Please be informed that the IPA offices will be closed Friday 4th August.
We will respond to you as soon as we return on Monday 7th August.

A quick reminder of IPA GDPR guidance ahead of 25th May

There are only a few weeks to go before the GDPR comes into force on 25th May. The IPA Legal & Public Affairs team has produced various in-house guidance notes and has also worked with law firms to provide additional information and assistance for our members to help them comply with the GDPR.


What is the GDPR?

The GDPR is the most important piece of data protection legislation to be introduced in the EU for the past 20 years and will affect businesses in all sectors – including advertising - across all EU member states. Brexit will not affect the implementation of the GDPR in the UK. The GDPR will give people more control over how companies use their data, with large penalties for those that fail to comply, meaning that it is imperative that agencies are GDPR-compliant when handling their own or a client’s personal data.

For those not already up to speed with data protection issues, the IPA Legal & Public Affairs team produced this beginner’s guide to data protection compliance.

Controllers & Processors

Under the GDPR, agencies may be acting as either controllers’ (the organisation that determines the purposes and means of processing personal data) or ‘processors’ (the organisation that is responsible for processing personal data on behalf of a controller), depending on the circumstances. The IPA has produced guidance for agencies acting in both situations.

Agencies acting as Controllers

GDPR Pack – Produced in partnership with the law firm Bristows, the GDPR Pack contains notes on 10 key GDPR issues – including supplier contracts - and five template internal data protection policies, to assist agencies when acting as controllers, processing personal data for their own benefit.

Agencies acting as Processors

GDPR Best Practice Principles – The Best Practice Principles contain a set of six rules summarising some of the key obligations imposed by the GDPR that agencies will need to meet when handling personal data for clients as ‘processors’. Alongside the Best Practice Principles is additional Guidance which gives more detail on the obligations on processors under the GDPR.

Additional material

The IPA has created additional material for member agencies around the GDPR including:

  • GDPR clauses for agencies and clients, produced jointly with ISBA and the law firm, Lewis Silkin, to help them ensure that their responsibilities under the GDPR for entering into data processing agreements are met. There are two versions, one for ‘data light’ contracts and a second for ‘data heavy’ contracts.
  • A series of three webinars produced in partnership with the law firm CMS Cameron McKenna Olswang LLP:
    • Webinar I - A general overview of the existing law on data protection and what is changing under the GDPR.
    • Webinar II - A closer look at some of the key legal changes that agencies need to know about and what they need to do to comply with them.
    • Webinar III - A look at the draft E-Privacy Regulation and a summary of Webinar II.
  • An employment seminar on GDPR compliance within your own workplace produced in partnership with the law firm Lewis Silkin.

Visit our data protection hub for the full collection of the IPA’s GDPR guidance for members. For more information contact

Last updated 12/04/2018

Contact the IPA

ABCe audit Offical Webby Awards Honoree (2011, 2013)

Website, membership and content management software by Senior
Creative design by Igentics

Institute of Practitioners in Advertising (IPA)
© 2018 IPA. All rights reserved. No part of this
site may be reproduced without our permission.