What GDPR means when using a TCMA platform

This post is part of a series in which we explore how GDPR affects the channel, especially when using marketing automation tools. As we’re not legal experts, please consult with your own legal experts for specifics about your situation. 

Through Channel Marketing Automation (TCMA) platforms make GDPR compliance trickier as partners market their vendors to their (the partner’s) customers. Partners of vendors may resell their vendor’s products to the partner’s own customers or may service their vendor’s products. Depending on the type of relationship the partner has with the vendor, the partner’s customers may not know about the vendor. This is most common in reseller relationships in which the partners resell the vendor’s products to their own customers. 

Depending on how the TCMA platform is set up, this could mean that to be GDPR compliant, all the parties including the partner and vendor must get consent from the contact in order for the platform to process their data. In this case, the platform is acting as the data processor meaning that it is handling the contact’s data on behalf of the partner and vendor. 

What is GDPR? A quick refresher

The General Data Protection Regulation (GDPR) Act protects the personal data of European citizens and residents. It applies to everyone handling this data even if they aren’t located in Europe themselves. The key aspect of this act for the channel is that consent must be obtained before anything can be done with the personal data of European residents and citizens. 

Why does GDPR matter to the Channel?

In the channel, there are typically 3 parties involved in obtaining, using, and storing this data. They are the vendor, the partner, and a channel marketing automation company, such as xAmplify. Typically, this means that the party marketing to the contact must obtain the contact’s consent. In this case, this responsibility would fall on the partner. This obtained consent must be stored in each party’s records. 

For more information on this, see our Why GDPR is Important to the Channel post.

What is TCMA and how does the Channel use it?

Marketing Automation is the process of using technology to automate repetitive tasks such as sending emails, posting on social media, and more. It can also be used to personalize marketing campaigns such as addressing each campaign to a specific person. All of this personalization and automation make it easier to keep in touch with existing customers and to reach new ones. This makes marketing operations easier and frees up your sales and marketing teams to spend their time doing more important things such as market research and selling. 

Through Channel Marketing Automation is marketing automation for the channel. It allows vendors to share their marketing content via their partners to their (the partners’) customers. It also allows partner leads to be shared with vendors. 

How GDPR matters with TCMA

Depending on how data is stored in a TCMA platform, customer data could be potentially visible to people who don’t have consent to view that data. This could be due to permissions being assigned incorrectly where users of the platform can see data that they shouldn’t have access to or the appropriate consent was not obtained from the customer

When a partner uses a TCMA, they are marketing their vendor’s content to their customer. This means the customer must provide clear consent to receive marketing communications. Depending on the platform architecture, terms of service, and privacy policy, the customer may need to opt-in to receive communications from both the partner and vendor. 

Under GDPR, the customer must be aware of how their data is being used, stored and how it will be removed if requested. Therefore, the partner-vendor relationship has to be described in the terms of service and privacy provided to the customer. This ensures that the customer understands who could potentially have access to their data and how it will be used by the partner, vendor, or both. 

Contacts need to know what their data will be used for and the process for removing it if they ask. They also need to know how their data will be linked to analytics such as open rates. 

When looking for a TCMA platform, vendors should consider the following factors. 

  • Is customer data isolated? Who can access the data and how? 
  • How long is consent valid for? Does the consent have to be renewed? Is consent by the person uploading data into the platform?
  • How long is data stored on the platform? How are removal requests processed? 
  • How can contacts opt out of having their data stored on the platform? How is data scrubbed?
  • Are unsubscribe links embedded in all marketing materials and communications? Do customers have an easy way to remove themselves from the list?
  • How is data audited? 
  • What is the process for transferring data? 

All of these factors should be considered before the vendor moves forward with selecting a TCMA platform. If the vendor selects a platform without thoroughly considering these factors, they may run the risk of violating GDPR. The vendor also needs to ensure that they and their partners are implementing GDPR best practices such as:

  • Creating an audit trail for customer consent
  • Establish compliance procedures
  • Understanding the data processing infrastructure

The partner-vendor contract with GDPR

Under GDPR, both the partner and the vendor need to get the customer’s consent before doing any marketing. This will depend on the terms of service, the platform used, and the data architecture of the platform. As a result, both the vendor and the partner may be responsible for that customer data. The partner-vendor contract should clearly convey this as since both parties are responsible for customer data, they are responsible for any potential GDPR violations as well. 


Under GDPR, TCMA platforms must isolate customer data and only allow those authorized to access it. When obtaining customer consent, it must be made clear that the customer’s data will be processed/stored in a TCMA platform and they (the customer) may be marketed to by both the vendor and the partner. Finally, the partner-vendor contract must be adjusted to convey that both the partner and the vendor are responsible for the handling of customer data. 

Why is GDPR important to the Channel?

his post is part of a series in which we explore how GDPR affects the channel especially when using marketing automation tools. As we’re not legal experts, please consult with your own legal experts for specifics about your situation. 

Why we’re still talking about GDPR

In the past few months, numerous companies have had their security breached and their customer’s data privacy violated. Authorities are cracking down hard on companies who can’t secure their customer’s data and companies are finding that they need to update their data policies and rethink the way they gather and collect data.

While this is great for the consumer, it’s difficult for companies to actually do. It’s especially tricky in the channel space as more than one company handles a consumer’s data. Vendors, partners, and data processors such as marketing automation platforms all share consumer data. Each of these parties must comply with data protection regulations such as GDPR. 

GDPR is the most prominent of these regulations and can be tricky to navigate, especially as it applies to anyone who does business with anyone in Europe. We’ve created a series in which we explore how GDPR affects the channel, especially when using marketing automation tools.

What is GDPR?

The General Data Protection Regulation (GDPR) Act protects data belonging to European citizens and residents. It applies to any company that obtains and/or handles personal data belonging to these citizens and residents. This includes processing, storing, and transferring data as well. This is true regardless of where the company is located. So a software company in the US that handles European personal data would still have to comply with GDPR even though they aren’t located in Europe. 

Under GDPR, personal data can only be processed if any of the 6 specified criteria are met. For the channel, those criteria would be

  • Consent has been given
  • Processing data is necessary for the performance of a contract 
  • Legitimate interest


Like a medical consent form, the consent form for data collection must explicitly state why you are collecting the data, what it’s for, how it will be stored, and for how long it will be stored. This consent must be obtained from anyone whose data is being collected. For the channel, consent must be obtained from the customer/prospect, the partner and the vendor if using a data processor, an entity that processes any data you give it according to your instructions. An example would be Mailchimp who processes your contact lists and sends emails to those contact lists.  

Once consent has been obtained, it must be stored by everyone who interacts with that person’s data. For the channel, the vendor, the partner, and the data processor must keep the consent authorization for their records. Consent must also be renewed on a recurring basis and may be revoked at any time. 

Data Processing 

Under GDPR, data processing includes collecting, recording, storing, etc…pretty much anything you do with data would be considered data processing under GDPR. Examples would be

  • Collecting emails for a mailing list
  • Storing IP addresses for security purposes
  • Storing contact information in a marketing automation platform

Data processing must occur for a specific purpose such as collecting emails for a newsletter mailing list. You can’t just process data for whatever reason; it needs to be specific and clearly defined when asking for consent. 

Legitimate Interest

This is when your personal data is used in a way you would expect. The data collected for this purpose should be necessary for the organization to collect and the benefits of processing it should outweigh the risks. 

An example of this is someone uploading their resume to a job board such as Indeed. In this case, the person who uploaded the resume can expect recruiters, hiring managers and anyone else looking to fill an open position to contact them based on the information provided in the resume. 

Why is GDPR important to the Channel?

Under GDPR everyone who handles the personal data of European citizens and residents must obtain explicit consent in order to use, process, store, or transfer the data. In the channel, there are typically 3 parties involved in obtaining, using, and storing this data. They are the vendor, the partner, and a data processor such as Hubspot. All 3 of these parties must obtain consent from the prospect/customer. This obtained consent must be stored in each party’s records. This means that consent must be obtained from all 3 parties even though the vendor may not even be located in Europe. 

GDPR is tricky for the channel as obtaining explicit consent means that customer/prospect information has to be shared between the vendor and the partner. This is a large concern when using a through-channel marketing automation system as the partner will be sending the vendors’ campaigns to their (the partner’s) mailing lists. Currently, most marketing automation platforms that the channel uses don’t have the network/software architecture necessary to properly separate the partner’s data from the vendor’s data. This data separation is necessary to be GDPR compliant and since most platforms don’t currently have the separation in place, they run the risk of noncompliance. 

What are the consequences of a GDPR violation?

The penalties for violating GDPR are steep. Fines can be 4% of annual global revenue or more than 20 million euros which is roughly equivalent to $24,000,000. These fines are determined by a number of factors such as whether or not the violation was intentional, how soon it was reported, and whether or not the fined company cooperated with the authorities. 

Since data in the channel is handled by more than one party, it’s possible that if one party such as a partner is found to violate GDPR, the other parties such as the vendor may also be violating GDPR. This is why it’s important to ensure that all parties involved are GDPR compliant. 

How do I know if my partners are compliant?

It’s not just you who has to be GDPR compliant, but your partners too. Rather than leave your partner to navigate GDPR compliance by themselves, you should guide your partners through the process of becoming compliant. 

  1. Be on top of regulatory changes

Make sure to keep up to date with any GDPR and other regulatory changes and inform your partners of them in a timely manner. Be sure to check in with your partner at regular intervals to ensure that they remain compliant. These updates can be sent in your regular newsletter. 

  1. Rework your partnership agreement

Your new agreement will need to include a data-sharing clause as GDPR requires any data sharing to be disclosed to the consumer. This clause should outline what data will be collected, how that data will be used, and how it will be stored. It should also state how long the data will be held for and how it will be removed from both parties’ systems.

  1. Educate partners  

There’s a high chance that none of your partners have lawyers on hand to help them figure out how to be compliant. You should educate your partners on what GDPR is, how it affects them, and what the consequences are for violating it. Make sure to share material like checklists that will help them be compliant, host webinars, and provide additional support and training when necessary. 

  1. Establish compliance procedures and metrics

Make sure to lay out some metrics and procedures so that your partners can show you and others that they are GDPR compliant across all their platforms. These procedures and metrics will establish an audit trail that you and your partners can show the authorities if necessary. 

  1. Know when to let the relationship go

It sucks, but sometimes your partners may not want to be GDPR compliant. If that’s the case and you’ve tried everything to make them see that it’s necessary for their business, then it’s time to let them go. There are steep fines for noncompliance and if your partner gets fined, you might get fined as well. This is the last resort step. 


GDPR is the most prominent data protection regulation that affects a large number of companies. Everyone who handles the data of European citizens and residents must comply with it or risk being fined up to 4% of their annual global turnover. Under the regulation, companies must obtain consent to handle a consumer’s data. They must also have a data policy that lays out how they will collect, use, share, store and destroy the data that they obtain. 

For the channel, the vendor, partner, and data processor (ex. A marketing automation platform) must be compliant. Each party must hold a copy of the consumer’s consent and have a data-sharing agreement in place. Vendors can help their partners become compliant by educating partners and establishing compliance procedures and metrics.