As part of their standard setting for the industry, ISBA and the IPA have worked together with specialist data protection lawyer Simon Morrissey, of law firm Lewis Silkin to create suggested GDPR clauses to be used as a variation addendum to client/agency contracts.  There are two versions, one for ‘data light’ contracts and a second for ‘data heavy’ contracts.

The suggested clauses represent the minimum requirements in the creation of a Data Processing Agreement (DPA) as required by GDPR. There must be an agreement between the parties and it must contain certain contractual obligations imposed on the data processor. A DPA can be created either as a separate agreement or can be included within an existing client/agency agreement.

Terms can be used to create a DPA for new appointments which come into effect after May 25, 2018; or for existing relationships in force after 24 May 2018 where a variation addendum to the contractual terms can be created.

The clauses are now available to all ISBA and IPA members to download.

Debbie Morrison, Director of Consultancy and Best Practice, ISBA said “Preparing for GDPR is currently high up on the agenda of all ISBA members and ensuring client/agency contracts are fit for purpose come May 25th is of paramount importance.  Working collaboratively with the IPA and a specialist lawyer has ensured that the new suggested clauses we have created will at least help both parties set basic standards and ensure each is fully briefed on expectations and importantly that activities are within the law.”

Says Richard Lindsay, Director of Legal & Public Affairs, IPA: “Agencies and advertisers are by now well aware of the GDPR and its start date of 25 May. The IPA approached ISBA and Lewis Silkin some time ago in order that we could work together on creating a set of contractual GDPR clauses for the industry in good time. IPA and ISBA members will be able to use the clauses in their client/agency contracts, in the knowledge that they have been prepared by an expert on data protection issues, Simon Morrissey. Article 28 GDPR demands that controllers and processors enter into written contracts with certain prescribed terms. These two sets of clauses should meet those requirements.”

Find out more about the clauses in our dedicated Contracts Knowledge Library. Members can download both versions and the related cover note via the documents tab.


Press Contact:

Abi Slater Director of Communications

T: 020 7291 9020 M: 07917 048835

ISBA 12 Henrietta Street, Covent Garden, London, WC2E 8LH

Follow us on Twitter: @isbasays

Image of member
Written 04th April 2018
By Abi Slater