Make sure your agency can comply with the IPA’s GDPR Best Practice Principles

The IPA has launched its GDPR Best Practice Principles to help IPA member agencies become GDPR compliant in readiness for 25 May 2018.

The Principles contain a set of six rules summarising some of the key obligations imposed by the GDPR that agencies will need to meet when handling personal data for clients as ‘processors’ under the new law.

The IPA has also produced Guidance which should further assist agencies in understanding how to comply with the Principles and which gives more detail on the obligations on processors under the GDPR. .The six Principles are:

  1. Security and notification of data breaches: Agencies will ensure personal data processed on behalf of clients (“client personal data”) is kept secure using appropriate security measures. Agencies will notify clients without undue delay when they become aware of a data breach.
  2. Accountability and governance: Agencies will ensure (a) responsibility for data protection is allocated internally at the appropriate level, (b) data processing activities are sufficiently documented, and (c) appropriate policies, procedures and training are implemented.
  3. Client instructions and clear contracts: Agencies will follow client instructions when processing personal data. Agencies will offer clients appropriate contractual terms covering data protection.
  4. Client approval of subcontractors: Agencies will not subcontract data processing for clients without the client’s consent and will ensure an appropriate contract is put in place with any subcontractor.
  5. Helping clients comply with their obligations under the GDPR, as required by the GDPR: Where required by the GDPR, agencies will assist clients with their obligations under the GDPR (such as responding to requests from individuals regarding their rights under the GDPR).
  6. Data Retention: Agencies will either delete or return client personal data on expiry or termination of the relevant project.

Says Richard Lindsay, Director of Legal & Public Affairs, IPA; ”The various obligations on businesses when acting as data processors are scattered throughout the GDPR. They are hard enough to find, let alone understand and implement. I hope that by gathering some of the key rules together in a short set of Principles, agencies will find it easier to work out what they need to do if processing personal data for clients. Clients can only use processors which provide sufficient guarantees of their GDPR compliance, so agencies adhering to the Principles should be in a good position to demonstrate to clients that they meet that requirement.”

Download the IPA GDPR Best Practice Principles and further guidance.

Visit our data protection hub for the full collection of the IPA’s GDPR guidance for members.

Last updated 21 January 2022