GDPR Checklist for Clients & Web Agencies

Some of our clients have put the brakes on a project due to the uncertainties associated with GDPR.

As an agency that has been in the game for 20 years, we were keen to get advice on where we sit within the incoming regulation, and on how we can best serve the technical compliance needs of our clients.

As a quick update for those who don't know: the General Data Protection Regulation, adopted by the European Parliament and Council, applies from 25 May 2018.

You need to be ahead of this regulatory change or you face the risk of very large fines (the regulation allows fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher).

We enlisted the help of business legal consultancy Lex Solutions and spoke to Manu Kanwar about how tech businesses should prepare.

Below is a summary:

You need to run an audit of the personal data you hold and document your answers to the following questions:

  1. What consent do you have for holding this data?
  2. Is that consent sufficient for GDPR purposes?
  3. Who are you storing the data with?
  4. Do you have proper GDPR contracts in place with those storage providers and processors?
  5. Can you effect someone's withdrawal of consent and removal from your database?
  6. Are all of these processes documented?

Number 6 is key: you need to be able to demonstrate your processes if you get a call from the ICO (the UK Information Commissioner's Office).

Big companies are terrified about getting lumped with a huge fine.

All companies need to be aware of what data they have and where it is stored, and to be sure that they can access it when they need to.

The regulation also restricts transferring personal data outside the EU without appropriate safeguards.

It comes into force on May 25th this year, and everyone needs to be compliant by then.

In some countries it will be a process of simply codifying what is already there, just in a more onerous way. In short, you must be able to show that:

A. You have the consent to process and hold people's data.

B. They have the right to withdraw that consent.

C. You are storing it securely.

D. You have proper agreements with any other processors you might be dealing with.

Then decisions need to be made about whether you need to hold certain details at all. You may not need explicit consent if the processing is necessary for the relationship itself.

Some relationships, such as that between employer and employee, require some data in order to function. Therein lies the implicit consent.

Web agency preparation checklist for GDPR

  • We are ourselves compliant with GDPR.

  • Our liabilities with regard to client data are covered off.

  • We are helping our clients with their obligations too.

In most cases clients will have their own lawyers and advisors. So a web agency such as 3B simply needs to make sure that documentation is drawn up between the agency and each client, and that the client's lawyers can agree to it.

Some clients have sent us 5 or 6 documents to sign in preparation for future ongoing work, and the documents are asking questions such as "where is this hosted?".

We’re responding saying ‘well, where do you want it?’

We ask them "are we your data processors?" and they don't really know. They're using boilerplate documents, which is raising more questions than answers for us.

In order to properly understand

MK: Look at where you are at the moment: look at your own data (quite easy to do) and at client data.

 

DM: What's defined as "consent"? Is it just a privacy policy, T&Cs etc.?

MK: Explicit, unequivocal consent. The things you mentioned just won't be enough. It would be good to have a tick box, and a privacy policy which backs that up.

Run an audit to see which consents you had for that; it probably needs to be cleaned up, i.e. you need "re-consent". You'll need to go back to them with an updated privacy policy or something like that.

Most often people are going back and getting people to re-permission/consent.

JB: If people don't respond to those emails or give permission/consent, what then?

MK: Probably best they assume that they don’t have consent and that it should be removed.

JB: Weirdly clients are OK with that.

MK: It gives consumers better confidence about where their data is and how it’s being used.

The database that you have will then be clean, and there are no repercussions in the meantime as you'll have consent.

JB: Marshall Arts hold their email database in Mailchimp, but they have imported the past lists of people who've bought tickets from Ticketmaster etc. They send over 100,000 records to me; everyone who hasn't ticked "consent to be contacted by 3rd parties" is removed, then the emails are cleaned out for spam and added to Mailchimp. They're putting people directly into a list without going for a double opt-in. They haven't had any backlash, but they're aware of the need to ensure they're compliant.

MK: It sounds like Ticketmaster shouldn't be sending those emails for the people who ticked "I do not want to be contacted by 3rd parties". It depends on the Ticketmaster contract, and on Ticketmaster's responsibility to get the consent beforehand. They probably need to re-permission that.

MK: Your contract with Marshall Arts should put the onus on them to get consent to process the data, and to handle the process of removing that data if someone opts out.

DM: If Ticketmaster don't get the appropriate permissions but think they do, and share the data with Marshall Arts, are Marshall Arts liable at all?

MK: Potentially they’re both responsible. 

DM: What can someone in Marshall Arts do to protect themselves?

MK: They need to ensure their contract with Marshall Arts is watertight. Then they need to repermission their data.

MK: I think, going forward, Ticketmaster are going to have trouble saying "we're going to give this to 3rd parties"; they need to be specific regarding WHO (potentially even the identity of the company, beyond "the venue", "the promoters" etc.).

JB: Everyone right now is putting brakes on projects or spending vast amounts on getting advice to ensure they’re compliant.

JB: What's your opinion on cold business emailing? AB and JB have been doing a sales drive this month: we went on to an association, got a list of all those websites, and from that I've got screenshots of those sites. I've got thumbnails, can see if they look crap, can click through to them and call them, that sort of thing. Would you say that's alright?

MK: Yeah, it’s all public information.

MK: If for instance you did that with all of the heads of marketing for all of those different companies?

JB: Tell me a bit about your company.

About Lex Solutions
MK: We're a legal consultancy, not a "law firm", and we provide strategic commercial advice. In some cases we're acting as .

I was at Yahoo for 6 years as in-house counsel.

My team became the team between the legal and business teams.
With smaller clients I'll act as a GC, and they only need one for a day, or half a day, a week etc. Projects come and go and we give them advice when they need it.

Sometimes bigger clients handle deals in house, but we can help them to have better internal processes and to be better aligned, navigating sales enthusiasm against legal risks.

Contract management systems to help them manage, negotiate and execute contracts all within the tech. Depending on the client we’ll recommend the appropriate tool for them.

If there’s a litigation matter or anything specifically legal I’ll bring in an outside team to advise. We see ourselves as an extension of the internal team.

We are a collection of freelance lawyers that work well together. We all work remotely or in client offices.

3B GDPR Compliance
Jack references the list of clients at https://docs.google.com/spreadsheets/d/15zzVk6y2L70uWhc7EbmOrAWkjaQ-nmNy-BgsywYhTXM/edit#gid=0.

DM: Do we have greater liability if we manage the hosting?

MK: You'll need to back that off with your own hosting provider, but yeah, potentially. You'll have a contract with your client to agree to host their data. You'll need a tight contract dealing with that.

JB: We use AWS for some of the bigger clients, and sometimes we use Pantheon (who host with AWS in the US). Most of the 3rd-party tools we'd plug in are hosted with AWS in the States, which concerns some people. We really only tend to work with 3 hosting providers.

AWS have big resources on their site which we’ve started to look at.

Pantheon - not sure

Siteground - not sure.

Most clients will use Mailchimp for email marketing and Google Sheets for processing and tweaking data.
They'll also have databases. For example, one client has 3000 radiologists (job title, work address, mobile phone number, who referred them) stored on a website which we built and advised them on, all within a Joomla content management system. The news articles are in the same database as the membership. The only encrypted piece of information is the password; everything else is in plain text. That to me doesn't fit well with GDPR.

MK: No, that’s not properly secure.

DM: In terms of storing things in a different database, how separate do they need to be?

MK: Somewhere else entirely is more demonstrable, but you'll need to do it on a case-by-case basis. But don't forget that you're a data processor. You want to be able to work out "what do we think is reasonable?", then recommend that to your client, but ultimately it's their decision.

Actions.
3B to add a column about "do WE hold or store data for them?".
Then we need to tell each client where their data is, what to consider, and whether they need help discussing this. If they need help with it, we know someone who can consult on this for some kind of fee. But WE need to make sure they're compliant in advance, which means we have to be on this right away.

MK: If they say ‘don’t worry about us’ even if YOU know they’re non compliant, then that’s an issue.

JB: If they don't have the money, we might say "in this case, we will move the database to hosting which you control", so we can log in, make changes, and leave it in their control.

MK: A. Where they're at right now. B. What the options are. C. What the contract says (this needs to be watertight).

If you suspect there aren’t things being done right, then you need to tell them to fix it.

MK: We'd need to look at the GDPR consent rules; perhaps the nature of the membership is that they need to have their email address for the membership relationship to work. We need to look at all of that. The way to start would be to look at 3B's own liability and responsibility, then figure out what advice to give clients, and then make them aware that there are issues which they need to look at.

There’s no point spending a load of time on it for them to say ‘we’ll look into this ourselves’.

JB: To minimise our liability, it seems we should check on the contracts we have in place already regarding data, ownership, control and consent.

MK: I could send you a questionnaire about the things you want to be thinking about.

What data you have, where it is, what consent you have for it.

MK: From there we can look at some client projects, look at the forms etc, and I’d be happy to speak to them if necessary.

DM: It doesn't seem like there's a line to say "these are the steps to take".

MK: There are clear-cut rules about what you can and can't do, should and shouldn't do; the grey areas will be the only places where you really have to make decisions. You need to demonstrate that the data is secure and adequately protected, and stored in Europe (unless you have certain permissions to take the data outside of the UK).

JB: And we want to establish ourselves as processors.

MK: You should run an audit as mentioned above.