professional legal policy for your clients. All of our policies have the disclaimers and language required for compliance. We also provide automatic updates as privacy legislation changes, so your clients' policies will always be compliant.
Enzuzo has multi-domain support so you can manage all of your clients legal policies in one place.
Creating cookie banners for your clients
Clients need cookie banners and pop-ups for GDPR compliance. If your clients don't have GDPR-compliant cookies or banners, use Enzuzo's free cookie consent banner generator to create some for them.
Creating workflows that empower users to exercise their privacy rights
Lastly, you can help clients comply with the GDPR by creating mechanisms that allow users to exercise their privacy rights. One of the best ways to do this is through Enzuzo's user-friendly data subject access request (DSAR) workflow.
Agency and client duties in case of damages to users
Agencies and clients also have specific duties when users are damaged by GDPR infringement.
Under Article 82 of the GDPR, anyone who has suffered damages due to GDPR infringement has the right to receive compensation from the processor or controller. While agencies can simultaneously act as controllers and processors, in this context, “processor” usually refers to agencies, while “controller” typically refers to clients.
Specifically, the controller or client is responsible for the damage caused by the GDPR-violating processing, while the processor or agency is only responsible for the damage caused by the processing if:
- It behaved inconsistently or contrary to the client's instructions, or
- It has failed to fulfill its GDPR obligations.
Get started with Enzuzo today
As a marketing agency, you are responsible for your and your clients' GDPR compliance. Accordingly, you have a lot on your plate.
Fortunately, Enzuzo is here to help. A comprehensive privacy platform, Enzuzo has everything you need for compliance, including privacy policies, terms of service agreements, cookie banners, and more.
Interested in experiencing the Enzuzo difference? Try Enzuzo for free today.