IT Compliance Checklist for Advertising & PR Agencies
1 July 2025

Introduction
Advertising and PR agencies handle a wealth of sensitive information – from client marketing strategies and press release schedules to consumer data for campaigns. In an era of increasing regulation and client scrutiny, ensuring IT compliance is not just an internal concern but a business imperative. Non-compliance can lead to legal penalties, loss of client trust, or disqualification from lucrative contracts.
For London-based agencies (and indeed any UK/EU agency), compliance spans multiple areas: data protection laws like GDPR, industry standards like Cyber Essentials, and specific client-imposed IT requirements. It might sound daunting, especially for small-to-mid sized agencies without dedicated compliance officers. But achieving compliance is manageable with a clear roadmap.
This article provides an IT compliance checklist tailored for advertising and PR agencies, outlining key areas you should address. Think of it as a roadmap to fortify your agency’s IT practices so that you meet legal obligations and client expectations. We’ll cover data privacy steps, security measures, documentation, and training – all in plain English – to help you audit where you stand and where you might need to improve.
By following this checklist, your agency can demonstrate a strong compliance posture, which can be a selling point to clients and a safeguard for your reputation. Let’s get started on ticking those compliance boxes!
Data Protection (GDPR) Compliance
- Identify Personal Data You Handle: List out what personal data your agency collects or processes. Common examples: media contact lists (names, emails of journalists), influencer databases, email newsletter subscribers, client customer data used in campaigns, employee data. Under GDPR, you should have a record of these processing activities – what data, what purpose, where it’s stored, who it’s shared with, how long you keep it. A simple spreadsheet can serve as your Record of Processing Activities (ROPA).
- Lawful Basis and Consent: For each type of personal data, define the lawful basis for processing under GDPR. Often for PR/marketing it might be “legitimate interest” (e.g., using journalist contact info to send press releases) or “consent” (people who opted into a mailing list). Ensure if you rely on consent (e.g., individuals subscribed to newsletters or campaigns) that you have clear records of that consent (signup forms, opt-in boxes ticked, etc.). For any data you hold that you did not collect directly (say a client gave you their customer list for a campaign), ensure the client obtained it lawfully and that you have a Data Processing Agreement in place with them defining your role and responsibilities.
- Privacy Notice: Maintain an up-to-date privacy notice on your website that covers data you collect (both from site users and in your business operations). It should explain what data you collect, why, how long you keep it, how people can exercise their rights, and provide contact details. For a PR agency, it might also mention data collected in the course of providing services to clients, etc. Make sure it’s easily accessible (link in website footer). Clients or prospects may check this to gauge your GDPR diligence.
- Data Subject Rights Procedures: Have a process for handling any data subject requests – like if someone asks “remove me from your database” or “what data do you have on me?” Under GDPR they have rights to access, rectification, erasure, etc. Even if you’ve never gotten such a request, be prepared. This could mean knowing where data is stored so you can retrieve or delete it, and having a template response. Typically you have one month to respond to requests. If you use standard systems (like an email marketing platform or CRM), know how to export or delete a contact from them.
- Third-Party Data Processors: List your key systems that handle personal data (e.g., Mailchimp, CRM software, cloud storage, etc.). Ensure you have Data Processing Addendums (DPAs) in place with them – most reputable SaaS providers have one that commits them to GDPR compliance (check their website or ask). This is important because you as the controller need to ensure your processors handle data legally. Also verify where data is stored – GDPR allows transfer outside EU/UK only with safeguards (many US providers use Standard Contractual Clauses – check that they do). For instance, if you use a US-based PR tool, confirm they adhere to these standards.
- Data Minimisation and Retention: Only keep personal data you need. For example, if you have a media list from 5 years ago with contacts who have since moved on, consider updating or removing it. Don’t hoard old campaign data without reason. Define retention periods (e.g., “We keep campaign data for X years after campaign end”) and enforce them by periodic deletion or archiving. This also reduces risk in case of breach – less data stored is less data at risk.
- Security Measures for Personal Data: GDPR mandates appropriate security. Many items elsewhere in this checklist (access control, encryption, etc.) contribute to this. Check that personal data in particular is well-protected: e.g., client CSVs of customer emails are not sitting unencrypted on a laptop. Use secure passwords/MFA on accounts holding personal data (like social media management tools or CRMs). If you have physical data (unlikely in digital agencies, but maybe printouts of survey respondents?), secure those too or shred when done.
- Appoint a Data Protection Lead: You might not need a formal Data Protection Officer (DPO) unless you do large-scale monitoring of individuals, but have someone in charge of privacy compliance. It could be a director or IT lead. They keep an eye on GDPR news, ensure policies are followed, and act as contact for any data protection queries.
- Training Staff on Privacy: Make sure employees understand the basics: e.g., don’t put a long list of journalists in the To or CC field of an email (use BCC or a mailing tool, so recipients’ addresses aren’t leaked to each other), be cautious about sharing personal data over email (should it be encrypted?), and know what to do if someone asks to unsubscribe or asks about their data. Also stress confidentiality – e.g., client-provided data sets should not be used for anything other than their intended purpose.
Information Security (Cybersecurity Essentials)
- Access Control & Passwords: Implement access control practices: each employee should have unique logins for systems (no shared accounts). Use strong passwords and ideally Multi-Factor Authentication on all key systems (email, file storage, etc.). As per Cyber Essentials guidelines, ensure default passwords on any devices/software are changed. Consider using a password manager to help staff manage complex passwords. Review user access periodically – if someone leaves, promptly deactivate accounts; if someone changes role, adjust their permissions appropriately. Least privilege principle: people only access data and systems needed for their job.
- Endpoint Security: All company PCs and laptops (Windows or Mac) should have up-to-date anti-malware protection. Cyber Essentials specifically requires malware protection on all devices (this can be AV software or built-in OS protections if configured properly). Ensure firewalls are active – both network (if in office, likely behind a router firewall) and local device firewall (Windows Firewall, macOS firewall). Keep operating systems and applications patched – this means having a process to install updates (could be automatic Windows Update, etc.). Cyber Essentials looks for evidence that security patches are applied within 14 days of release for critical issues, so don’t let months go by without updating.
- Secure Configuration: Check default settings on devices and software. Remove or disable any services not needed. For example, if a laptop has a default admin account with a guessable name, rename or disable it. Uninstall software that isn’t needed to reduce attack surface. On websites or servers, turn off sample files or unnecessary open ports. This aligns with the Cyber Essentials principle of secure configuration – basically, harden your systems out-of-the-box.
- Network Security: If your agency has an office network, secure your Wi-Fi (use WPA2/3 encryption with a strong passphrase; ideally have a separate guest network for visitors). Change default passwords on any network equipment (routers, etc.). Keep network hardware firmware updated. For remote access to any internal resources, use VPNs. Also, make sure that if employees work remotely, they use secure connections. Under Cyber Essentials, you should prevent unauthorised access to your network – so no open Wi-Fi, no weak router passwords, and perhaps use MAC address filtering or other controls if feasible for small networks (bearing in mind that MAC filtering is easily bypassed, so it supplements strong Wi-Fi encryption rather than replacing it).
- Backup and Disaster Recovery: Ensure regular backups of critical data (as covered in Mac tips, but here broadly). Not just for IT failure, but also a compliance matter – under data integrity principles, you shouldn’t easily lose data. Backup client projects, financial records, email archives, etc. At least one backup should be offsite (cloud or physical offsite) to cover disasters like fire. And test restores occasionally. Also confirm backups themselves are secure (encrypted if containing sensitive data, and access to them is limited). Some standards require demonstrating you can restore data (important for things like business continuity planning).
- Incident Response Plan: Have a basic plan for what to do in a cybersecurity incident. This doesn’t need to be super elaborate, but at least define: who to inform (internally and possibly clients or authorities depending on severity), immediate steps to contain (e.g., disconnect affected systems, change passwords), and who leads the response. If you have an IT provider, their contact should be handy for emergencies. Also, check if you need to report incidents – under GDPR, a personal data breach likely must be reported to ICO within 72 hours if there’s risk to individuals. So part of compliance is knowing that threshold and having the mechanism to notify (in practice, hopefully you never have to, but be aware).
- Cyber Essentials Certification (Optional but Recommended): Cyber Essentials is mentioned often because it’s a UK baseline standard. Consider actually getting certified. It’s a checklist of much of the above: secure config, access control, patch management, malware protection, network security. Many clients (especially in public sector or larger companies) are starting to require vendors have Cyber Essentials. It’s not expensive to get (there’s an online questionnaire and an external scan). Achieving it gives you a badge to show you take security seriously. It also typically results in you tightening any loose ends in your IT setup. If you’re already doing everything in this checklist, certification should be straightforward.
Client Contract Requirements and Industry Standards
- Review Client Contracts for IT Clauses: Often larger clients put in specific requirements in their MSA or contract. This could include clauses like “Agency shall maintain industry-standard cybersecurity measures” or even specifics like “background check your employees” or “use antivirus on all systems” – likely things you do, but make sure to actually read those sections and confirm compliance. Some might require notification in X hours if you have a breach affecting their data. Note them and have a plan to adhere.
- NDAs and Confidentiality: Ensure all staff have signed appropriate confidentiality agreements (usually part of employment contract or separate NDA). This is compliance in the sense of client expectation – you must safeguard their confidential info. Also, train staff to understand what is confidential and how to handle it (e.g., not discussing client campaigns in public before launch, etc.). For freelancers or contractors, get NDAs in place too.
- System Access for Clients: If you grant clients access to any of your systems (like a client portal, or a project management tool to review progress), ensure you create accounts with limited access (they should only see their project, etc.). That’s part of compliance to client requirements – e.g., one client’s data should not be inadvertently accessible by another. Multi-client agencies need robust permission separation in any shared systems.
- Advertising Standards and Data Use: If you’re handling consumer data for targeted ads or campaigns, ensure you follow relevant regulations and self-regulatory codes (like CAP Code in UK for marketing). For instance, if you manage email campaigns, comply with PECR (Privacy and Electronic Communications Regulations) for marketing communications – meaning get consent for B2C emails, include opt-out links, etc. If doing behavioural advertising, be mindful of cookie consent and such if you run websites. It’s a broad area, but since PR/advertising agencies sometimes overlap with direct marketing, know the rules there too.
- ISO or Other Standards (if applicable): Larger agencies might consider ISO 27001 (information security management) certification. It’s a heavy lift, but if aiming to work with enterprise clients, it’s the gold standard. For smaller agencies, that’s likely too much, but at least borrowing principles from it (like having formal policies, risk assessments) can help. Check if any clients ask about ISO or similar. If you see that becoming a trend, you might invest in gradually aligning with it. There’s also the PRCA (Public Relations & Communications Association) or similar bodies that may have guidance on managing data and IT; being aware of industry best practices always helps in compliance conversations.
- Data Processing Agreements with Clients: As an agency, when you receive data from a client (e.g., they give you a customer list to do PR outreach or an employee list for an internal comms project), under GDPR you are often a “processor” on behalf of that client. You should have a DPA in place where you commit to handling their data properly (which is basically everything in this checklist) and assist them in fulfilling their GDPR obligations if needed. Many client contract templates include these clauses now. If not, you can suggest signing a separate DPA. It covers things like what you can/can’t do with the data, how you handle deletion after project, that you’ll notify them of any breach, etc.
- Third-Party Contracts: Similarly, if you subcontract any work or use vendors (maybe a freelance data analyst or an email blasting service), ensure those flows are also governed by contracts for confidentiality and data protection. You don’t want a gap where a freelancer hasn’t agreed to keep client data confidential or a vendor isn’t contractually obligated to secure the data you pass to them. In GDPR terms, if you’re a processor and use a sub-processor, you need to have equivalent DPAs down the chain.
IT Policies and Documentation
- Create an IT Security Policy: It doesn’t have to be a magnum opus, but a written policy (even 2-3 pages) that outlines key rules: use of passwords, acceptable use of internet (e.g., no torrent downloads on work network), email usage (don’t click suspicious links, etc.), remote work security (like not using public Wi-Fi without VPN), and incident reporting procedure. Distribute it to staff, perhaps as part of onboarding. Update it annually. This not only helps compliance but also demonstrates to clients/regulators that you have a structured approach. Many Cyber Essentials and other questionnaires ask “do you have a security policy?”. It’s good to have one so you can answer yes and show it.
- BYOD (Bring Your Own Device) Policy: If any staff use personal devices for work (common in small agencies to use personal phones for email or even personal laptops), clarify the requirements: e.g., device must be encrypted, must have up-to-date OS and antivirus, company can request device for security checks or remote wipe work data if lost, etc. You might encourage staff to use company-managed devices only, but reality is often there’s some mix. Document what’s allowed and how it’s managed.
- Password Policy: While we touched on passwords, formally state expectations: e.g., minimum password length, complexity, not reusing corporate passwords on other sites, how often (if ever) to rotate passwords. NCSC (the UK’s National Cyber Security Centre) actually suggests not forcing regular password changes unless there’s an incident, as it can lead to weaker passwords, but old habits die hard – either way, decide and document it. And enforce via technical controls where possible (like Azure AD password policy, etc.).
- Incident Response Plan Documentation: As noted earlier, have the plan not just in someone’s head. A simple doc that states “If X happens, do Y” for common scenarios (virus detection, lost laptop, suspected hack). Include a contact list of who to call (IT support, management, possibly legal counsel or PR crisis contact if major). In a stressful incident, a checklist can be a lifesaver to ensure you don’t forget steps.
- Training Records: Keep track of any security or compliance training you give to employees. Even if it’s a 30-minute annual briefing on GDPR and phishing, note the date and attendees or have them sign a sheet. This can prove to clients/regulators that you actively educate staff (a GDPR principle: train those handling personal data). You can even leverage free resources (e.g., ICO has GDPR training modules, or cyber awareness videos from NCSC) – incorporate and log that it was done.
- Business Continuity/DR Plan: What if your office is inaccessible or systems go down? 2020 taught everyone about continuity, but have a basic plan: can your team work from home if needed (likely yes, with cloud tools)? If cloud services fail, do you have backups or alternatives (e.g., if project management tool is down, default to email/phone communications until back)? Who has authority to declare an emergency and communicate with clients about any impact? Documenting this shows a level of preparedness. Some clients ask for it in RFPs.
- Asset Inventory: Maintain a list of hardware and software assets. Know what laptops/desktops you have (serial numbers, who assigned to, etc.), what software subscriptions or licenses in use. This helps compliance by ensuring everything is licensed (don’t use unlicensed stock photos or cracked software – aside from legality, it can bring malware). Also helpful for insurance. Include in the inventory any company mobile devices or USB drives if those carry data. Essentially, keep track of where your data could be and through what devices.
Physical Security and Office IT Compliance
- Secure Office Access: If you have an office with servers or even just computers with sensitive data, control access. That could be as simple as keeping the office locked and only staff have keys/cards. If in a shared co-working space, ensure your room or cabinets can be locked. Physical breaches are rarer but a stolen hard drive or document can be as damaging as a hack. Consider screen privacy: maybe use screen filters or position screens away from visitor view if discussing confidential client stuff near reception.
- Device Hardening: We mentioned encryption (Full Disk Encryption on laptops via BitLocker or FileVault – check that it’s enabled on all, that’s a Cyber Essentials checkbox too). Also ensure auto-lock on PCs – set short idle lock times so if someone steps away, the computer locks and requires password. Encourage using locked drawers or cable locks for laptops if in open environment, especially if outsiders come in for meetings. Keep those server/network equipment rooms locked (and ideally ventilated; check that plugs, cables etc., are safe – not a compliance point but prevents downtime due to accidents like someone unplugging the router to charge their phone).
- Clean Desk Policy (Optional): It’s often recommended to have a “clean desk policy” – meaning no sensitive papers left out, lock file cabinets, shred paper waste, etc. In creative agencies, paperwork is less but not nil (client printouts, brainstorm notes). Encourage tidiness from a security perspective: e.g., that notebook with the big client’s strategy shouldn’t be left in a cafe or on a shared desk. Shred or securely dispose of drafts or docs you don’t need. If you still receive physical mail with personal data, treat it like digital data – file or shred appropriately.
- Equipment Disposal: Have a procedure for disposing of old computers or drives. Simply trashing a hard drive is a big no – data can be recovered. For compliance, ensure you data-wipe or destroy storage media. Use software to securely erase drives (multiple overwrite passes for spinning disks; for SSDs overwriting is unreliable, so use the drive’s built-in secure-erase or crypto-erase function instead) or use a professional shredding service for drives. Document that you’ve done so (some companies provide certificates of destruction, which is nice evidence if needed). Same with old USB sticks, etc. One forgotten drive with client data could cause a breach if found by someone unscrupulous.
- Print/Copy Security: If you have a network printer that stores copies of scans/print jobs, be aware it has a hard drive which should be wiped if the device is replaced. Also, consider if prints are left on the tray – better to use “secure print” (where you enter a code at printer to release job) for confidential documents. Not always necessary, but if you share building with others, don’t let sensitive stuff sit in the output tray.
- Compliance Checks and Audits: Finally, periodically audit your own compliance. Maybe quarterly or at least annually, go through this checklist and see if any lapses. It could be a team meeting item: “Let’s ensure we’re up-to-date on patches, test a restore, review who has access to what, and whether any new client requirements have come in.” Document the audit happened and any actions taken – that’s both practical and demonstrates a culture of continuous compliance improvement.
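As an added example that is not from the original article, the PowerShell script below self-checks one Windows endpoint against the hardening items named in this checklist (BitLocker, host firewall, malware protection, patching within 14 days, default built-in accounts, idle screen lock) and prints a pass/fail table you can file as audit evidence. The 14-day window is the checklist’s own figure; the 10-minute idle-lock limit, the 7-day signature-age limit and the use of Get-HotFix as a proxy for patch date are assumptions, and Mac equivalents (FileVault) are not covered.

```powershell
# Added example: Windows endpoint self-check against the checklist's hardening items.
# Run from an elevated PowerShell 5.1+ session on Windows 10/11 (save as a .ps1).
$PatchWindowDays = 14    # checklist figure: critical patches applied within 14 days
$MaxIdleSeconds  = 600   # assumed value: screen must lock within 10 minutes idle
$MaxSignatureAge = 7     # assumed value: Defender signatures no older than 7 days

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. Full-disk encryption: every BitLocker-capable volume should report protection On.
try {
    foreach ($v in Get-BitLockerVolume) {
        Add-Check "BitLocker on $($v.MountPoint)" ($v.ProtectionStatus -eq 'On') `
            "VolumeStatus=$($v.VolumeStatus), ProtectionStatus=$($v.ProtectionStatus)"
    }
} catch {
    Add-Check 'BitLocker' $false "Could not query BitLocker: $($_.Exception.Message)"
}

# 2. Host firewall: all three profiles (Domain, Private, Public) must be enabled.
foreach ($p in Get-NetFirewallProfile) {
    Add-Check "Firewall profile $($p.Name)" ("$($p.Enabled)" -eq 'True') "Enabled=$($p.Enabled)"
}

# 3. Malware protection: Defender active with fresh signatures, or a registered third-party AV.
$mp = try { Get-MpComputerStatus -ErrorAction Stop } catch { $null }
if ($mp -and $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled) {
    Add-Check 'Malware protection' ($mp.AntivirusSignatureAge -le $MaxSignatureAge) `
        "Defender real-time protection on; signatures $($mp.AntivirusSignatureAge) day(s) old"
} else {
    $av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    Add-Check 'Malware protection' ([bool]$av) ('Registered products: ' + (($av | ForEach-Object displayName) -join ', '))
}

# 4. Patch cadence: the most recent dated hotfix must fall inside the 14-day window.
#    Get-HotFix only lists updates that record an InstalledOn date, so this is a proxy check.
$last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$days = if ($last) { (New-TimeSpan -Start $last.InstalledOn -End (Get-Date)).Days } else { -1 }
Add-Check "Patched within $PatchWindowDays days" (($days -ge 0) -and ($days -le $PatchWindowDays)) `
    $(if ($last) { "$($last.HotFixID) installed $days day(s) ago" } else { 'No dated hotfix found' })

# 5. Secure configuration: built-in Administrator (RID 500) and Guest (RID 501) should be disabled.
foreach ($u in (Get-LocalUser | Where-Object { $_.SID.Value -match '-50[01]$' })) {
    Add-Check "Built-in account '$($u.Name)' disabled" (-not $u.Enabled) "Enabled=$($u.Enabled)"
}

# 6. Idle lock: either a machine inactivity limit (policy) or a password-protected screensaver.
$sys  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$machineLimit = [int]$sys.InactivityTimeoutSecs          # $null becomes 0 when the value is absent
$saverTimeout = 0
[void][int]::TryParse("$($desk.ScreenSaveTimeOut)", [ref]$saverTimeout)
$saverLocks  = ($desk.ScreenSaveActive -eq '1') -and ($desk.ScreenSaverIsSecure -eq '1') -and
               ($saverTimeout -gt 0) -and ($saverTimeout -le $MaxIdleSeconds)
$policyLocks = ($machineLimit -gt 0) -and ($machineLimit -le $MaxIdleSeconds)
Add-Check "Idle lock within $MaxIdleSeconds s" ($saverLocks -or $policyLocks) `
    "InactivityTimeoutSecs=$machineLimit; ScreenSaveTimeOut=$saverTimeout"

# Report: table for the audit file plus a one-line summary.
$results | Format-Table Check, Pass, Detail -AutoSize
$failed = @($results | Where-Object { -not $_.Pass }).Count
Write-Host "$($env:COMPUTERNAME): $failed check(s) need attention"
```

Keep the printed table with the date and machine name alongside your audit record; a failed row maps directly to one of the checklist items above.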
Q: We’re a small agency – do we really need all this formal process?
A: Scale the formality to your size, but yes, even small agencies should cover these bases in some way. You might not have a department for it, but perhaps one person wears the compliance hat and uses checklists like this to keep things in check. Small size doesn’t exempt you from laws like GDPR – regulators don’t say “oh you had only 15 employees, no big deal” if a breach happens. Plus, larger clients will expect even a 10-person vendor to adhere to baseline security. The good news is small size can make it easier: fewer people to train, fewer systems to manage. It might just be a day or two of initial setup and policy writing, then a couple hours a month to maintain.
Q: What if a client’s requirements conflict with our usual practices?
A: Discuss with them. Often requirements are somewhat negotiable or have some flexibility. For example, a client might demand all data be stored in their systems rather than yours – if that’s their rule, you adapt by using their provided tools. Or they may require a certain software (maybe they want you to use their secure file transfer instead of email). Comply where feasible; if something is truly unreasonable or costly, bring it up and propose an alternative that still meets the intent. Document any exceptions in writing. Most client security teams are happy to see you engage on the topic – it reflects well that you’re serious. It’s far worse to ignore it.
Q: How does compliance benefit us aside from avoiding fines?
A: There are tangible benefits: It protects your agency from incidents that could disrupt business or cause reputational damage. It builds trust with clients – some might even choose you because you have, say, Cyber Essentials or clearly know your stuff on data security (it’s a differentiator in pitches these days). Internally, having organised IT processes can improve efficiency (backups means quick recovery from mistakes, policies mean less confusion on what to do in scenarios, etc.). Essentially, compliance often equals good operational hygiene, which is beneficial beyond just “checking a box.”
Conclusion
Regulatory compliance and robust IT practices might not be the exciting part of advertising or PR, but they have become integral to the business’s success and credibility. By working through this checklist, you’ll transform what can seem like a maze of regulations into a manageable set of tasks. Each step strengthens your agency’s security and reliability.
In summary, protect data, secure systems, document what you do, and stay aware. That’s the crux of compliance. It’s an ongoing process, not a one-time project – but once the main pieces are in place, maintaining compliance becomes part of your routine (and hopefully mostly runs in the background, allowing you to focus on creative campaigns).
Keep in mind that the landscape can change: new laws (like ePrivacy Regulation in future), new client requirements, emerging security threats. So review this checklist periodically and update your measures accordingly. Don’t hesitate to seek expert advice, whether legal counsel for data protection issues or IT consultants for technical hardening – investing a bit in compliance expertise can save a lot by preventing incidents or penalties.
By demonstrating strong compliance, you reassure clients that entrusting you with their brand and data is a safe bet. It’s yet another way you show professionalism in your partnership. So tick those boxes, one by one – and get back to doing the great creative work that your agency is known for, with peace of mind that your foundation is solid and secure.
Contact us today to discuss IT compliance or visit our Mini IT Security Audit page to assess your entire IT infrastructure in just 3 minutes.