Once European regulators start enforcing the General Data Protection Regulation, don’t be surprised if brands with noncompliant sites try to shift the blame to their agencies. In the latest in our Confessions series, where we grant anonymity for honesty, a digital agency executive whose company helps build Fortune 500 companies’ websites said brands make agencies contractually responsible for GDPR violations. This conversation has been edited and condensed.
How has GDPR affected your agency’s work?
It feels like the decision-making is, “Let’s figure out how we can pass liability onto agencies as soon as possible because they’re the ones who are building these products.” In theory, it is your clients’ responsibility. But as the law was getting into place, all of a sudden all these Fortune 100 companies were immediately sending you an update to their MSA [master services agreement] that you’ve agreed on for years that is now saying, “If you are designing and building this, you are assuming responsibility for assuming the nuance of this law, and we won’t indemnify you if something is noncompliant.” So rather than understanding or caring about the intent of the law, it’s mostly just making sure they’re not going to be financially liable or responsible.
What can you do to avoid assuming full liability?
Typically with the MSAs, it’s, “if you want to keep working with us, you’re going to do this.” And we’re certainly not at a point where we would say, “No, we’re not going to work with you anymore because you’re making us liable for this particular law.” So we’ll understand the law and do our best in making sure we’re compliant.
How does it work? A regulator comes after a client, and the client tells the regulator to go after you instead?
I think what happens — and this has not happened yet — is that the company gets sued and then the company sues the agency. What we were told is even when there is no case, you still end up paying legal fees because they’re going to try to push the risk downstream. We’ve tried to make assumptions very, very clear in each contract, and try to supersede some of those terms, so there’s a clear understanding of risk. And then there’s capped indemnity.
So you can only be held liable to a certain degree?
Yeah, we would only be liable for up to X amount of something. Because the thing that’s hard is, if you’re doing a project for a few hundred thousand dollars, and someone gets sued for a million dollars and they try to pass that down to you, the level of risk and reward from a project standpoint changes. The other challenge from this is it changes project timelines and adds costs in the amount of development work. When the lawyers get involved, all the nice and fuzzies of relationships go away.
How do you account for those added costs? Do you tell clients that if the agency assumes liability, it costs 10 or 20 percent extra?
We wouldn’t have success if we structured it that way. They’re not going to give us a markup on something. So we bake into the project cost itself where there are these new or additional resources or additional time because they’ve added complexity from a requirement standpoint. It’s almost like another feature. And they can’t push back on that.
Have you talked with other agencies about banding together and pushing back on clients that pass on liability?
We haven’t done that yet. I would assume that until one of us has a significant issue come out, we’re probably all going to want to stay under the radar a little bit. Because it’s not every single client that’s doing this and passing that on. It’s one of those things where the more you flaunt certain things, the more likely that people talk about it and bring it into your MSA, or a lawsuit [occurs]. On some level, we’re waiting to see how the dust settles.