What a small digital agency did to try to become GDPR Compliant
The information contained within this article is not legal advice and must not be taken as such. To ensure that your agency or business is GDPR compliant, you will need to hire a lawyer. Really.
The GDPR, the EU's new regulation on the privacy, security and transfer of personal data, comes into effect on May 25, 2018. It applies to any organisation that collects, stores or processes personal data of people in the EU, wherever that organisation is based, and to any organisation established in the EU regardless of where its data subjects live. That includes digital agencies and online businesses anywhere in the world, as long as they offer goods or services to, or monitor the behaviour of, people in the EU. For all intents and purposes, it is unavoidable for the majority of online businesses.
Like us, most small businesses don't have the resources to get compliant with ease. It doesn't help that the GDPR sets out no strict, clearly defined process, and there is currently no certification program either, to guide small businesses to compliance.
We have spent the past few months making sure we are as prepared as we can be and wanted to share the steps we have taken. Hopefully, the insight can serve as a starting point, or help to fill in some gaps in your own agency’s path to compliance.
This article also assumes that you have some baseline knowledge of GDPR as I am sure this is not the first page on it you have come across.
We looked at two facets of our business to become GDPR compliant, inwards and outwards.
Let’s start outwards.
Looking at how an agency collects information under the GDPR
We looked at all the places where we collect information from clients and visitors on our site. This means contact forms, offer downloads, landing pages, newsletter signups, blog signups, and analytics.
The GDPR is pretty clear on what kind of information you can collect and how. All processing of personal data needs at least one lawful basis (Article 6). These can be summarized as follows (list taken from Wikipedia):
- The data subject has given consent to the processing of personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (in situations such as where the data subject is a client or in the service of the controller) unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular if the data subject is a child.
Points 1 and 2, specific purpose and contractual necessity, are the ones that matter for forms on a website. Often, we see companies and marketing agencies ask for a plethora of information in exchange for high value offers, such as company size, pet name, and favourite ice cream flavour. The reasoning is usually to build or refine personas, but under the GDPR every field needs a stated purpose, and you may only collect what is adequate, relevant and necessary for that purpose (data minimisation, Article 5(1)(c)).
We went through our forms and pruned their fields, making sure we only request information that we can and do actually use to determine our personas. It is time to question whether every piece of information is actually useful for your agency. We ended up with a much smaller list, but we knew each item on it was important and had a clear use to us.
Another aspect of forms you should consider is consent. Under the GDPR it is not acceptable to opt a contact in to a list for a purpose they did not agree to or do not know about. Gone are the days when a company could simply collect emails and add them to its funnel. Now, if you want to build your email list, your contacts need to opt in to the purpose of the list.
What this means is, if you currently have multiple lists or funnels, a contact will have to opt in to each one on the form. For example, let's say you have a newsletter or blog subscription list, an upsell funnel, and a referral funnel.
To use these in accordance with the GDPR, a contact has to choose to be part of each funnel right on the form. This is best done with one checkbox per funnel and a clear description of what the contact is opting into. Additionally, they should have easy access to your Privacy Policy and an explanation of what data of theirs is being processed, for what purpose, and how it is handled.
Now, you may take the simple route and have one opt-in for all emails, but this creates both a compliance and a business risk. Consent has to be specific to a purpose, and the GDPR presumes it is not freely given if separate consent cannot be given for separate processing operations (Recital 43), so one bundled checkbox for three unrelated funnels is on shaky ground. Commercially, if you put all the funnels under one checkbox, contacts either opt in to everything or to nothing. Since they might receive emails they do not want, they will likely not opt in at all, leaving your lists much smaller than they could have been.
On the other hand, if you include a separate opt-in for each list or purpose, your contacts can choose what kind of emails they want. Not only does this allow them to customize their experience with your company, but your agency’s email engagement should be better. Overall, we predict email lists to shrink, but the contacts that are left should be much more valuable.
In conclusion, your forms should follow these guidelines:
- Only collect information that is necessary
- A separate, unchecked opt-in for marketing emails and for each other funnel you run. DO NOT have these pre-checked; a pre-ticked box is not valid consent.
- A checkbox for contacts to agree to the terms of service and privacy policy, with links to both documents for review. Keep this separate from the marketing opt-ins: agreeing to your terms is not consent to be emailed.
- A clear description of what the contact is signing up for, without any legal language or obfuscation.
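To show what the form guidelines above look like on the server side, here is an added example (not Growth Labs' code). It assumes a form that posts the visitor's email, an "accept_terms" checkbox and one "consent_<purpose>" checkbox per mailing purpose; the purpose texts, the policy version label and the in-memory records are assumptions for illustration. The point it makes is that consent is recorded per purpose, only when actively ticked, together with the exact wording shown and a timestamp, and that a withdrawal is recorded rather than silently deleted.

```python
"""Granular opt-in consent capture for a website form.

Added example, not Growth Labs' own code. Assumes a form that posts "email",
"accept_terms" and one "consent_<purpose>" checkbox per purpose. The purpose
texts, policy version and sample submission are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# One checkbox per purpose, each with the plain-language text shown beside it.
# The text is stored with the record so you can later prove what was agreed.
PURPOSES = {
    "newsletter": "Send me the monthly newsletter and new blog posts.",
    "upsell": "Tell me about new services and offers.",
    "referral": "Contact me about the referral programme.",
}
PRIVACY_POLICY_VERSION = "2018-05"   # assumed version label of the policy shown
TICKED = {"on", "yes", "1", "true"}  # values a ticked checkbox can post


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    purpose: str
    statement: str       # exact wording the visitor saw
    policy_version: str
    action: str          # "granted" or "withdrawn"
    at: str              # ISO 8601 timestamp, UTC
    source: str          # which form or channel produced it


def parse_opt_ins(form: Dict[str, str]) -> List[str]:
    """Return only the purposes the visitor actively ticked.

    Browsers omit unticked checkboxes from the POST body, so a missing key is
    "no". Nothing defaults to yes, which is what "not pre-checked" means on
    the server side. Unknown consent_* keys are ignored, so a crafted request
    cannot record consent for a purpose the form never offered.
    """
    return [p for p in PURPOSES
            if form.get(f"consent_{p}", "").strip().lower() in TICKED]


def record_consent(form: Dict[str, str], source: str,
                   now: Optional[datetime] = None) -> List[ConsentRecord]:
    """Validate the submission and return one record per ticked purpose."""
    email = form.get("email", "").strip().lower()
    if not email:
        raise ValueError("email is required")
    if form.get("accept_terms", "").strip().lower() not in TICKED:
        raise ValueError("terms of service and privacy policy must be accepted")
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return [ConsentRecord(email, p, PURPOSES[p], PRIVACY_POLICY_VERSION,
                          "granted", stamp, source)
            for p in parse_opt_ins(form)]


def withdraw_consent(email: str, purpose: str, source: str,
                     now: Optional[datetime] = None) -> ConsentRecord:
    """A withdrawal is appended, never deleted, so the history stays auditable."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return ConsentRecord(email.strip().lower(), purpose, PURPOSES[purpose],
                         PRIVACY_POLICY_VERSION, "withdrawn", stamp, source)


def may_email(records: List[ConsentRecord], email: str, purpose: str) -> bool:
    """True only if the most recent record for (email, purpose) is a grant."""
    history = [r for r in records
               if r.email == email.strip().lower() and r.purpose == purpose]
    if not history:
        return False
    return max(history, key=lambda r: r.at).action == "granted"


# Constructed sample submission: newsletter ticked, referral left blank, and a
# consent_bogus key for a purpose the form never offered.
SAMPLE_FORM = {
    "email": " Ana@Example.com ",
    "accept_terms": "on",
    "consent_newsletter": "on",
    "consent_referral": "",
    "consent_bogus": "on",
}
SAMPLE_TIME = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for rec in record_consent(SAMPLE_FORM, "blog-signup", now=SAMPLE_TIME):
        print(rec)
```

The records are append-only on purpose: when someone later asks what they agreed to and when, or a regulator asks you to demonstrate consent, the grant and any withdrawal are both on file with the wording that was shown at the time.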
Contact Lists
The next step is looking at your existing contact lists, as this will need some work to become GDPR compliant as well.
First, no contact should be in your agency's database unless you have a lawful basis for holding them, such as consent given in the way described above; the rest have to go. For most agencies, this probably means the majority of their contacts need to be purged. Fight the urge to email your entire contact list asking if they would like to stay on: if you have no basis to email them, the re-consent email is itself unsolicited marketing, and the UK regulator fined Honda and Flybe in 2017 for doing exactly that.
We decided to purge the majority of our contacts and kept only those for which we had a genuine lawful basis, such as our clients.
In addition to removing these contacts, your agency must also decide and document how long personal information will be kept. For contacts with a strong lawful basis or who are required to carry out work, such as clients and suppliers, the standard period is the duration of the contract or working relationship, plus whatever statutory retention applies to invoices and tax records afterwards.
However, for contacts that are only on your email list, or that have unsubscribed but are still in your database, there is no set period. The GDPR leaves that to the controller's discretion, but you should consider the following:
- For how long is this personal data useful?
- How difficult or valuable is it to keep the data up to date?
- The costs, liabilities, and work required to maintain that data.
For Growth Labs, we have decided to evaluate our contact database every 30 days or so to make sure the personal data is still up to date and relevant. In other words, we plan to prune our database every 30 days. Of course, the ease of such a process depends on how many new contacts your company or client gets per month.
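The 30-day review above only works if the retention decision for each contact is written down and mechanical. Here is an added example of such a review (not Growth Labs' code): the contact fields, the lawful-basis labels, the retention windows and the sample contacts are assumptions, so substitute the periods from your own documented policy. It also shows one design choice the text does not spell out: an address that unsubscribed is dropped from the database, but a hash of it is kept on a suppression list so it is never mailed again.

```python
"""Periodic retention review of a contact database.

Added example, not Growth Labs' own code. The contact fields, lawful-basis
labels, retention windows and sample contacts are assumptions.
"""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Assumed policy value: consent-based marketing contacts with no activity for
# a year are dropped. Legal-obligation records carry their own end date.
MARKETING_INACTIVITY_LIMIT = timedelta(days=365)


@dataclass
class Contact:
    email: str
    lawful_basis: str                      # "contract", "legal_obligation", "consent", "none"
    last_activity: date                    # last reply, click, invoice, meeting ...
    consented_purposes: Tuple[str, ...] = ()
    contract_active: bool = False
    retain_until: Optional[date] = None    # set for legal_obligation records
    unsubscribed: bool = False


def retention_decision(c: Contact, today: date) -> Tuple[str, str]:
    """Return ("keep" | "delete", reason). The reason goes into the review log."""
    if c.lawful_basis == "contract":
        if c.contract_active:
            return "keep", "active client or supplier relationship"
        return "delete", "contract ended and no other basis recorded"
    if c.lawful_basis == "legal_obligation":
        if c.retain_until is not None and today <= c.retain_until:
            return "keep", f"statutory retention until {c.retain_until.isoformat()}"
        return "delete", "statutory retention period expired"
    if c.lawful_basis == "consent":
        if c.unsubscribed or not c.consented_purposes:
            return "delete", "consent withdrawn for every purpose"
        if today - c.last_activity > MARKETING_INACTIVITY_LIMIT:
            return "delete", "no activity within retention window"
        return "keep", "live consent and recent activity"
    return "delete", "no lawful basis recorded"


def suppression_token(email: str) -> str:
    """SHA-256 of the normalised address: still personal data, but reduced to
    what a 'never email this address again' check needs."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def prune(contacts: List[Contact], today: date):
    """Apply the policy. Returns the contacts to keep, an (email, reason) log
    of deletions for the review record, and suppression tokens for addresses
    that unsubscribed."""
    kept: List[Contact] = []
    deleted: List[Tuple[str, str]] = []
    suppression: Set[str] = set()
    for c in contacts:
        decision, reason = retention_decision(c, today)
        if decision == "keep":
            kept.append(c)
            continue
        deleted.append((c.email, reason))
        if c.unsubscribed:
            suppression.add(suppression_token(c.email))
    return kept, deleted, suppression


def sample_contacts() -> List[Contact]:
    """Constructed sample database for one review run."""
    return [
        Contact("client@acme.example", "contract", date(2018, 5, 28), contract_active=True),
        Contact("old@former.example", "contract", date(2016, 3, 1)),
        Contact("invoices@former.example", "legal_obligation", date(2016, 3, 1),
                retain_until=date(2023, 12, 31)),
        Contact("sub@example.com", "consent", date(2018, 5, 20), ("newsletter",)),
        Contact("stale@example.com", "consent", date(2017, 1, 10), ("newsletter",)),
        Contact("gone@example.com", "consent", date(2018, 4, 2), (), unsubscribed=True),
        Contact("scraped@example.net", "none", date(2018, 1, 1)),
    ]


REVIEW_DATE = date(2018, 6, 1)  # constructed "today" for the sample run

if __name__ == "__main__":
    kept, log, _ = prune(sample_contacts(), REVIEW_DATE)
    print("kept:", [c.email for c in kept])
    print("deleted:", log)
```

The deletion log is worth keeping (without the personal data beyond the address, or with the address hashed) because it is the evidence that the retention policy you documented is actually being followed.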
Cookies
The second thing we looked at was our cookies. Under the GDPR, cookie identifiers and IP addresses, dynamic ones included, are online identifiers that can single out a visitor, so they are treated as personal data (Recital 30).
Therefore, we had to make sure visitors could opt in to our cookies before they were set (strictly necessary cookies, such as the session cookie behind a login, do not need consent), and to inform them better, we wrote up the cookies our website uses. Now, visitors can easily see which cookies get set, what they are used for, and how long they stay on their system.
Privacy Policy
We also reworked our privacy policy to make sure it was up to date and included what the GDPR requires (Article 13). At a minimum, your privacy policy should state:
- Who the data controller is and how to contact them. Essentially, you want visitors and clients to have an easy way to contact your agency for requests and questions regarding their data.
- What kind of data you collect and its explicit purpose, including the lawful basis for each purpose.
- How long each kind of data is kept, or the criteria used to decide that.
- Who the data is shared with, such as the third-party processors covered later in this article.
- The rights people have over their data, how to exercise them, that consent can be withdrawn at any time, and that they can complain to a supervisory authority.
Looking at how GDPR affects internal processes
Another core component of the GDPR is the set of rights a person has over their personal data, summarized in these eight parts:
- The right of access (Article 15): a person has the right to know whether their data is being processed, and to obtain a copy of the data being processed.
- The right to rectification (Article 16): a person has the right to have inaccurate data corrected and incomplete data completed.
- The right to erasure, or "right to be forgotten" (Article 17): a person has the right to have their data erased, under certain conditions.
- The right to restriction of processing (Article 18): a person has the right to have processing of their data restricted, under certain conditions.
- The right to be notified (Article 19): when data is rectified, erased or restricted under the rights above, the controller must pass that on to everyone it disclosed the data to, and must tell the person who those recipients are if asked.
- The right to data portability (Article 20): a person has the right to receive the data they provided in a structured, commonly used and machine-readable format.
- The right to object (Article 21): a person can object to processing based on legitimate interests or a public task, and it must stop unless the controller shows compelling legitimate grounds. An objection to direct marketing, including any profiling connected to it, must always be honoured.
- The right not to be subject to a decision based solely on automated processing (Article 22): a person has the right not to be subject to a decision, including profiling, made solely by automated means where it produces legal effects or similarly significant effects on them.
For more information, read the legislation text itself, but in short, an agency needs to provide an easy way for people to submit these requests and a process to carry them out. If your agency runs any kind of online or mobile app, it is highly recommended to provide these features within the application itself.
In our case, we looked at how we handle and store visitor and client data to make sure it can be exported into a widely readable format, or deleted entirely, easily and quickly. Article 20 asks for a structured, commonly used and machine-readable format; CSV is the practical choice and is provided by the majority of SaaS marketing apps, and JSON works just as well for nested records.
Requests must be answered without undue delay and at the latest within one month (Article 12(3)), which can be extended by two further months for complex or numerous requests as long as you tell the person within the first month. Therefore, it is important to create and document processes for how your agency will handle these requests.
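To make the export-or-delete step concrete, here is an added example (not Growth Labs' code) that answers an access/portability request and an erasure request across several stores. The three in-memory tables stand in for the CRM, mailing-list and billing tools an agency actually uses; their field names, the sample rows and the legal-hold rule for invoices are assumptions. It handles the two things that usually go wrong in practice: the same person keyed slightly differently in each tool, and records that cannot be erased because another law requires keeping them.

```python
"""Subject access export (Articles 15/20) and erasure (Article 17) across stores.

Added example, not Growth Labs' own code. The in-memory tables, their field
names, the sample rows and the legal-hold rule are assumptions.
"""
import copy
import csv
import io
import json
from typing import Dict, List, Tuple

Row = Dict[str, str]
Stores = Dict[str, List[Row]]


def make_sample_stores() -> Stores:
    """Constructed sample data. Each store keys people slightly differently,
    which is exactly what makes a real export or erasure fiddly."""
    return copy.deepcopy({
        "crm": [
            {"id": "1", "email": "ana@example.com", "name": "Ana Silva", "company": "Acme"},
            {"id": "2", "email": "bo@example.org", "name": "Bo Chen", "company": "Globex"},
        ],
        "newsletter": [
            {"email": "Ana@Example.com", "list": "blog", "opted_in": "2018-05-25"},
            {"email": "bo@example.org", "list": "newsletter", "opted_in": "2018-05-26"},
        ],
        "invoices": [
            {"invoice_no": "2018-0042", "email": "ana@example.com", "amount": "1200.00"},
        ],
    })


# Stores an erasure request cannot empty because a legal obligation requires
# keeping the record (Article 17(3)(b)); the retention period is an assumption.
LEGAL_HOLD = {"invoices": "accounting records kept for the statutory period"}


def _matches(row: Row, needle: str) -> bool:
    return row.get("email", "").strip().lower() == needle


def find_subject_records(stores: Stores, email: str) -> Dict[str, List[Row]]:
    """Case-insensitive match on email across every store."""
    needle = email.strip().lower()
    found = {name: [r for r in rows if _matches(r, needle)] for name, rows in stores.items()}
    return {name: rows for name, rows in found.items() if rows}


def export_subject(stores: Stores, email: str) -> Tuple[str, str]:
    """Return the subject's data as JSON and as CSV.

    The CSV is in long form (store, record, field, value) because the stores
    have different columns. Both formats are structured, commonly used and
    machine-readable, which is what Article 20 asks for.
    """
    found = find_subject_records(stores, email)
    json_text = json.dumps(found, indent=2, sort_keys=True)
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["store", "record", "field", "value"])
    for store, rows in found.items():
        for index, row in enumerate(rows):
            for field, value in row.items():
                writer.writerow([store, index, field, value])
    return json_text, buf.getvalue()


def erase_subject(stores: Stores, email: str) -> Dict[str, Dict]:
    """Delete the subject's rows in place, except where a legal hold applies.

    The returned summary is what you answer the request with: what was
    removed, what was kept and why.
    """
    needle = email.strip().lower()
    summary: Dict[str, Dict] = {"deleted": {}, "retained": {}}
    for name, rows in stores.items():
        hits = [r for r in rows if _matches(r, needle)]
        if not hits:
            continue
        if name in LEGAL_HOLD:
            summary["retained"][name] = {"count": len(hits), "reason": LEGAL_HOLD[name]}
            continue
        rows[:] = [r for r in rows if not _matches(r, needle)]
        summary["deleted"][name] = len(hits)
    return summary


if __name__ == "__main__":
    stores = make_sample_stores()
    print(export_subject(stores, "ana@example.com")[1])
    print(erase_subject(stores, "ana@example.com"))
```

Before running the export for real, verify the requester actually is the data subject (Article 12(6) lets you ask for more information when you have reasonable doubts); sending one person's export to another is itself a breach.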
We also highlighted in our Privacy Policy who to contact and how, in case anyone wants to exercise these rights. We are currently redesigning our website, and this aspect will be an important part of it. We want to make sure a person can easily issue any request concerning their data, and that it is done in such a way that allows us to respond quickly.
Employees and Contractors under GDPR
Most articles around the Internet dealing with the GDPR focus on how it affects marketing and email collection, but they gloss over a very important part: the information of your employees, contractors, and clients.
It is not just user or visitor data that marketing agencies collect; they also store the private information of their clients, employees, and contractors, usually for practical purposes. Contact details and billing information, for example, also constitute personal data.
Therefore, it is important that any security and processing measures you apply to visitor, contact, and client data are also applied to the handling of the personal data of your agency's employees and contractors.
Checking in on your Processors and Controllers
Like most agencies, Growth Labs uses cloud based storage (we use Google Drive), so we need to make sure our contract with Google contains the data processing terms that Article 28 requires between a controller and its processor; Google publishes a data processing amendment for exactly this.
This needs to be done for any third party software that your agency uses because it is likely they are all storing some personal data of either your contact list or your agency’s staff.
Likewise, if your agency uses contractors, freelancers, or other companies to help process data, they will need to sign updated contracts or addendums to it to make sure they understand and comply with GDPR standards. This step is crucial and to do it properly, a professional lawyer should really be consulted.
The contractor agreements will also need to stipulate what data processing activities they will take part in, what security measures your agency demands from them, and the rules they have to follow in handling the data. Article 28 also requires that a processor acts only on your documented instructions, keeps the data confidential, assists with data subject requests and breach notifications, and deletes or returns the data when the work ends.
Document your agency’s GDPR compliant processes
This is a great opportunity, if your agency hasn’t already done it, to document data and privacy security processes and standards. Not only should you outline the rules your contractors, freelancers, and employees should follow in processing data, but your agency should also evaluate where security risks are, what can be done to mitigate them, and how your agency will respond to requests concerning personal data.
Going through this process in a transparent way will help your agency gain trust and integrity. Complying with GDPR is important, but it is even more important that your agency is doing all it can to safeguard the sensitive information it has of its employees and clients from malicious, external forces. Doing so will also protect the agency itself.
The GDPR is vague on technical specifics: Article 32 asks for "appropriate technical and organisational measures" and names pseudonymisation, encryption, resilience and the ability to restore access after an incident as examples, without prescribing how. The general feeling is that a well documented and transparent process for storing, handling, and processing data is a good first step, as long as it is diligently followed. Take this opportunity to make your agency secure and consistent in protecting its data.
And please do consult a lawyer to at least make sure everything is in its right place. We did.