A quick reminder of IPA GDPR guidance ahead of 25th May
What is the GDPR?
The GDPR is the most important piece of data protection legislation to be introduced in the EU in the past 20 years and will affect businesses in all sectors – including advertising – across all EU member states. Brexit will not affect the implementation of the GDPR in the UK. The GDPR will give people more control over how companies use their data, with large penalties for those that fail to comply, meaning that it is imperative that agencies are GDPR-compliant when handling their own or a client’s personal data.
For those not already up to speed with data protection issues, the IPA Legal & Public Affairs team produced this beginner’s guide to data protection compliance.
Controllers & Processors
Under the GDPR, agencies may be acting as either ‘controllers’ (the organisation that determines the purposes and means of processing personal data) or ‘processors’ (the organisation that is responsible for processing personal data on behalf of a controller), depending on the circumstances. The IPA has produced guidance for agencies acting in both situations.
Agencies acting as Controllers
GDPR Pack – Produced in partnership with the law firm Bristows, the GDPR Pack contains notes on 10 key GDPR issues – including supplier contracts – and five template internal data protection policies, to assist agencies when acting as controllers, processing personal data for their own benefit.
Agencies acting as Processors
GDPR Best Practice Principles – The Best Practice Principles contain a set of six rules summarising some of the key obligations imposed by the GDPR that agencies will need to meet when handling personal data for clients as ‘processors’. Alongside the Best Practice Principles is additional Guidance which gives more detail on the obligations on processors under the GDPR.
The IPA has created additional material for member agencies around the GDPR including:
- GDPR clauses for agencies and clients, produced jointly with ISBA and the law firm, Lewis Silkin, to help them ensure that their responsibilities under the GDPR for entering into data processing agreements are met. There are two versions, one for ‘data light’ contracts and a second for ‘data heavy’ contracts.
- A series of three webinars produced in partnership with the law firm CMS Cameron McKenna Olswang LLP:
  - Webinar I - A general overview of the existing law on data protection and what is changing under the GDPR.
  - Webinar II - A closer look at some of the key legal changes that agencies need to know about and what they need to do to comply with them.
  - Webinar III - A look at the draft E-Privacy Regulation and a summary of Webinar II.
- An employment seminar on GDPR compliance within your own workplace produced in partnership with the law firm Lewis Silkin.
Visit our data protection hub for the full collection of the IPA’s GDPR guidance for members. For more information, contact Legal@ipa.co.uk.
Last updated 12/04/2018