Wednesday, January 18, 2017
by Charlotte Steel


Working in a full-service advertising agency, we are lucky enough to generate some awesome campaigns with snappy straplines and colourful creative, but we understand the importance of taking the behind-the-scenes work just as seriously – and at Denfield, we do just that. That’s why to kick-start the new year, we’re going to talk about data protection!

It’s an incredibly important topic that impacts all UK and EU businesses, especially with the new GDPR (General Data Protection Regulation) legislation changes coming into force next year – the Information Commissioners Officer (ICO) will be increasing fines to £20 million or 4% of the company worldwide turnover, whichever is higher, should a company be found guilty of a major data breach.

The new changes apply to all UK-registered companies that operate on a B2B and/or B2C basis, so make sure you stay informed about the latest updates from the ICO ahead of 25th May 2018 – you can do so here.

How the new changes impact working with marketing agencies

Good news, the changes to the GDPR have a positive effect on the relationship that a client has with their marketing agency as it encourages more robust procedures, better communication and more transparency for their customers… what’s not to love?

Data Controller and Data Processors

When a company appoints a marketing agency to create and fulfil campaigns for their customers, therefore handling customer data, the company is known as the ‘Data Controller’ (owners of the customer data) and the agency is known as the ‘Data Processor’ (processors of the data as instructed by the Data Controller).

The main changes are that both parties will become responsible for keeping and maintaining records of when and what they have used customer data for. This means that a record will need to be documented to detail the date and type of data that was accessed and shared, along with information about the campaign to justify accessing the data in the first place.

Under the new legislation, companies cannot share data that is not necessary for the purpose, so for example if there was no need for the client to share the customer’s home address along with their email address or phone number then it wouldn’t have been justified for the campaign.

How to share data

Even though it is a current requirement that all customer data must be shared securely, it isn’t commonly practised, so here is a little reminder of the basics when it comes to sharing data:


  • Share the minimum required data for an intended purpose securely via a secure server or system such as ShareFile.


  • Share data via email.
  • Share data via removable storage devices (such as USB sticks).
  • Share data via unsecure file sharing services (such as WeTransfer).
    • This is not overridden if the document is password-protected. All files containing customer data must be shared securely.

The rules are becoming stricter, but don’t forget that it’s for a good reason – customer data is the lifeblood of our businesses and it’s crucial that we take these changes seriously. Data isn’t just a bunch of letters and numbers, it is made up of real people with their own lives, interests, responsibilities and needs, and it is our job to respect and look after them. In short, the sooner we digest and implement the new changes, the better!