The European marketing and MarTech industry is turning its attention to data privacy and security as May 2018 approaches: on 25 May 2018 the new EU General Data Protection Regulation, or GDPR, takes effect.

The regulation aims to protect individuals' right to privacy and to secure the processing of their personal data. What makes it interesting is its impact on both the companies that collect personal data (data controllers) and the companies that process it on their behalf (data processors): both can be held liable for non-compliance, and the fines are hefty (up to EUR 20 million or 4% of annual worldwide turnover, whichever is higher).

According to ObserveIT:

“Most data breaches can be traced back to the activity of a single user. The people who have access to an organisation’s network – including third-party contractors, IT privileged users and business users – today pose the greatest security threat to organisations.”

This means that information security is not just the data controllers' problem: to build a secure and GDPR-compliant solution, controllers need to work closely with their processors. As a data processor, it is your responsibility to make sure you are not the weak link for the controllers you work with.

How can data processors drive GDPR compliance?

Data processors are companies that process personal data on behalf of controllers and only on the controllers' documented instructions. Cloud providers, data centres and marketing software vendors can all be data processors.

Let’s take a closer look into what kind of measures data processors need to take in order to become GDPR compliant:

What does the new legislation mean for data processor companies?

The regulation creates several requirements; here we have picked a few important ones for you to consider:

  • Data protection officer: Controllers and processors whose core activities involve large-scale or systematic monitoring of individuals, or large-scale processing of special categories of data, must appoint a Data Protection Officer (public authorities always must). The DPO is the in-house expert on data protection law and on the state of the company's information security, must be able to act independently, and reports directly to the highest level of management.
  • Data protection by design and by default: Privacy and security start in product development, so companies need to apply secure design practices when building their products and ship privacy-protective defaults. Information security should become a core value for the business, not a decorative sentence on a website.
  • Consent: Consent is one of the lawful bases for processing personal data. Where a controller relies on it, the consent must be freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give. As a processor you cannot supply this basis yourself, but you should give controllers the means to record exactly what each individual agreed to and when, and to honour withdrawals.
  • Right to erasure ("right to be forgotten"): Individuals can demand that a controller delete their personal data, and the controller must then make sure it is removed from every system that processes or stores it, including those run by processors. Processors must therefore be able to locate and delete a given individual's data across all devices, servers and backups, and document how they do it.
  • Right of access: Individuals have the right to know what personal data is held about them, how it is processed, where, and for what purpose. To support this, processors should make their operations transparent to the controllers they work with. Moreover, controllers may collect only data that is adequate, relevant and necessary for the stated purpose (data minimisation): there must be a clear reason behind every piece of information collected.
  • Breach notification: A processor must notify the controller without undue delay after becoming aware of a personal data breach. The controller in turn must notify the supervisory authority within 72 hours unless the breach is unlikely to result in a risk to individuals' rights and freedoms, and must inform the affected individuals when that risk is high. Processors therefore need to detect breaches quickly and have the facts (which data, whose, how many records) ready for the controller.

It’s time to get ready!

The new regulation pushes data security into the spotlight in organisations, and the shift in emphasis should begin now. Here are a few tips to help you get going:

  • Implement an information security policy and carry out the measures it describes. The practical tasks may include improving how personal data is handled (encryption, documentation, access logging, tightening user rights) and training staff on information security and the GDPR. A good way to ensure you have a well-documented policy in place is to follow an established standard such as ISO/IEC 27001 or the ISF Standard of Good Practice for Information Security.
  • Analyse your current development practices and build security into everyday development work: review every design decision from a data protection perspective, and test for security defects before release rather than after.
  • Map where personal data is collected, stored and processed, who has access to it, and why each item is collected. This gives you a transparent picture of the data flow and identifies the changes that need to be made before the GDPR takes effect.
  • Make it possible for the data controllers you work with to gather specific marketing permissions from their customers, and to record and withdraw them.
  • Create a breach response process: put in place the controls (logging, monitoring, access alerts) needed to detect and track breaches, and a documented procedure to contain them and notify the affected controllers without undue delay.

Read more about how we at Agillic keep data safe, by visiting our Tech page or reach out to us at to learn more.