Digital Advertising Guidance: data security, retention & storage

The purpose of this guidance is to help educate the digital advertising industry about the legal requirements relating to personal data security, retention and storage - helping companies to understand their obligations and how to comply with them in practice. It is intended as a high-level overview for companies engaged in digital advertising in the UK, based on relevant UK law - namely the UK GDPR, Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

Part one of the guidance provides an overview of organisational and technical security measures that can help enable companies in the digital advertising industry to comply with their personal data security obligations. Part two details specific examples of appropriate security measures in different industry contexts, including practical guidance on risk assessments and how to determine personal data retention periods.

Please note that nothing in this guidance, or any accompanying documentation or resources, constitutes legal advice. Following the guidance is no guarantee of compliance. Companies remain responsible for their own compliance with applicable laws and industry self-regulatory rules, so should take their own legal advice where necessary.