GDPR in practice â what marketers need to know before sharing data with service providers | DMA

Filter By

Show All

Connect to


GDPR in practice â what marketers need to know before sharing data with service providers

The GDPR puts any customer data shared with your service providers under the spotlight.

Training, good data practices and technology can reduce risk when transferring and sharing data; but the most secure approach is to minimise the data being shared and should there be a breach, to have made that data as low risk as possible.

Data security belongs to marketers as much as technology teams

The data security obligations for marketers are changing. This guide isn’t about encrypted data, firewalls and network security. Instead, this guide is for you, explaining how the way you work can either help protect your customer data, or put that data at risk.

Digital marketers increasingly rely on cloud services, service providers and third-party social, enhancement and validation plug-ins. The GDPR reflects this trend and expands your data security obligations to make you responsible for verifying that the software or services you choose to use meet these new information security standards.

So, if you share data with any other company, link or integrate with another organisation, upload data or use online service or in any other way give another organisation access to your data you need to be able to show that you have checked that they are trustworthy and can look after your data.

For the rest of this document we’ll refer to these scenarios as sharing data, but it’s important to remember that this includes any scenario where another organisation is granted access to your data, which could include:
  • Cloud data storage
  • Online CRM
  • Internet-based services, such as analytics, reporting, email or SMS
  • A technology partner who has either has direct access to your data; or where you transfer the data to them
  • Data correction, validation or enhancement service
  • Social media plug-ins

This guide explains the type of risks which need to be considered when you share data. It’s certainly not exhaustive because how you use data are unique to you. But if you’ve not considered this before, this is a good place to start.

The reality of data breaches

When you think about data protection you may conjure an image of a hacker typing away in a darkened room trying to gain access to your database. If you run an image search for the word “hacker” you’ll see the conventional imagery which accompanies data protection and information security. The reality is a little different. Not every data breach is a sophisticated attack bypassing your expensive information security systems. In fact human error, poor working practices and opportunism are the main causes of data breaches.
Current UK data security incident trends are shown here by the ICO: Data Security Incident TrendsThe annual Baker Hostetler Data Security Incident Response Report shows a similar picture in the US.

When sharing data, where and when is your data at risk?

It’s unlikely that your data is at risk when it is in your password protected database, behind the firewall on a secure and monitored network, in a hosting centre which needs biometric ID to gain entry. Instead it’s more likely to be at risk when you and your team are using it, so it’s important to understand where data can be vulnerable.
When you are using and sharing data the areas of vulnerability are:
“In transit” (being transferred between systems or organisations)

Concepts to understand:

  • Limit data transfers to what is necessary
  • When you transfer data, use a secure transfer mechanism (SFTP, FTPS, HTTPS)
“At rest” (when stored)

Concepts to understand:

  • Store data in a secure way.
  • You will have a database or CRM system, so avoiding keeping files on shared networks or personal devices
  • Avoid having multiple copies of data to look after and protect.
  • Only store data which is necessary. For example, payment and address information may not be necessary after a purchase has been made.
  • Share only the data which is necessary. You may need the full contact details of a customer, but your service provider may only need a location code.
  • Delete data when no longer needed.
When being displayed on a screen or printout

Concepts to understand:

  • Keep the information available and on display to a minimum, restricted to access requirements
  • Because opportunism is also a likely cause of a data breach, avoid putting anything sensitive on display in an email or in an app which could be seen if a laptop or phone was left unlocked. Printed-out material are often the cause of a breach when not destroyed properly, so keep printable information to a minimum.
  • Audit access to applications
  • Disconnect or log out when applications, devices or connections are not in use

Your GDPR obligations when sharing data

The GDPR backs up these risks with new statutory obligation to both ensure and demonstrate that data security is appropriate, not just in your systems, but when being processed or transmitted.

In practice you have to be able to show that:

  • You have assessed or audited your software, service providers and partners, and can show that you only share data with software and organisations which meet the new information security standards; and
  • You only share the minimum data which is necessary for that service or process

Sensible substitutions when sharing data

Certain data types are more useful for hackers and those organisations which collect data for fraud and phishing attacks.
You can often lower the risk of your data, showing that you are protecting data, by substituting risky data with something less risky, but still useful to you. Here are some examples which can help you meet your security and “minimum data” requirements when sharing data.

Ideas for substituting risky data

Data type

Risk rating


What is the risk

Ways to minimise the risk

If this data must be used as part of your email or SMS transmissions

Financial and purchase information


Account balances, payments and purchase information

Embarrassment and potential sensitivity should this information be disclosed to the wrong person

Don’t transfer this information outside of your own systems

Use secure websites and mobile apps to display this data to customers rather than using SMS or email

Determine the minimum necessary for that purpose.

Use a secure transfer mechanism (SFTP, FTPS, HTTPS)

Financial account details


Bank account, sort code, debit and credit card numbers


Remove this data from your own systems when no longer needed

Don’t transfer this information outside of your own systems

Obscure part of the account or card numbers, showing enough to identify the account or card, showing you are a genuine sender, but keeping account and card information private.

Login details


IDs, usernames, account numbers

Identity theft and used to gain access to accounts.

Don’t transfer this information outside of your own systems

Ask yourself if these really need to be in the email or SMS

If you do need to use these login details in Communicator, can they be partially obscured?



Theft, identity theft and used to gain access to accounts.

Store them encrypted in your own systems

Don’t transfer this information outside of your own systems

For more information

At Communicator our aim is to be the most trusted email service provider. To fulfil our GDPR service provider obligations, our compliance and technology teams spent most of 2016 becoming ISO 27001 accredited. Our guides come from the practical,real-life experience of our expert compliance team. To find out more you can read our guides on email marketing and GDPR compliance, here:

Hear more from the DMA

Please login to comment.