1. Home
  2. News
  3. Make sure your agency can comply with the IPA’s GDPR Best Practice Principles

Make sure your agency can comply with the IPA’s GDPR Best Practice Principles

The IPA has launched its GDPR Best Practice Principles to help IPA member agencies become GDPR compliant in readiness for 25 May 2018.

The Principles contain a set of six rules summarising some of the key obligations imposed by the GDPR that agencies will need to meet when handling personal data for clients as ‘processors’ under the new law.

The IPA has also produced Guidance which should further assist agencies in understanding how to comply with the Principles and which gives more detail on the obligations on processors under the GDPR. .The six Principles are:

  1. Security and notification of data breaches: Agencies will ensure personal data processed on behalf of clients (“client personal data”) is kept secure using appropriate security measures. Agencies will notify clients without undue delay when they become aware of a data breach.
  2. Accountability and governance: Agencies will ensure (a) responsibility for data protection is allocated internally at the appropriate level, (b) data processing activities are sufficiently documented, and (c) appropriate policies, procedures and training are implemented.
  3. Client instructions and clear contracts: Agencies will follow client instructions when processing personal data. Agencies will offer clients appropriate contractual terms covering data protection.
  4. Client approval of subcontractors: Agencies will not subcontract data processing for clients without the client’s consent and will ensure an appropriate contract is put in place with any subcontractor.
  5. Helping clients comply with their obligations under the GDPR, as required by the GDPR: Where required by the GDPR, agencies will assist clients with their obligations under the GDPR (such as responding to requests from individuals regarding their rights under the GDPR).
  6. Data Retention: Agencies will either delete or return client personal data on expiry or termination of the relevant project.

Says Richard Lindsay, Director of Legal & Public Affairs, IPA; ”The various obligations on businesses when acting as data processors are scattered throughout the GDPR. They are hard enough to find, let alone understand and implement. I hope that by gathering some of the key rules together in a short set of Principles, agencies will find it easier to work out what they need to do if processing personal data for clients. Clients can only use processors which provide sufficient guarantees of their GDPR compliance, so agencies adhering to the Principles should be in a good position to demonstrate to clients that they meet that requirement.”

Download the IPA GDPR Best Practice Principles and further guidance.

Visit our data protection hub for the full collection of the IPA’s GDPR guidance for members.

News

#

IPA reaction to Government plans to push ahead with C4 privatisation

IPA Director General Paul Bainsfair is 'deeply disappointed' by the Culture Secretary’s decision to push forward with plans to privatise Channel 4.

  • Published

    5 April 2022

Blog

tv remote.jpg

How many ads are too many ads?

IPA Media Futures Group Chair Tom George comments on ITV's and Channel 4's call for longer ad breaks.

tom george.jpg (1)

Tom George

5th September 2019

News

#

IPA welcomes Facebook shouldering its DST responsibilities

The IPA has welcomed the news that, unlike Google, at present, Facebook will not be passing on the cost of the 2% Digital Services Tax (DST) to its UK advertisers.

  • Published

    3 September 2020
Last updated 21 January 2022