General Data Protection Law

The new General Data Protection Law applied to advertising agencies

The new internet law will come into force in August 2020. Know your main points to prepare your agency and your clients for this change

Law 13,709 / 2018, known as the Data Protection Act (LGPD), appears to regulate the use of personal data collected on the Internet. It arises in a context of change between user interaction with public and private companies, which is increasingly digital. The standard has already been published and companies have until August 2020 to adapt in relation to the protection of personal data.  

In Brazil, 94.2% of Brazilians use the internet to communicate and exchange messages via email, applications, and text messages, according to a survey by the IBGE. The popularization of internet use has also changed the consumption dynamic: in 2018, 7 out of 10 Brazilians say they make regular purchases over the internet.

In addition to changing the dynamics of personal communications with the internet, the Brazilian General Data Protection Law comes at a time when large countries have organized to regulate the protection of data exchanged online, especially after the data leakage scandal by Facebook. In Brazil alone, 443,000 people had their personal data improperly collected by Cambridge Analytica, a number that represents only 0.5% of the total users in the world who had their information transferred.

With the LGPD, communication agencies must review their data collection and use processes for their digital customers. In this article, we will interpret the main points of the law and the impact on the service dynamics of service providers related to communication.

Demystifying the LGPD: What Advertising Agencies Need to Know

The main function of the General Data Protection Law is to regulate the protection of personal data collected by public and private companies on the internet. The main points of the law deal with the concession and use of data in the virtual environment.

It must be clear to the user the purpose of using the data requested by the company. On a landing page, for example, it is a good practice to indicate on the form the type of relationship that the future lead authorizes to be made with the data provided by him.

Responsibility for use and data collection

At LGPD, there is the responsibility of those responsible for the use and collection of data on the internet, which include advertising agencies and marketing analysts as co-responsible for actions taken with user data. Below, we interpret the main figures to which the law refers:

  • Holder: Person to whom personal data refer. The internet user, website visitor, or lead.
  • Treatment agents:
  1. Controller: “natural or legal person, under public or private law, who is responsible for decisions regarding the processing of personal data.” The controller figure in the LGPD can refer to both the agency and the agency’s client.
  2. Operator: “natural or legal person, under public or private law, who processes personal data on behalf of the controller”. As an operator, the law characterizes the actions and responsibilities of those who use the data, such as the inbound marketing analyst of the agency that serves the client.

Note that the law is concerned with giving responsibilities to all the figures that take care of the collection and processing of customer data on the internet, from the analyst to the agency and the company that is served. There is a joint liability for damage when:

  • The marketing analyst (operator), for example, fails to comply with data protection regulations
  • The analyst (operator) does not follow the lawful instructions of the client (controller) or the communication agency itself (controller)
  • The client (controller) or the agency (controller) are directly involved in the data processing carried out by the analyst (operator) and which results in losses.

 Internet law for communication agencies

As we have seen, the General Data Protection Law makes everyone responsible in the process of collecting and using the information on the internet for the correct and responsible use of the data. In this way, we are guaranteed a satisfactory experience for internet users and greater credibility so that the lead feels more comfortable interacting in the digital environment.

Communication agencies, consultants, and analysts must study the law and review their processes to ensure security in the handling of data.

Market education

A first step is to educate your customers with good data usage and storage practices, for example.

This can be an opportunity for the agency to educate its clients to choose safe data collection formats from potential prospects. It is common, for example, for a client to deliver a list of contacts to the agency and request that a relationship campaign is carried out with these leads. It is worth noting that it is essential to know the origin of the contacts and if there is, on record, consent from the leads on the use of their contacts for relationships.

In addition to being incorrect to relate to leads that did not authorize the contact by a certain company, there is also a breach of trust and expectation regarding the quality of the customer experience, which, most likely, will not close a deal with the company.

Contract review

The communication agency should take advantage of this moment of law adequacy to review its contracts with a specialized legal team to analyze if all items are in accordance with the LGPD. In addition to legal certainty for the agency itself, this is an opportunity to ensure credibility in contacting your prospect when drafting a new contract, for example.

It is worth noting that the contract review must be done both in documents intended for clients and for the hiring of people for the internal team and freelancers who, in the new law, are also held responsible for using illegal means in dealing with digital data.

Team training

It is important for the agency to have a general alignment of the team on the rules of the New Data Protection Law and that this is a constant process, including for the inclusion of new talents in the workforce.

With knowledge of the law’s applications, the employee has more information to ensure that they act correctly, in addition to having arguments to deconstruct dubious requests from customers, who are often not aware of the new law.

Best Practices for Data Security

Access permission

Reviewing access and permissions on digital platforms should be a habit in agencies. Often an employee is dismissed but still has access to a client of the agency’s software or social media, which could lead to future problems. Ideally, only allow access to people who are involved in the project and ensure that the level of access also matches the role.

For example, it doesn’t make sense for social media to have manager access on a social network. The manager can change passwords, add and delete people, and social media only needs to monitor the page and have permission to post and delete posts.

The access review must also be done with the client’s internal team. Align with your contact which people really need access to the company’s digital channels.

Be wary of lists

Remember that user data obtained digitally can only be used for the purpose consented by the lead, so when a client delivers a contact list to the agency, make sure the medium the lead data was used in obtained and if there was clarity in clarifying the use of these data.

Always ensure the origin of the data in writing before taking any action with it.

The lead is the boss!

In all ways of interacting with the lead, always leave the option open for him to decide if he no longer wants to have a relationship with the company. This is a great practice to improve the user experience and ensure a high rate of engaged leads.

In addition to the educational and legal bias, there are small tips that advertising agencies should put into practice to ensure a good user experience in digital media, in addition to the security of your company and your client. Here are some key actions that deserve attention.

Applying these tips to your agency’s day-to-day activities, I’m sure you’ll be on the right path. If you have any more good practices to share with us, leave them in the comments!