For FAQs sake; GDPR answers Agencies receive

We’re nearly there, about to enter into a new world – one that sees the end of inboxes being filled with requests to opt-in to random e-newsletters and subscriptions you never knew you had, because they genuinely respect your privacy. What a time to be alive!

And whilst GDPR intrudes our lives on a personal level, the professional panic is very real for many, unsure of the true impact it is going to have on their businesses, with latest figures claiming up to 85% of businesses are struggling to meet the deadline of this Friday!

I’ve been in the front row for many of the conversations we’ve had with our suppliers over the past few months, and I’m yet to see many (or any) articles that have shed any light on the types of engagement suppliers have shown agencies to help them tackle GDPR. So, I thought I’d have a crack at one…

Generally speaking, an agency should be a Data Processor (unless you’re hoarding data you have no right to claim as your own to sell or build products that you shouldn’t legally be doing) in most cases, meaning we’re a bit of a middle-man. Part of the chain without direct relationships with consumers. Reliant on everyone else (Publishers, Networks, Tech and Data Vendors, Clients etc) doing their bit to ensure proper compliance.

As such, it’s been important to get as much information as possible from our clients and suppliers to find out their strategy to achieve compliance, as many of the actions are outside of our control. A rather large mission in the Digital Advertising ecosystem [insert lumascape here], especially considering the different parts of the supply chain that will have to update different elements of a variety of their contracts, all after assessment of their own business processes.

Agencies have the duty to ask suppliers about their views on GDPR, their data storage and processes, cookie collection, privacy policies, partners, contracts, consent mechanism (the list goes on).

Evidently, there appears to be a variety of responses to any Agency asking for documentation to provide evidence of compliance with any Supplier to continue our working relationships without GDPR fear– which I’ve grouped into supplier types:

The Giants

“We are not able to use any customer’s own form of processor terms. This is standard for any one-to-many service."

• Laughs in the face of signing anyone else’s DPA or filling out a questionnaire.
• Has links to a dozen FAQs, policies and essentially answers to no-one’s specific questions, instead adopting a public facing policy.
• Sadly, they know you can’t live without them – so agencies and clients alike, prepare to sign away all your rights to continue to use their service. But have confidence in the fact they’ll have a 1,000-person strong legal team should anything hit the fan – additionally, everyone will be in the same boat. And that boat should be free from any cracks, given the work put in place with their policies and platform changes!

The Cooperatives

“Please find attached the requested signed and completed documents surrounding GDPR implementation. Please don't hesitate to reach out if you have any questions.”  

• Gives answers in depth to all questions, alongside additional information and links to any public documents to provide full reassurance they’re the best bet for buying from in a compliant manner.
• Appreciates the importance of providing clarity of their business position and is likely to have had this in place for some time.
• Probably never had dodgy data practices in placeto begin with, so had an easier path to compliance.

The Nervous

“Our legal team has suggested we send our DPA to you.”

• Generally unsure of why agencies would send such detailed questions and fears the answers they may provide could land them in hot water.
• May have their own DPA that no agency will sign – a DPA stand-off.
• Likely to have a lean sales team, limited legal advice and poses a risk to continue a business relationship with if no reassurances of business practice are ever provided as the year moves on.

The Overwhelmed

“Our business has been inundated with these requests not just across advertising but all business units. For that reason, we do not have the bandwidth to respond to each of them individually.”

• Not huge in terms of the scale of their operation, so operates with a small team.
• Claims the volume of requests has overwhelmed them / they don’t care enough about service to their primary clients (as Buyers) to fill out any specific questionnaires, instead relying on loose FAQs to inform of a general approach.
• Likely to rely on the terms of working towards compliance, if anything were to be questioned by the ICO, due to potentially struggling for sufficient resource in preparation.

The Risky

“Based on advice from our legal teams, our business is confident we can continue to operate as normal without GDPR effecting our sell.”

• Acts confidently about their proposition being 100% compliant due to ‘legitimate interest’.
• Will ride out for as long as they can until anyone gets hit with a fine for similar practices.
• May have a large percentage of business reliant on remarketing strategies.

And for all the questions asked and responses (or lack of) given, we’re still a bit in the dark as to which businesses will truly be 100% compliant (is it even possible to prove?!).

Due to the nature of the new law, a lot is left to interpretation – legitimate interest being the most prevalent of terms to be considered! Meaning each individual legal adviser may have a different assessment on what constitutes full compliance in the spirit of GDPR.

Thankfully, everyone should at least have their policies accessible online for any legal eyes to assess, checking over the level of risk they associated to their applied practices (particularly consent mechanisms, if applicable) and to make a call on using such services after the 25th of May. As well as the fact any bookings made by agencies will be possible to add T&Cs to the booking acceptance for further protection on any buy, which should be standard practice for most to have updated their terms for GDPR. On top of the “grace period” to become compliant (Recital 171) being a further cushion to prevent immediate panic for any current activity through the deadline date.

So, we’ll all still be in jobs next week, right!?

At the end of the day, everyone wants to protect themselves against any potential negative press for negligence or wrongdoing (for which I predict many a journalist jumping on small opportunities to target their enemies) or worse, a crippling fine.

Whilst no one is legally obliged to sign up to any agency’s DPA or fill out their questionnaires, the signal of intent to work in collaboration with agencies, to help them provide their clients with as much assurance of compliance as possible, will benefit the sales propositions who engage in just that. And for those unable to provide any satisfactory evidence of being GDPR compliant – it’s been nice knowing you!