To help streamline the steps your organisation needs to take to comply with the new General Data Protection Regulation (GDPR) coming into force on 25th May 2018, the IPA, in partnership with Bristows LLP, has produced a set of useful templates and guidance notes - the IPA's GDPR Pack - to help steer you in the right direction. Visit our data protection hub for the full collection of the IPA’s GDPR guidance for members.

IPA GDPR Top Ten Practical Steps Guidance


On 25 May 2018, existing data protection law across the EU will be replaced by the General Data Protection Regulation (“GDPR”). This Guidance and the GDPR Pack of template documents it includes is intended to help agencies comply with the GDPR by enabling them to update their own internal policies and procedures where they are processing personal data as ‘controllers’ - for example, supplier, client or agency staff information (rather than where they act as ‘processors’ for their clients).

Why the need for this Guidance and the GDPR Pack?

In practice, agencies are unlikely to be processing significant volumes of personal data as controllers. However, the GDPR expressly introduces an “Accountability” principle: agencies will need to be able to demonstrate that they are consistently complying with the GDPR in the ordinary course of their businesses. The GDPR should be embedded throughout your agency, staff trained and, among other things, appropriate data protection compliance policies put in place, hence the GDPR Pack.

Some parts of the GDPR will have more of an impact on some agencies than others, depending on your agency’s size and internal complexity, as well as the volume and sensitivity of the data which your agency holds. For certain agencies, the template policies we have produced for the GDPR Pack may be overly complex. For others they may be overly simple. There is no one size fits all, particularly given the range of agencies which make up the IPA membership.

The GDPR acknowledges that data controllers need only to implement policies and procedures which are proportionate to the data controller’s business and the risks associated with its activities. It may therefore be that certain elements of the template policies making up the GDPR Pack can be scaled down. However, the policies represent the minimum baseline requirements of the GDPR, so caution should be used before making changes.

How to use the GDPR Pack

The template policies making up the GDPR Pack are examples and to be used as starting points only. They are not intended to be used ‘as is’. You should review and customise them to fit your agency’s business. They will not on their own make your agency GDPR compliant – but they should help.

There are various square-bracketed ‘placeholders’ throughout the template policies where the “relevant agency contact” should be inserted. This refers to the individual or department within your agency who will be responsible for data protection compliance and ensuring the relevant requirements of the policy are satisfied. In larger agencies with in-house lawyers, the relevant contact is likely to be the legal team. In smaller agencies with no in-house legal resource, it may be a senior risk manager or someone in the finance or HR team. (For agencies with no in-house lawyers, you should consider seeking external legal advice where necessary.)

The template policies are designed to work in conjunction with each other as well as any other policies and procedures your agency may have. Where the names of other policies are referred to in the various documents, they have been put in bold and underlined to indicate that you could make them accessible via a link (for example if the policies are made available on your agency’s intranet). They also include highlighted guidance notes and square-bracketed words. These should be read and dealt with and then removed before implementing the relevant policy. Each also includes some background guidance notes in red at the start of each document to help explain the purpose of the document to you. These red notes should also be removed before implementing the final, clean version of the policy.

The Structure of this Guidance

This Guidance is set out in the following 10 sections which cover some – not all - of the most relevant areas of the GDPR and it includes the various template policies and other documents making up the GDPR Pack. Each section is written as a stand-alone note, following a similar format (and containing identical instructions in places). Each gives a brief explanation of what the law requires, what you actually need to do and how the IPA can help.

  1. Supplier Contracts
  2. Client Contracts
  3. Accountability and Governance
  4. Records of Processing Activity
  5. Data Protection Impact Assessments
  6. Data Retention
  7. Individual Rights
  8. Data Breaches
  9. Privacy Notices
  10. Consent

To launch the IPA's GDPR Pack, Sacha Wilson of Bristows LLP hosted a seminar for agencies to outline it's contents. Watch the full seminar.

In addition, the IPA has previously issued various guidance notes and updates regarding the GDPR. In particular, see the IPA Legal Guidance Note - Data Protection for Advertising (May 2016) which gives a brief overview of some of the key terminology in the GDPR (such as “personal data” and “processing”), as well as the distinction between “data controllers” and “data processors”, and the IPA Legal Guidance Note - Data Protection Compliance Note for Agencies – Beginners Guide (March 2017). The IPA has also produced three webinars regarding the GDPR.

If you have any questions regarding this guidance or the supporting documents please contact the IPA Legal Team.

With special thanks to Sacha Wilson at Bristows LLP for his work in helping to produce the IPA’s GDPR Pack.

Last updated 01 May 2024