Post on 25-Sep-2020

10 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: WPP DATA PRIVACY & SECURITY CHARTER · • The development of a culture of accountability for the data used by operating companies, which encourages care and confidentiality, and

WPP Data Privacy & Security Charter

Private & Confidential – 1 – © WPP

WPP DATA PRIVACY & SECURITY CHARTER Version 2.0


1 WPP’S DATA PRIVACY & SECURITY CHARTER

The Privacy Charter (the Charter) confirms WPP and its operating companies’ approach to the data it holds, accesses and processes, whether on behalf of clients, suppliers, employees, shareowners or otherwise. The obligations included within the policies that form the basis of this Charter must be adopted by all operating companies as a minimum standard to be attained.

Further, WPP employees must ensure:

• The development of a culture of accountability for the data used by operating companies, which encourages care and confidentiality, and includes appropriate training of staff; and

• The adoption of appropriate policies and procedures that provide a robust governance framework for data security and management.

All of the policies in this document apply to WPP and its operating companies and are included in this Charter:

1 WPP’S DATA PRIVACY & SECURITY CHARTER (page 2)

2 WPP DATA CODE OF CONDUCT (page 3)

3 WPP ARTIFICIAL INTELLIGENCE (AI) AND DATA ETHICS STATEMENTS (page 4)

4 WPP PRIVACY POLICY (page 5)

5 WPP INFORMATION TECHNOLOGY POLICY (page 9)

6 WPP ACCEPTABLE USE POLICY (page 24)

7 WPP SOCIAL MEDIA POLICY (page 26)

8 WPP DATA HANDLING AND RETENTION POLICY (page 29)

9 WPP BUSINESS CONTINUITY POLICY (page 33)

10 WPP INCIDENT RESPONSE POLICY (page 35)

11 WPP DATA SUBJECT RIGHTS POLICY (page 39)

12 CONTACTS FOR THE WPP PRIVACY CHARTER (page 53)

13 VERSION CONTROL TABLE (page 54)

The contents of this Charter may be shared with clients where an Operating Company confidentiality agreement is in place.


2 WPP DATA CODE OF CONDUCT

2.1 Our Principles

WPP, its companies and its people are committed to responsible collection, management, use and protection of data.

WPP recognises its obligations to all its stakeholders including share owners, clients, its own people, suppliers and consumers.

WPP works with many categories of data and uses the term ‘data’ in its broadest sense. We include within this definition client data, consumer data and all information and data related to the operation of our businesses.

2.2 Our Practices

We will be transparent with consumers.

We will treat data in accordance with all applicable laws, regulations and treaties.

We will implement fair and reasonable data policies and procedures.

We will treat data as confidential.

We will understand not only what data we hold but also its relevance to stakeholders.

We will secure, collect, process, use and store data appropriately.

We will ensure that data is retained appropriately.

We will implement necessary and appropriate technical measures to secure data.

We will delete data when required to do so.

We will ensure our people understand their role in upholding these principles and practices.


3 WPP ARTIFICIAL INTELLIGENCE (AI) AND DATA ETHICS STATEMENTS

3.1 Artificial Intelligence (AI) Statement

AI systems should be designed and operated so they are compatible with human rights and freedoms, so they empower people in their work at WPP and across the group and allow for human choice.

AI systems need to be resilient, sustainable and safe, and built with cyber security protections as standard.

Rigorous governance should be applied to ensure our use of AI is appropriate and reliable.

Data used to power AI must comply with applicable privacy laws and WPP policies.

We will train our people on the use and impact of AI.

Data gathering, development processes and algorithms should be documented to ensure that AI systems are traceable and auditable.

When AI is utilized, we should be transparent about its use and consider its impact on our people, clients, investors, partners, the wider community and the environment.

AI should be used to create systems that are inclusive, regardless of an individual’s gender, socio-economic background, nationality, race, ethnicity, disability or sexual orientation.

3.2 Data Ethics Statement

Ethical data use at WPP is everyone’s responsibility.

Ethics-by-design drives our data use.

Data ethics evaluation is built into every stage of our data use.

We recognise that there is no ‘one-size-fits-all’ approach to data ethics and we will consider the benefits of processing against any impact on individuals, the wider community and the environment as well as our people, clients, and investor partners.

We acknowledge our responsibility to understand both the limitations and possibilities of data and to ensure that any processing is proportionate to our needs.

We encourage our people to challenge data use and speak up if they have a concern.

We will be transparent regarding our ethical decision-making process and will educate our people on ethical data use.


4 WPP PRIVACY POLICY

Our Data Code of Conduct states:

“WPP, its companies and its people are committed to responsible collection, management, use and protection of data.”

How you use data and personal information not only reflects on you as an individual but also on us as an organisation. This policy applies to all full and part time employees and contractors of WPP who handle data and personal information or use WPP’s information systems.

4.1 What is Personal Information?

Personal information is any information or an opinion relating to an identifiable person including name, address, telephone number, email address (including work email address), national identification number or other such identifiers. The sources of personal information vary considerably and include:

• email and attachments;

• databases and/or online systems containing personal information, social media or other mass communication tools, etc;

• websites - online employee directories, online survey data collection, etc;

• CCTV and physical access to sites - data stored on electronic key cards, location tracking, etc;

• paper documents – employee and client contracts, letters, memos, reports, etc; and

• photographs – office badges, security passes, employee records, etc.

The definition of personal information varies significantly based on country-specific data protection laws. For example, in the EU the term “personal data” includes online identifiers, such as cookie IDs, social media handles, device fingerprints and other IDs used for online tracking. Also, be aware that some client contracts may include a definition of personal information relating to that client that is broader than the legal definition. WPP operating companies must work closely with clients to ensure that personal information is handled and protected in a way that is consistent with the contract.

4.2 What is Data Privacy?

Data Privacy is:

• protection of personal information – restricted access and security of data;

• the expectation that personal information collected, used and shared with others will be obtained, protected, used and disclosed in a way that the local and regional laws allow;

• being transparent with individuals about what data is being collected about them, how that data will be used and who it will be shared with;

• limiting the personal information collected, and the period of time for which it is stored in identifiable form;

• keeping personal information accurate and up-to-date;


• a system of reasonable processes to prevent release, use of or access to personal information without a lawful basis – we should always make sure that we are relying on the lawful basis that is most appropriate (sometimes this means obtaining the individual’s informed consent, but this is not always the case, and some countries – particularly the EU – have strict requirements that must be met when relying on consent);

• complying with individuals’ rights in relation to their personal information, such as rights to have access to their information, to have their information deleted and to have incorrect or out-of-date information corrected – these rights vary between countries according to local data protection laws; and

• a balancing act between sharing information while protecting individual information and identities.

4.3 Why is it important?

• Legal compliance – We need to be compliant with applicable privacy and data protection laws, regulations and treaties (“Applicable Laws”). Companies cannot be compliant in one region but do business and be non-compliant in another. If we are found not to have complied with Applicable Laws, this can have serious consequences for WPP, such as harm to our reputation and substantial financial penalties.

• Clients – More multi-national clients are including data protection and privacy terms and requirements in the contracts we sign. Our operating companies need to understand what these terms mean, be able to demonstrate compliance with additional requirements and understand how they impact on our existing technology infrastructures. We also need to understand the implications of these terms when proposing new research techniques, marketing, digital applications or other products to clients that involve personal information.

• Consumers – We need to make sure that we always communicate with consumers in an appropriate manner. What is appropriate will vary by country and you should be aware of the legal requirements and individuals’ rights where you do business. “Appropriate” may mean informing consumers in a timely manner where their information is stored, who can access it and how it is used. Operating companies should communicate with consumers transparently. In some cases, Applicable Laws may require WPP operating companies to obtain specific types of consent from consumers and it is the responsibility of each WPP operating company to ensure it can comply with its legal obligations.

• Data Management – To run our operating companies more efficiently, we are consolidating greater amounts of personal information on behalf of our employees (e.g. centralized HR systems) and our clients (e.g. access to customer relationship management systems and/or consumer data collected for direct marketing, call centres or market research). This means that robust data management and data governance are more relevant than ever to our operating companies.

4.4 Policy and Awareness

WPP operating companies should implement fair and reasonable privacy policies and procedures and action them. If you are responsible for a website (including on behalf of a client) you should ensure that you are aware of the cookies and other tracking technologies that operate on that website. Websites operated by WPP operating companies should contain appropriate information and disclosures for website users, including an up-to-date privacy policy, and where appropriate seek consent from users of the website.


We must be aware of Applicable Laws, including those relating to government contracts, and implement the required procedures. Applicable Laws should be considered in contract reviews and internal business processes and systems.

4.5 Security

Wherever they are located in the world, WPP operating companies should have in place reasonable, appropriate controls to prevent unauthorised access to WPP sites and systems.

WPP operating companies should comply with the WPP Information Technology Policy and take reasonable and practical steps to ensure the confidentiality, integrity and availability of personal information. You should consider the following protections:

• appropriate restriction and protection (including encryption) of personal information stored on mobile computing devices and equipment including but not limited to laptops, smartphones or mobile phones, tablets, and memory sticks;

• prevention of unauthorised remote and local access to systems storing personal information, documenting, where applicable, use of firewalls, anti-virus software, patching and user account management;

• prevention of unauthorised physical access to systems storing personal information, documenting, where applicable, access controls pertaining to server rooms, HR and finance files, client files and physical site access; and

• prevention of the transfer of personal information to unauthorised individuals or groups, including client and intra-company data transfers, and especially covering transfers of personal information across national borders.

WPP operating companies, in considering appropriate controls to protect data, sites and systems should not limit the threat considerations to external actors only. It should be noted that under many Applicable Laws, if an operating company fails to take appropriate measures to safeguard personal data, as detailed above, and an employee takes advantage of this to process personal data in an unlawful manner, the operating company will itself be directly liable for the underlying breach of the Applicable Laws. If you have any questions regarding this, please contact [email protected].

If you have any questions regarding data security, please contact:

• WPP Chief Information Officer; or

• WPP Chief Information Security Officer.

If you encounter any loss of any personal information or any attempt to gain access to your computer systems, you must inform WPP immediately (in accordance with WPP’s Incident Response procedures) and no later than 24 hours after the incident.

Any loss of information or hacking that is detected must be reported immediately to:

• WPP Director of Internal Audit

• WPP Chief Information Officer

• WPP CISO

• WPP Group Chief Counsel & Head of Sustainability

• WPP Chief Privacy Officer & General Counsel Commercial

• Where the incident occurred in the USA or involves client services provided in the USA please additionally contact the Group Chief Counsel for the Americas.


4.6 Retention of Personal Information

All personal information must be retained in accordance with WPP’s Data Handling and Retention Policy, and any local legal minimum period.

You should also refer to data retention terms in client contracts (this may be longer than the legal minimum).

4.7 Disposal of Personal Information

Any personal information that is no longer needed and/or required to be kept by Applicable Laws must be disposed of in a secure and confidential manner and in accordance with the WPP Data Handling and Retention Policy.

4.8 Transfer of Personal Information

Human resources and client-related personal information is transferred periodically across group companies and to WPP offices in London and New York. Data is also frequently shared with vendors to provide services to clients and employees. Operating companies may need to enter into additional contractual terms with vendors or other members of the WPP group before personal information can be transferred between countries (such as from the EU to most other countries).

Group companies should ensure that transfers are necessary for legitimate business purposes, such as the delivery of group wide benefits or in performance of a specified client contract.

Appropriate methods and protocols should be in place to transfer personal information securely. Adequate security helps to reduce breaches, loss, and access by unauthorized parties.


5 WPP INFORMATION TECHNOLOGY POLICY

5.1 Introduction

WPP is a data driven business and it is critical that it ensures that data is always used and protected appropriately.

The purpose of this Information Technology Policy (“Policy”) is to set out best practice principles in relation to Information Technology operations for WPP’s Operating Companies (“Operating Companies”).

The Policy applies to all Operating Companies wherever they are located in the world and regardless of how their IT service is provided (either internally or externally). Operating Companies should designate a person to take responsibility for compliance with this Policy.

All WPP staff are expected to read and adhere to the Policy as it applies to their job function.

5.2 Physical Security

Physical security is at the heart of any organisation’s successful security strategy. Operating Companies wherever they are located in the world should have in place reasonable and appropriate controls to prevent unauthorised access to Operating Company systems and to prevent loss of data.

Whilst WPP recognises that the physical and environmental security challenges will vary between Operating Companies, the controls outlined below are recognised as good security protocols to have in place and Operating Companies should develop and document physical and environmental security processes and procedures that incorporate controls such as those identified in this Policy.

5.2.1 Physical Security Plan

Operating Companies must have a plan for physical security that is reviewed and updated (on no less than an annual basis) by an individual nominated by the Operating Company.

5.2.2 Physical Security Access Controls

Operating Companies must operate an access control system at their site(s), e.g. swipe cards, combination door locks, lock & key, and video recording, to ensure that only authorised persons are able to access Operating Company premises. Office management or equivalent must maintain records (including electronic logs where possible) of persons entering Operating Company sites and securely retain this information for at least twelve months. The purpose of retaining access information is to record who enters and leaves Operating Company sites and may have gained access to confidential, proprietary, sensitive or critical information.

Particular emphasis and planning should be given to areas within the Operating Company where confidential, proprietary, sensitive or critical information is stored e.g. an IT server room or segregated work area and if appropriate, additional access controls should be implemented. Restrictions on IT server room access are set out in more detail in Section 5.6 of this Policy.

5.2.3 Outgoing Staff and Physical Security

Whenever an Operating Company member of staff or freelancer leaves, all physical security access must be removed, deactivated and logged and access passes or equivalent returned. In cases where a member of Operating Company staff is serving their notice, the physical security access rights for that individual must be reviewed by appropriate senior management to ensure that any access permitted during the notice period adequately protects Operating Company and client information.


A list of authorised Operating Company staff that may access the Operating Company site(s) must be maintained, reviewed, and updated by the individual in charge of physical and environmental security at the Operating Company on a monthly basis.

5.2.4 Visitors to Operating Company Sites

Visitors to any Operating Company site must be escorted at all times when in areas where there is confidential data.

In the event that any visitor is granted access for more than 1 visit to any Operating Company site such access should be provided for a fixed time period and on a limited basis.

5.2.5 Security Alarm Systems

All Operating Companies must be equipped with fire systems as required by law and physical intrusion alarm systems.

5.2.6 Physical Security of Operating Company Assets and Media

It is the responsibility of WPP staff to take care of Operating Company computers and associated equipment when using them both inside and outside Operating Company premises. WPP staff should take reasonable precautions to ensure that their laptops and other equipment (including mobile devices and memory sticks) are not left unsecured in unoccupied vehicles, hotel rooms, restaurants etc. Care should be taken to prevent physical damage, loss or theft.

5.2.7 Restrictions on Operating Company Server Room Access

Restrictions on IT server room access are set out in more detail in Section 5.6 of this Policy.

5.2.8 Clear Desk Policy

Operating Companies should adopt and implement a clear desk policy which will apply to all staff. Where appropriate, staff should be provided with lockable storage for documentation and equipment in order to comply with the clear desk policy.

5.2.9 Physical segregation

Physical segregation of teams may be required by client contracts; discuss your client’s requirements with senior management.

5.3 Network Access Security

Network access security is absolutely critical to safeguarding WPP data. Reasonable measures must be in place to protect all networks from unauthorised access. WPP recognises that the controls may vary between Operating Companies and the controls outlined below are recognised as good security protocols to have in place. Network access security processes and procedures should be developed and documented that incorporate the controls outlined below.

5.3.1 Access to Operating Company Networks, Data and Devices

Appropriate controls must be operated where providing access to any Operating Company network or system. The following should be implemented at Operating Companies:


5.3.1.1 Where systems are supplied with default vendor user name and passwords, these must be changed before the system is put into production use.

5.3.1.2 Access should be provided to Operating Company staff based on their need and their role in the company and the department/team in which they work; the principle of least privilege must be applied.

5.3.1.3 Staff should not have unrestricted access to all Operating Company systems, data and devices except in the case of certain IT administrators where it is required as part of their role. Administration access must be limited, documented and controlled. Administrators must only be provided access if they can demonstrate they are:

• certified in the technology;

• certified in the WPP implementation of the technology; or

• educated on, and committed to following, the change protocol.

5.3.1.4 Such elevated access must only be granted through a standard approval process. When access is given to, or accounts created for, freelancers, other temporary staff or vendors:

• particular care should be given to the level of access that they are given;

• named accounts should be created with a termination date matching their agreed engagement period;

• it must be clear in the account configuration that the account belongs to temporary staff or a third party; and

• all such accounts should be subject to regular review.

5.3.1.5 When access to a system, data or a device is given to an employee for a specific project, particular care should be given to the level of access that they are given and named accounts should be created with a termination date matching their agreed engagement period.

5.3.1.6 When someone (whether employee or temp) leaves the organisation, their email and data associated with their account should be preserved for a minimum of 12 months.

5.3.1.7 When someone (whether employee or temp) re-joins the business after leaving, their old account can be used, but their new rights and access rules should reflect their new role only.

5.3.1.8 Generic accounts for use by multiple people must not be used.

5.3.1.9 Users must not share their account credentials or passwords with other users. Where a user may be required to share their password to receive IT support, the user must change their password once the issue is resolved.

5.3.1.10 For all new systems, end-user password configurations should be in accordance with current official guidance issued by the UK National Cyber Security Centre (NCSC).

5.3.1.11 For legacy or existing contracts password configurations should be in accordance with WPP mandated length and expiration cycles set out below:

• Password Expiration: 60 days.

• Minimum Password Length: 8 characters.

• Must contain both alpha and numeric characters.

• Account Lockout Trigger: 5 attempts.

• Account Lockout Duration: until unlocked by IT.


• Minimum # Passwords Before Reuse: 40 cycles.

• Must contain both uppercase and lower case characters: (A-Z).

• Need to consider the use of a symbol (e.g. @, $, *) as required.

• Certain applications may not support this particular list of criteria; in that case this list is to be used as good practice and complied with so far as is possible.

5.3.1.12 Any additional authentication token (for example the private key from a public/private key pair) which may replace a password as a means of authenticating a user must have appropriate levels of protection around the token itself. A digital token (such as a private key used to authenticate against an SSH server) must, at a minimum, be protected by a compliant passphrase.

5.3.1.13 No accounts with privileged access rights should be accessible via a non-password based authentication mechanism without a discrete “what you have and what you know” security boundary which can clearly be used to record “who” accessed “what”.

5.3.1.14 Accounts with privileged access rights should be given only to individuals suitably qualified and based upon validation of their understanding of the appropriate policies and procedures associated with those rights. Privileged accounts should only be distributed based upon the principle of least privilege and the number of privileged accounts should be in line with vendor and industry best practice where feasible.

5.3.1.15 A list of those accounts with privileged access rights along with justification for those accounts should be maintained and kept updated.

5.3.1.16 Regular, documented reviews of privileged access rights (both user and service accounts) should be undertaken and accounts that have not been used in 90 days should be disabled. In addition to the password configuration requirements, privileged access account passwords should be unique (i.e. no two privileged accounts should share the same password). Passwords and other login criteria should not be given to other staff.

5.3.1.17 When an employee who has access to service accounts leaves the business, all passwords to which they had access should be changed upon their leaving.
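As an added illustration that is not part of the Charter, the following Python review runs the account-management rules of 5.3.1.4, 5.3.1.8, 5.3.1.11, 5.3.1.15 and 5.3.1.16 over a constructed account inventory; the record layout, the password fingerprint field and the sample accounts are assumptions made for the example.

```python
"""Added example: privileged-access review over a constructed account inventory.

Checks follow the Policy text: temporary and vendor accounts need a termination
date that has not passed (5.3.1.4); generic shared accounts are not allowed
(5.3.1.8); legacy systems expire passwords after 60 days (5.3.1.11); privileged
accounts need a recorded justification (5.3.1.15), are disabled after 90 days
unused and must not share a password (5.3.1.16). Layout and data are assumed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

UNUSED_DISABLE_DAYS = 90          # 5.3.1.16
LEGACY_PASSWORD_EXPIRY_DAYS = 60  # 5.3.1.11


@dataclass
class Account:
    name: str
    owner: str                 # named individual, or "shared" for a generic account
    account_type: str          # "employee", "temporary", "vendor" or "service"
    privileged: bool
    legacy_system: bool        # True when the 5.3.1.11 legacy password rules apply
    last_used: Optional[date]  # None when the account has never been used
    password_set: date
    # Assumed: an opaque fingerprint the inventory export assigns so that the
    # same password on two accounts can be spotted without holding the secret.
    password_fingerprint: str
    termination: Optional[date] = None
    justification: str = ""


def review(accounts: List[Account], today: date) -> Dict[str, list]:
    """Return the accounts each rule flags, keyed by the action to take."""
    findings: Dict[str, list] = {
        "disable": [], "expire_password": [], "missing_termination": [],
        "past_termination": [], "generic": [], "missing_justification": [],
        "shared_password": [],
    }
    by_fingerprint: Dict[str, List[str]] = {}
    for a in accounts:
        if a.owner == "shared":
            findings["generic"].append(a.name)
        if a.account_type in ("temporary", "vendor"):
            if a.termination is None:
                findings["missing_termination"].append(a.name)
            elif a.termination < today:
                findings["past_termination"].append(a.name)
        if a.legacy_system and (today - a.password_set).days > LEGACY_PASSWORD_EXPIRY_DAYS:
            findings["expire_password"].append(a.name)
        if a.privileged:
            if not a.justification:
                findings["missing_justification"].append(a.name)
            # A never-used privileged account is treated as unused.
            if a.last_used is None or (today - a.last_used).days > UNUSED_DISABLE_DAYS:
                findings["disable"].append(a.name)
            by_fingerprint.setdefault(a.password_fingerprint, []).append(a.name)
    for names in by_fingerprint.values():
        if len(names) > 1:
            findings["shared_password"].append(sorted(names))
    return findings


REVIEW_DATE = date(2020, 9, 25)

# Constructed sample inventory; none of these accounts or people are real.
SAMPLE_ACCOUNTS = [
    Account("svc-backup", "ops-team-lead", "service", True, True,
            date(2020, 3, 1), date(2019, 12, 1), "fp-a", justification="nightly backup"),
    Account("jdoe-admin", "J. Doe", "employee", True, True,
            date(2020, 9, 20), date(2020, 8, 10), "fp-b"),
    Account("vendor-acme", "Acme Ltd", "vendor", False, False,
            date(2020, 9, 1), date(2020, 9, 1), "fp-c"),
    Account("temp-qa", "T. Smith", "temporary", True, True,
            date(2020, 9, 24), date(2020, 7, 1), "fp-b",
            termination=date(2020, 8, 31), justification="release testing"),
    Account("helpdesk", "shared", "employee", False, False,
            date(2020, 9, 24), date(2020, 9, 1), "fp-d"),
]

if __name__ == "__main__":
    for action, names in review(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        if names:
            print(f"{action}: {names}")
```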

5.3.2 Mandated Security Measures to Prevent Unauthorised Access by External Parties

Firewalls and other protective security technologies must be operated at the boundary between Operating Company systems and the outside world. This should be achieved through measures such as:

• Implementing firewall policies.

• Only allowing services and ports where there exists a clear, explicit and approved business need.

• Checking firewall status regularly.

• Periodic review of logs.

• Maintenance of full configuration documentation.

• Ensuring that the protective security technology software and firmware is patched in accordance with manufacturers’ recommendations.


5.3.3 Malware Prevention and Monitoring

Malware includes viruses, Trojans and other malicious software, including that delivered by spam emails containing rogue attachments and/or internet links to spoofed websites. The following measures are required to be implemented to limit the risk of malware:

• Any system with an infection of any sort is to be removed from the network immediately to prevent further infection and negative impact on the business.

• All files must be scanned for vulnerabilities.

• All systems should be automated to scan for vulnerabilities regularly.

• All data should be scanned for vulnerabilities prior to being received in the business.

• E-mail attachments and files from external sources must be scanned by anti-virus software before they are loaded onto WPP systems.

• The latest security-update program must always be applied.

• Users must be provided with appropriate anti-virus support, including relevant information and preventive and remedial measures.

• Anti-virus software must be updated in accordance with manufacturer recommendations.

WPP has developed specific protocols to assist Operating Companies with incident handling and these are set out in Section 10 of this Charter.

5.3.4 Intrusion Detection Monitoring and Prevention systems

Appropriate intrusion detection and/or prevention systems must be implemented. Such implementation should be based upon a risk assessment and in particular considering the type of data the Operating Company is handling on behalf of your clients. If you become aware of an incident you should handle it in accordance with the WPP Incident Response Policy.

Intrusion monitoring – critical network access points, internal systems that store confidential, proprietary, sensitive or critical information, and internet-facing systems should be monitored, and security events raised wherever intrusions are detected.

Intrusion Prevention – Intrusions should be prevented through whatever means are available. This might include the configuration of security controls or Intrusion Prevention Systems.

5.3.5 External Connectivity

External connection to clients and third parties should be restricted and limited to minimise risk of exposing Operating Company systems to computer vulnerabilities.

Any permanent network connectivity to a third-party site (e.g. site-to-site VPN), whether client or otherwise, as well as direct access to our networks by third parties, must be configured and operated securely, use multi-factor authentication, and have the express permission of the Operating Network CIO.

Controls must be in place to ensure that any permanent network connectivity to our networks by third parties can be disabled, if required. Regular reviews should take place of such external connections and redundant connections removed or disabled.

Direct access to our networks by third parties is restricted to those approved by WPP who have been through an appropriate security assessment. Access by staff from other businesses should only be provided when written approval is obtained from WPP’s Director of Internal Audit or WPP’s CIO.


5.3.6 Remote Network Access Security & Personal Equipment

Operating Company staff are provided with WPP approved remote working tools such as VPN or Citrix which are designed to be secure. Operating Company staff are only permitted to access Operating Company networks using their personal computers where using approved, secure remote working tools.

Personally owned storage devices such as USB sticks and hard drives must not be used as storage for Operating Company information and Operating Companies should make it clear to Operating Company staff that the Operating Company reserves the right to inspect personal storage devices at any time to ensure that any Operating Company owned and/or client data has not been stored on such devices.

5.3.7 Network Device Security Patches

All network connected devices must be patched in accordance with manufacturers’ instructions and periodic checks for updates are mandatory.

5.3.8 Local Firewalls on Network Connected Devices

All PCs and laptops (including Macs) should have a local firewall enabled.

5.3.9 Use of Wi-Fi hotspots

Non-WPP-approved wireless networks (e.g. Wi-Fi hotspots) should not be set up and connected to the corporate network.

5.4 Security Testing

Penetration testing of externally available services which contain confidential or personal information should be carried out before going live and revisited when appropriate, typically annually. Such testing should include applications, platforms, networks and infrastructure.

Where critical security vulnerabilities are found remediation activity should start immediately.

Penetration testing may not be conducted directly by clients on Operating Company systems. However, penetration testing to an agreed scope with a client, may be performed by (i) WPP or (ii) by reputable companies directly engaged by and under contract with WPP or the Operating Company. Upon agreement with WPP Legal and Security functions, a summary report of the tests may then be shared with the client. Similarly, upon agreement with WPP Legal and Security functions, a redacted report may be made available for inspection during an onsite audit. If a client requests this type of testing you should discuss it with the WPP CISO or nominated.

5.5 Encryption

WPP has negotiated group-wide licences for encryption. Encryption technologies must not be purchased from other suppliers without the prior approval of the WPP CIO. The group-wide licences enable Operating Companies to encrypt the hard disks of desktops and laptops (including Macs).

5.5.1 Desktop and Laptop Encryption

All computers and laptops (including Macs) must be encrypted using approved WPP encryption technologies – this is a mandatory requirement and no exceptions will be granted. Other encryption technologies must not be used as WPP must always be in a position to decrypt and secure Operating Company machines. WPP must hold all encryption keys.


5.5.2 Secure Transfer of Files

If you are transferring confidential data relating to Operating Companies, people or clients, this should be done using secure FTP or similar, so that your files are encrypted and appropriately secured. Third-party services can be used where the service is WPP approved, e.g. OneDrive.

5.5.3 File Server Encryption

Encryption of data on file servers, SANs and other central systems is not currently part of the scope of the WPP encryption project. However, if there is a legal or regulatory requirement, or the data is deemed high risk (medical records or client product data, for example), a file server encryption solution may be sourced via WPP Group IT. Operating Companies should contact the WPP CIO if they need further guidance or information on file server encryption. Where highly sensitive data is being handled and the platform supports it, Operating Companies should make use of encryption to restrict data to specific recipients, with copy prevention and tracking enabled.

5.5.4 Portable Storage Encryption

Portable media drives including USB sticks should not be used, except where they are appropriately encrypted and password protected.

5.6 Restrictions on Server Room Access and Server Room Audits

Operating Company server rooms house a large amount of confidential, proprietary, sensitive and critical information. This information must remain confidential within the Operating Company. Each Operating Company owes a duty of care to protect the information of its staff, officers, shareholders, clients, suppliers and advisors, and inappropriate access to server rooms may lead you to breach legal or contractual duties owed to any of these parties. Access to server rooms should therefore be strictly limited.

5.6.1 Restrictions on General Access to Operating Company Server Rooms

Permanent access to Operating Company server rooms or any third party space used to host WPP computer systems, should only be provided to staff who are responsible for activities inside the server room e.g. add/remove/change of systems, backup and restore and facilities management.

Temporary access may be granted to third parties in limited circumstances as set out in Section 5.6.2 below.

5.6.2 Restrictions on Server Room Access by Third Parties

Clients or client auditors must not be granted access to server rooms. The only parties (external to the applicable Operating Company), accompanied at all times, who may be permitted access to server rooms are as follows:

• WPP Internal Audit or WPP assigned auditors (e.g. Deloitte). These audits will allow Operating Companies to meet regulatory requirements (SOX and statutory audits for example) and contractual obligations with clients; and

• Authorised maintenance, service and installation engineers working under a signed contract with WPP and/or an Operating Company.

5.6.3 Meeting Client Expectations & the Data & IT Security Audit Process

Audits and audit rights should be in line with the WPP Policy for Audit Provisions in Client Contracts.

If your client is subject to a particular regulatory framework which permits audits by any regulator or its representative, you should seek advice from WPP Legal.


5.7 Confidential Information: Security & Best Practice

Operating Companies receive a large amount of confidential, proprietary, sensitive and critical information. This information must remain confidential within the Operating Company.

WPP recognises that the controls may vary between Operating Companies and the controls outlined below are recognised as best practice. Operating Companies must develop and document processes and procedures that include controls outlined below.

5.7.1 Confidentiality Agreements

WPP staff, freelancers and consultants etc. must sign a confidentiality undertaking as a condition of their engagement. This should be included within the employment agreement itself where applicable and for consultants/freelancers this may be either via a non-disclosure agreement or consultancy agreement.

5.7.2 Operating Company and Client Confidentiality

This topic is of critical importance to WPP, its Operating Companies and its clients. The definition of confidential information will vary depending upon the nature of the relationship between various parties, but may include strategic and development plans, Operating Company/client plans, records, client lists, spending amounts, project records, market reports, employee lists, Operating Company/client manuals, policies and procedures, information related to processes, technologies or theory, images, new products, prototypes, trade secrets and other information which may be disclosed as a result of or in connection with a client engagement.

WPP’s principles on client confidentiality are as follows:

• Confidentiality agreements between clients and Operating Companies should be mutually binding.

• Confidential information should not be disclosed to third parties, directly or indirectly, without obtaining the prior written consent of all parties.

• Provision of confidential information should be restricted to those people with a specific need to receive it (any third party should sign an NDA before receiving the information), and the provider should obtain confirmation that adequate security controls are operating to safeguard the data in accordance with agreements, policies and local laws.

• Data Classification - Confidential, proprietary, sensitive and critical information must be protected in line with legal, regulatory and contractual requirements. This may include adherence to client specific classification and handling requirements.

• Access to and use of confidential information should be structured in order to adhere to all confidentiality arrangements and needs that have been established by the parties.

• Teams working on conflicting assignments must be physically separated.

• Client data must be segregated by logical measures or, if required by a client for legal or regulatory reasons, by physical measures. Implementing physical measures can be costly, and further advice and guidance should be sought from WPP Legal, who will escalate to the WPP CIO where appropriate.

• Highly sensitive client information is restricted to authorised staff as agreed between the client and the Operating Company.

• Operating Company management will manage reassignment of staff, including considering reasonable “cooling off” periods, if moving between conflicting assignments within the Group.


• Forwarding, downloading and copying of client information to personal devices is forbidden.

5.7.3 Operating Company and Supplier Confidentiality

Prior to disclosing any confidential, proprietary, sensitive and critical information to a supplier Operating Companies should ensure that they have a signed NDA in place.

The NDA should include restrictions on usage, dissemination and return of Operating Company information. If you have any questions on nondisclosure agreements and the form they should take, contact WPP Legal.

Where suppliers have been selected to work with Operating Companies, supplier contracts should contain appropriate, necessary confidentiality provisions including (where possible) a specific clause granting the Operating Company the right to periodically audit and review the supplier’s data handling processes and systems and the sites where confidential information is held.

5.7.4 Training

WPP staff and all consultants used by each Operating Company should be briefed on the importance of confidentiality to WPP, its clients and businesses. This should be included in employee inductions and in other training sessions where it is possible and appropriate to do so. Briefings on the importance of confidentiality should take place at least annually. If your Operating Company requires further guidance on training please contact WPP Legal.

5.8 Secure Data Backup & Recovery

Backup data and archive data must be stored off-site at a professional data storage facility or a geographically distant second Operating Company managed site, in a secured, environmentally controlled room. Backup media must be encrypted and transported in a secure fashion, including an audit trail.

5.8.1 Backups

The configuration of the backup process (i.e. the lists of systems and data) must be documented and must be configured to comply with Section 8 of this Policy - the WPP Data Handling and Retention Policy.

Failed backup jobs must be tracked and the cause and remediation documented.

Backup jobs must be configured so that current-month financial data can be restored within 1 business day (assuming that the IT infrastructure is fully operational).

5.8.2 Restore Testing

Regular backup and data restoration tests must be performed for all servers storing financial, HR, payroll, data from clients where the contract requires it, and other business-critical data.

Test results should be documented as well as all corrective action taken for any failures.

Test results of the restore of whole applications and their data sets must be documented and reviewed for improvement to restoration procedures.

5.9 Secure Data Disposal

Operating Company data must be stored in accordance with Section 8 of this Charter - the WPP Data Handling and Retention Policy. In the event that any Operating Company data is no longer needed and/or required to be kept by law, it should be disposed of in a secure and confidential manner.


WPP recognises that the controls may vary between Operating Companies. The controls outlined below are recognised as best practice where disposing of Operating Company data, but should you have further questions or concerns please contact the WPP CIO.

5.9.1 Return of Client Information

Information may be disposed of by returning it to its originator in a secure manner. Client contracts frequently require Operating Companies to return information at the end of projects and Operating Companies should put in place appropriate procedures to ensure that client data is returned securely and in a timely manner (preferably at the client’s cost). Note: It may not be possible to return all data to clients – please see Section 8 – WPP Data Handling and Retention Policy for further guidance on this topic.

5.9.2 Secure Shredding

Operating Companies should have a secure way of shredding confidential, proprietary, sensitive or critical information.

5.9.3 Wiping Electronic Data

Simply deleting files from devices (e.g. USB drives, external hard drives, memory cards, zip disks, etc.) and emptying the ‘Recycle Bin’ does not make electronic data unrecoverable. There are sophisticated data recovery technologies available on the market today that can recover data that has been deleted, reformatted or damaged. To delete electronic data securely, it must be disposed of using technology that performs a series of successive data writing & erasing in a random pattern and/or low level reformatting that ensures that the electronic data is completely irrecoverable. Note: Electronic data of senior management (CEO and CFO) should not be wiped from any machine or device for a period of 12 months following departure.

As a guide, all data disposals should align to NIST Special Publication 800-88 Revision 1 Guidelines for Media Sanitization (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf). If you need more information and guidance on secure disposal of Operating Company information contact the WPP CISO.

With the above in mind, Operating Companies must ensure practices are in place to ensure compliance with the following:

• Understand the cost of sanitisation and add it to procurement costs. Set aside budget to address sanitisation.

• Data should be erased securely, or the medium destroyed where secure erasure cannot be verified.

• Retain the manufacturer manuals so you know how to sanitise your media when you need to.

• Record the lifecycle of your storage media (what is it being used to store, where, and for how long?).

• Use trusted third parties for the sanitisation of data and hold them to recognised standards.

• Obtain destruction certificates from third party destruction services.

• Ensure destruction processes and equipment are periodically tested.

• Verify that your data is being sanitised appropriately.

• Before disposal of physical assets, remove all labels or markings that indicate ownership of the device (or the nature of the data contained).


5.10 Mobile Device Security

Operating Company staff frequently work on the move and use mobile devices such as mobile phones and tablets. Ensuring that the information held on those devices is protected appropriately is very important. WPP requires Operating Companies to ensure that mobile devices are secured appropriately.

5.10.1 Mobile Device Security

Mobile devices that hold Operating Company data should be secured and protected. These devices often contain valuable information such as emails and contact lists which could be damaging or cause a loss to the Operating Company if lost or stolen. Only approved mobile devices can be used with the Operating Company mail system. The following is mandatory for all mobile devices:

• Devices must have a PIN/Password with a minimum length of 4 alphanumeric characters.

• More than 10 successive invalid login attempts to a mobile device must result in the data on the device being automatically erased and/or locked.

• All devices must have an inactivity time-out limit which is set to lock the device after a maximum of 15 minutes of inactivity.

• Devices must have remote wipe capability.

5.10.2 Theft or loss of Mobile Devices

If a mobile device is lost or stolen, the user should contact their local help desk or IT support immediately. Not reporting the device lost or stolen at the first possible opportunity is a violation of the Policy and may result in disciplinary action up to and including dismissal.

If a device is lost or stolen the device should be wiped to protect the Operating Company from data loss. Please note: this would include both personal and company owned data stored on the device.

5.10.3 Mobile Device Termination Procedure

When an employee leaves an Operating Company all mobile devices that contain Operating Company information for the individual must only be wiped by the Operating Company IT support team. This is done to ensure all personal data and all information related to corporate activity is removed from the device. This process should be undertaken in consultation with the Operating Company HR team.

5.10.4 Bring Your Own Device (BYOD)

Only WPP IT Security approved, and centrally procured, methods, approaches and technologies may be used to enable personal devices (“BYOD”) for access to corporate resources.

Such controls will at a minimum utilise data at rest encryption and compartmentalisation, block access to controlled data (such as clipboard data), enforce an additional password and/or PIN for access to data and allow for the ability to remotely wipe such data.

Where required by local law, employees must be made aware of, and consent to, the possibility of security monitoring, remote configuration changes and/or wiping of the device or data prior to having any personal device or account enabled for such access.

Once an approach to leveraging centrally approved “BYOD” technology has been understood and enabled, Operating Company IT departments are responsible for ensuring that the configuration of such controls matches WPP IT standards and guidance and that such controls are continuously monitored. Any exceptions must be agreed in writing with the WPP CIO and WPP CSO.

WPP does not reimburse employees for any costs incurred or associated with the use of a personal device for business purposes.


5.11 Information Technology Procurement

WPP has negotiated group-wide pricing for Operating Companies purchasing IT software and hardware through selected, recommended suppliers. Operating Companies should use recommended suppliers and utilise the agreed group-wide pricing. WPP IT should be contacted for assistance and guidance on hardware and software procurement.

Any contractual commitment with a third party provider of IT services or equipment greater than $500k must be approved in advance in writing by the WPP Group CIO.

5.11.1 Cloud Computing Services

WPP has global agreements in place with Google (GCP and G Suite), Microsoft (Azure) and Amazon Web Services (AWS) for the provision of Cloud services.

All Cloud Service requests must be routed to WPP Cloud Managed Service Partner Cognizant who are responsible for ensuring that all Cloud Services and resources meet WPP’s minimum standards. No Cloud Services should be provisioned using credit cards.

Prior to submitting ANY request for Cloud Services, requestors must read and ensure compliance with the Cloud Controls Notice seeking written approval from the WPP CIO where needed.

For further information or any queries please contact the WPP IT Commercial Services Team at: [email protected]

5.11.2 Purchase of computer software

WPP has put in place Group-wide software agreements with Adobe, Microsoft, ProofPoint and Sophos under their respective corporate contracts. All acquisitions of this software must be made via WPP IT’s Software Asset Management (SAM) Team - [email protected]

Oracle and any other software requirements should also be discussed with the WPP IT SAM team in the first instance for advice/guidance.

Any exceptions to this policy must be approved in writing by the WPP CIO.

5.11.3 Purchase of Computer Hardware

WPP has agreements in place with Dell and Lenovo for the direct supply of Windows laptops in a number of countries. The Dell and Lenovo WPP portals display the latest approved models and prices. Laptops purchased will be supplied with the WPP image pre-loaded and include a 3 year next business day, keep your hard drive warranty.

Where Dell and Lenovo cannot supply directly then requirements should be directed to GlobalServe. Laptops purchased will be supplied with a 3 year next business day, keep your hard drive warranty.

WPP also has agreements with CDW and Globalserve for the supply of Apple laptops and all other computer hardware/peripheral requirements, note that services may not be purchased.

CDW may only be used in the UK, US and Canada. GlobalServe should be used in the rest of the world. Both vendors supply Apple devices with the WPP discount applied.

For full details of all supplier hardware portals, how to register, and any queries, please contact the WPP IT Commercial Services Team at: [email protected]

5.11.4 Leasing – General IT

Leasing (whether Operating or Finance) should not be used to acquire IT hardware or software or to fund any technology projects without the written approval of the WPP CIO and the WPP Group Chief Accountant.


5.11.5 Leasing - Printers and Copiers

WPP outsourced its print requirements to Xerox and has standard contracts agreed with Xerox that can be used to acquire printers and copiers as part of a managed print service. These contracts have been designed to ensure that such contracts meet WPP Finance’s requirements regarding treatment as Operating Leases.

There are certain procedures that are required to be followed when taking out these leases – designed to ensure that operating lease criteria are met – which are set out in the relevant section of the WPP Intranet at inside.wpp.com.

The print managed service is a local arrangement that OpCo’s contract for directly with Xerox and should be adopted wherever possible, to meet our sustainability objectives.

For further information or any queries please contact the WPP IT Commercial Services Team at: [email protected]

5.12 WPP Client Hosting Policy

5.12.1 Client Hosting

Operating Companies frequently assist clients with the development of websites with services where the resulting product requires hosting on server infrastructure, for example CRM platforms or websites. Client agreements often contain provisions requiring the Operating Company to host directly, or to engage a third-party hosting services provider as a subcontractor to the client agreement. The policy outlined below identifies how these services should be provided to clients.

1. Operating Companies should not agree to host client content, data, systems or websites directly on Operating Company server infrastructure; and

2. Operating Companies should not enter into agreements with hosting services providers on behalf of the client, unless:

a. The Operating Network CIO has approved the exception; and

b. The terms of the client agreement have been completely flowed down to the hosting services provider or the terms of the hosting services provider have been agreed with the client as limiting the extent to which the Operating Company is responsible and liable – the client cannot be offered enhanced terms over and above that from the hosting services provider without exception from WPP Legal; and

c. Charges from the hosting services provider are treated as a pass-through item payable by the client no later than thirty (30) days post invoice; and

d. Appropriate IT controls consistent with all sections of the WPP General Computing Controls (GCCs) are implemented. These will include but are not limited to: patching, backup, password protections, monitoring, change management, physical security and segregation.

The purpose of the policy is not to reduce or stop Operating Companies working with clients but to ensure that the core skills of the Operating Company are appropriately leveraged whilst ensuring that the Operating Company is not taking on an unacceptable level of risk or cost.

5.12.2 Penetration Testing

All client, external facing websites and applications should be penetration tested prior to launch and at regular intervals to be agreed and paid for by the client. WPP has centrally available expertise in this area and can assist Operating Companies with this. Business continuity plans must be updated to include procedures for the third-party hosting environment and be consistent with service level agreements in place with the client.


If your client is subject to specific regulatory controls, then we recommend that you contact WPP Legal in the first instance.

See also WPP Policy for Audit Provisions in Client Contracts.

5.12.3 Written Documentation

Operating Companies should have written documentation in place prior to the launch and/or hosting of any client website. The documentation must clearly set out the responsibilities of both the Operating Company and client in relation to the website, including but not limited to: responsibility for hosting, the security protocols to be applied to the website and responsibilities for delivering them.

The documentation should include information on the types of data hosted on the website. Websites have the potential to host vast amounts of data – including personal data relating to consumers.

Whilst it is important that all data on websites is treated appropriately, there may be specific (including legal or contractual) considerations in relation to certain categories of data which may vary by country. Operating Companies must be aware of relevant laws and ensure they have adequate procedures in place to ensure that they can meet those requirements (where applicable).

5.12.4 Website Hosting Incident Management

Any suspected or actual breach of the hosting environment or of a client website hosted by a third party must be reported to WPP in the same manner as any other security incident, and no later than 24 business hours after it occurs. WPP’s Incident Management procedure is detailed in Section 10 of this Charter.

5.12.5 Guidance and Advice

Further guidance and advice on website hosting and how best to approach client requests on this topic can be sought from the WPP CIO.

5.13 Secure Software and Application Development

Creating secure software for our clients is a significant value-add to WPP and its agencies. It is therefore essential that all software development is done in a secure fashion, not simply through the separation of development and user environments but also through writing the highest quality software.

All software development teams must check their source code and applications for security vulnerabilities, not only during the development lifecycle but also prior to launch. Retesting must be undertaken if any significant change is made to an application after delivery/launch.

All applications must undergo penetration testing using a risk-based approach and scoped appropriately to the scale and impact of the application in question.

For example, an application handling sensitive data must receive a final manual penetration test from an approved third party (see 5.12.2 Penetration Testing) and have any high impact vulnerabilities which are found remediated prior to delivery and/or launch. A high impact vulnerability is one which may significantly impact the Confidentiality of data in the application, the Integrity of the application or the Availability of the application in a negative fashion.

Genuine security benefits can only be realised when delivery teams weave security into their everyday working practices. During design and delivery, continuously ask questions, discuss and identify potential security issues and work together to deliver solutions.

As a company WPP aligns to the development guidance set out by the UK National Cyber Security Centre (https://www.ncsc.gov.uk/collection/developers-collection/principles); however, it is crucial that operating company teams are aware of what best practice is for their manner of working and how that practice aligns to secure their product, such as the OWASP Top 10.

Additional industry guidelines and best practice can be found here (this is not an exhaustive list):

Apple development - https://developer.apple.com/security/

Google development - https://developers.google.com/web/fundamentals/security

Microsoft development - https://www.microsoft.com/en-us/securityengineering/sdl/practices


6 WPP ACCEPTABLE USE POLICY

Operating Company staff must use Operating Company IT systems in a responsible and professional manner. Outlined below are the core behaviours all people need to adopt. Failure to act in a responsible and professional manner may result in disciplinary action up to and including dismissal.

6.1 Email Usage Policy

All Operating Company staff are responsible for the content of emails which they send or forward from their corporate email account. Operating Company staff must ensure at all times that the content of any email is lawful and in accordance with the WPP Code of Business Conduct, particularly in relation to sexual harassment and offensive behaviour.

All network and WPP email accounts may be monitored from time to time and operating companies will inform all staff and personnel with such accounts of this fact.

WPP and its operating companies shall have the right to access all corporate accounts at any time, in particular when unlawful conduct is suspected.

Personnel should not use, store or forward corporate information on any personal email accounts. WPP reserves the right to inspect personal email accounts if it is suspected that corporate information is stored there.

WPP will exercise its rights in this regard in accordance with Applicable Laws and the WPP Privacy Policy.

The WPP Code of Business Conduct can be found on the WPP Intranet at:

https://inside.wpp.com/insidewpp/business/policies/code-of-business-conduct/

Operating Company staff should consider the content of email messages as carefully as they would any other form of written correspondence; the effect in law of sending an email is the same as sending a letter on WPP’s or your Operating Company’s headed paper. Remember that emails may have to be disclosed under certain privacy laws and as evidence in any court proceedings, litigation, arbitration, tribunals or investigations by regulatory bodies. Inappropriate content contained in emails may damage both your interests and those of WPP.

Consider whether email is the appropriate method for transmitting sensitive or privileged information – think about whether you should use, for example, secure file transfer.

Operating Company staff must not make excessive use of the Operating Company’s email facility for sending or receiving personal email. You must not pass on personal messages containing jokes, pictures or other similar attachments that could cause offence to any colleague and should discourage external contacts from sending such material. Subscribing or registering on websites using your Operating Company email address can lead to unwanted spam email being received and should be avoided where practical.

Care must be taken when using email to avoid potential fraud and phishing attacks, which often involve identity theft. Operating Company staff should not click on links in emails unless they are sure of the source. Be wary of unusual emails from trusted sources.

6.2 Internet Usage Policy

All Operating Company staff are responsible for their use of the internet accessed through WPP or Operating Company systems.

Operating Company staff should neither copy, transmit nor download third party owned material without permission as this may infringe copyright.


Operating Company staff must not use the internet to gain unauthorized access to computer systems.

Operating Company staff must not make excessive use of the Operating Company’s internet connection for personal reasons during or outside working hours. Use of the internet may be monitored by the Operating Company and you will be asked to justify excessive use of the facility.

Operating Company staff must not attempt to access or retrieve offensive, pornographic, racist, violent, discriminatory or unlawful material or access any site that breaches the principles of the WPP Code of Conduct, local laws or could damage the reputation of WPP or the Operating Company. Operating Company staff that access these sites may be subject to disciplinary action up to and including dismissal.

6.3 Public Instant Messaging

Publicly available instant messaging (e.g. WhatsApp, Facebook Messenger) is not secure and its use should be avoided where possible for confidential, client and business-related communications. Only WPP approved corporate instant messaging systems should be used.

Such public instant messaging platforms may be appropriate in respect of Business Continuity and Operating Companies should document how these platforms would be used as part of their Business Continuity Plan.

In the event employees use public instant messaging services (e.g. WhatsApp) for work conversations, work product or business information, WPP reserves the right to access those messages to recover business or employee information stored there. Operating companies will inform employees that WPP may require access to such messages in these circumstances.

6.4 Use of Public File-Sharing Systems

There are a variety of publicly available and often free facilities to transfer large files without using email and to store data “in the cloud”. Such facilities must not be used for the transmission or storage of Operating Company data and/or client data. Only WPP approved file sharing systems should be used.

6.5 Use of Operating Company equipment

Operating Company staff must not use Operating Company equipment (e.g. storage, servers, equipment) for the storage of personal content including but not limited to music, video files, and images. WPP and the Operating Company reserve the right to delete or dispose of, without notice, data and files that are not related to company work.

Operating Company staff must not attempt to store offensive, pornographic, racist, violent, discriminatory or unlawful material or any content that breaches the principles of the WPP Code of Conduct, local laws or could damage the reputation of WPP or the Operating Company. Operating Company staff that use Operating Company equipment for such purposes may be subject to disciplinary action up to and including dismissal.


7 WPP SOCIAL MEDIA POLICY

7.1 Introduction

In this policy “Social Media” means any online communication tool which facilitates the creation, publication, storage and/or exchange of user-generated content. Social Media includes (but is not limited to) Twitter, Skype, Facebook, Myspace, YouTube, Flickr, LinkedIn, Pinterest, Wikipedia, Google+, Tumblr, Snapchat, Instagram, Youku, Wechat, Weibo, Renren. We recognise that the range of Social Media available for use is diverse and constantly changing and this is not intended to be an exhaustive list. The definition of Social Media includes all other social or professional networking sites, blogs, microblogs, comment threads or forums and comment spaces or other applications or websites which allow the user to upload, store, publish and/or exchange information.

Social Media is an increasingly influential and powerful way to communicate and we want to harness the possibilities presented by Social Media for our own business as well as our clients’ businesses. At the same time however, employees’ use of Social Media can present a threat to our levels of professionalism and productivity and to our confidential and proprietary information and it has the potential to damage our reputation. As with the internet and email, inappropriate use of Social Media can also create significant financial and legal (even criminal) liability for you personally as well as for WPP. To minimise those risks you are required to comply with this policy.

The policy applies to the use of Social Media for business purposes as well as to its use for personal purposes and whether you are using Social Media during or outside work hours. It also applies irrespective of whether Social Media is accessed and/or used using WPP’s IT equipment.

7.2 Use of Social Media

When using Social Media at any time your profile and any content you post should be consistent with the professional image you present to colleagues, employees, customers, business partners and suppliers of WPP.

THINK about what you are posting. DON’T:

• Post anything that would or might be offensive to your colleagues or to customers, business partners or suppliers.

• Include content which could be construed (directly or indirectly) as being disparaging, defamatory or offensive, including (but not limited to) discriminatory comments, insults or obscenities.

• Post comments about sensitive business-related topics such as the profits, plans or financial performance of WPP or any part of the Group, even if you are stating your own personal view and you do not directly identify yourself as an employee of WPP.

• Post or link to sites which may contain viruses which could affect the functioning of WPP’s IT systems.

• Post anything about colleagues or customers, business partners or suppliers when posting in your personal capacity.

• Disclose any trade secrets or other confidential information or intellectual property or copyright belonging to WPP or any clients through any form of Social Media. This includes using logos, brand names, slogans or other trademarks.


• Do anything which could amount to misuse or infringement of the intellectual property or copyright of any third party.

• Provide references for any employee or former employee using Social Media because these references, whether positive or negative, may be attributed to WPP and can create liability for you and WPP.

7.3 Personal Use of Social Media

You should ensure that you make a clear distinction between your personal use of Social Media and any pre-approved use of Social Media for business purposes.

In general, what you do in your own time is a matter for you and WPP does not want to place any onerous or unnecessary restrictions on your private usage of Social Media. However, THINK: any information you post will be public and will potentially be accessible for years to come by WPP, your colleagues, your business contacts and the general public.

Even though your use of Social Media may be personal in nature, remain mindful of your obligations as an employee within the WPP group and don’t breach those obligations. In particular:

• You should always make it clear that you are speaking on your own behalf. Include a disclaimer that your views do not represent those of WPP (unless agreed otherwise). If blogging, think about using a pseudonym as this helps protect your own privacy, as well as WPP’s interests.

• You must not use a business email address to subscribe to any non business-related form of Social Media.

• You should not make reference in your personal Social Media content or usage to Social Media content you have created in a professional capacity.

• You should not post details about WPP.

7.4 Business Use of Social Media

If you use Social Media in the course of your employment with us for any purpose, consider all content carefully and agree an appropriate content approval process with your manager. This includes both content posted on Social Media for a client or content posted for the public relations purposes of WPP, the Group or your Operating Company.

If you are contacted at any time, via any medium, for comments relating to WPP or any Group company or about anything you have posted, you must not respond without prior approval from the WPP Communications Team or from your company’s own Communications Team.

Contacts made during the course of your employment ("Business Contacts") belong to the Group and details of any such contacts are confidential information belonging to the Group. Where you upload details of your Business Contacts to any form of Social Media, we expressly reserve the right to require you to:

• Adjust the privacy settings of any Social Media site or account where you have added details of Business Contacts in order to protect the confidential status of this information.

• Delete all Business Contacts stored in any form of Social Media at any time if requested and immediately before your employment with us terminates.

• Enter into a contractual agreement preventing you from soliciting or dealing with Business Contacts after the termination of your employment.


7.5 Internal Social Media

Internal company blogs or other internal employee online forums (“Internal Social Media”) are frequently used to allow the open exchange of information and to create a platform for new ideas to be shared. When using any form of Internal Social Media:

• Don’t let it interfere with your work commitments.

• Don’t post any content or include links to content which is pornographic, indecent or otherwise offensive, including any content which amounts to a breach of any other WPP policy. WPP may monitor the content of Internal Social Media and WPP may at any time prohibit, discontinue or block access to Internal Social Media and take appropriate action in relation to policy breaches or inappropriate conduct.

• Remember that any personal information or content you include on any form of Internal Social Media will be accessible by and may be used by other employees.

• Remember that all and any content and information included on any Internal Social Media which relates in any way to WPP’s business, remains the property of WPP, and can be used by WPP for any purpose whatsoever.

• WPP will own all original content, ideas, writing, artwork, videos and plans submitted by you to any Internal Social Media and may use the same for any purposes whatsoever.

• You expressly release WPP from any claim based upon your decision to upload information or content or otherwise participate in any Internal Social Media.

7.6 Breach of the Social Media Policy

Breach of this policy (or breach of any other policy by your use of Social Media) may be treated as a disciplinary offence and may result in you being subject to disciplinary action up to and including dismissal. You may also be subject to legal action.

If you are found to have uploaded material using any form of Social Media which in the reasonable opinion of WPP may give rise to a legal or commercial risk for WPP or the Group and/or is disparaging of WPP, the Group, or any employee, client of or supplier to WPP, you will immediately be required to permanently remove, or to procure the permanent removal of, such material.


8 WPP DATA HANDLING AND RETENTION POLICY

8.1 Introduction

WPP is a data driven business and it is critical that it ensures that data is always used and protected appropriately.

The purpose of this Data Retention Policy (“Policy”) is to set out for WPP’s Operating Companies (“Operating Companies”) best practice principles in relation to data handling and retention.

The Policy applies to all Operating Companies wherever they are located in the world, and Operating Companies should designate a person to take responsibility for the implementation and roll out of this Policy.

All WPP staff are expected to read and adhere to the Policy as it applies to their job function.

Best practice at WPP is that data that is no longer required for the purpose for which it was collected should be archived or deleted, as appropriate.

8.2 WPP Data Retention and Information Policy

Operating Companies handle large volumes of data in electronic and hard copy form. The sources of such data may be internal or external and can vary considerably. Data includes (but is not limited to):

• paper documents including: accounting documents, letters, contracts, invoices, client confidential information such as product launches or business plans, etc.;

• emails and attachments;

• databases and/or online systems;

• cloud systems such as Azure, AWS and Google Cloud;

• social media or other mass communication tools; and

• websites.

The purpose of the policy is:

• to set out WPP’s standards in relation to data retention and the length of time that information should be kept by Operating Companies (whatever form the data may take); and

• to inform staff of their legal and contractual responsibilities in relation to the retention of client data on WPP systems and premises.

Operating Company data may include confidential, proprietary, sensitive, or critical information. This information must remain confidential. Each Operating Company owes a duty of care to protect the data of its people, officers, shareholders, clients, suppliers and advisors.

WPP’s approach to data retention is that the data required to run any Operating Company’s day to day business and provide client services should be available; everything else which does not fall within this category must be archived or deleted as appropriate. The approach to this will vary by Network. Advice should be sought from your Network CIO, WPP CIO or WPP Legal.

Where the platform allows, operating companies should make use of data classification and retention tools to protect WPP and client data. At a minimum this should label and encrypt data and/or files as 'internal' to the operating company and as such only allow access from users with valid operating company identities.


8.2.1 Accounting Records

All information relating to accounting records must be retained for 10 years and then deleted. This includes information that supports the accounting records, including emails and attachments where approvals may have been sought. This is to ensure that Operating Companies are compliant with the requirements of all applicable legislation, including tax legislation and the Sarbanes-Oxley Act, and also with WPP accounting policies.

In some countries there may be occasions where the local minimum may be longer than 10 years. Operating Companies must be aware of relevant laws and ensure they have adequate procedures in place to ensure that they can meet those requirements.

8.2.2 Emails

As the default rule, all operating companies must apply a 10 year data retention policy on email and ensure that there is a policy and process implemented to delete email older than 10 years.

There are instances where a litigation hold may be required for individuals or particular teams (e.g. legal functions). In such instances, operating companies must ensure that there is a policy and process to ensure that the emails of those individuals can be retained and are accessible beyond the 10 year retention period.

Operating companies should maintain a record of those individuals and teams that have a litigation hold policy applied and should also review these at least annually to ensure their continued relevance. See also 8.2.6 Action in the Event of Legal Proceedings.

8.2.3 Client Data

Data developed, used or received in connection with a client must be retained by Operating Companies as required by the client contract.

Operating Companies must ensure that all applicable Operating Company staff (i.e. those handling or responsible for client data) are familiar with the client’s contractual requirements relating to the length of time that client data should be kept by Operating Companies and that the Operating Company has adequate procedures in place to ensure that they can meet those requirements. It is important to understand that a client industry requirement (e.g. financial services or pharmaceuticals) may be longer than that of the marketing communications industry.

Client contracts frequently contain specific provisions on how data may be retained, disposed of or returned to the client. Operating Company staff must also ensure that they can comply with those requirements.

If an Operating Company does not have a contract in place or is operating under terms and conditions that do not specifically address data retention it is always good practice to discuss with the client how long it requires its data to be held on Operating Company systems or premises and to record those requirements in writing (which may be via email). Storage beyond 10 years requires specific written consent from WPP Legal.

If client data supports the accounting records, the information should be maintained in accordance with the accounting records’ retention periods and in the event of any conflict with the client contract, the accounting record’s retention periods will prevail.

8.2.4 Data Accessibility

The information and data being maintained do not need to be retrievable instantaneously. It may therefore be archived in bulk off-site. Archival of electronic data must be consistent with the WPP Backup policy - see WPP Information Technology Policy for further details. A response time of 5 working days for retrieval would normally be acceptable, but you should determine this according to your operational needs.


8.2.5 Data Disposal

In the event that any Operating Company’s data is no longer needed and/or required to be kept by law or contractual obligation it must be disposed of in a secure and confidential manner. Data Disposal must be in accordance with the WPP Data Disposal Policy - see section 5.9 for further details.

8.2.6 Action in the Event of Legal Proceedings

If at any stage an Operating Company becomes aware of legal action that involves any area for which the Operating Company has information or data, the Operating Company must take immediate steps to ensure that no such information or data is deleted or destroyed or altered in any fashion until the final settlement of such action or as notified by the WPP Legal team.

Operating Company senior management must communicate the importance of retaining data and information relating to legal actions to all staff and in the event of potential or actual legal action must secure all relevant information and data to prevent its destruction.

Anyone who becomes aware of any investigation or legal proceedings concerning the Operating Company, or contemplated investigation or legal proceedings should contact the Operating Company’s senior management immediately.

In the event that any data or information relating to a legal action is deleted or destroyed (for whatever reason), WPP Legal must be informed immediately.

8.2.7 Sarbanes-Oxley Act

Under the Sarbanes-Oxley Act, it is a criminal violation to knowingly alter, destroy, mutilate, conceal, cover up, falsify or make a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation of any matter within the jurisdiction of any department or Operating Company of the United States, or in relation to or contemplation of any such matter or case. Additionally, there can be adverse consequences to destroying documents that are the subject of legal proceedings. Accordingly, it is critical to retain all documents in the Operating Company’s possession – whether in electronic or hard copy form and whether created and/or maintained by current or former employees – related to an actual or contemplated government investigation or legal proceeding. This includes investigations by the Equal Employment Opportunity Commission, Department of Labor, the Federal Trade Commission, the United States General Accounting Office, etc.

8.2.8 Who is Responsible?

Senior management at Operating Companies must ensure all staff are aware of this Policy and, in particular, the additional ramifications of deleting information in the knowledge of potential or actual legal action. Senior management at Operating Companies must also ensure that they are aware of local laws, including those specific to client contracts and be prepared to demonstrate to the client that they are being met.

WPP Operating Company staff must enforce this Policy for information they use or store, whether electronically or in hard copy form.

8.2.9 Data Health Checkers

All Operating Companies must complete the WPP Data Health Checker annually. The survey must be completed by the Managing Director or CIO of the Operating Company.

8.2.10 Personal Data

Operating Companies must familiarise themselves with local legislation concerning the processing of personal data. Personal data that is no longer required for the purpose for which it was collected should be deleted.


Operating Companies which are based in the European Economic Area (EEA) and Operating Companies which provide services to clients and/or consumers in the EEA must be able to demonstrate compliance with the General Data Protection Regulation (EU) No 2016/679 (GDPR). This includes without limitation:

1. Maintaining records of processing

2. Employing appropriate technical and organisational controls for the protection of personal data

3. Ensuring that public facing websites, microsites, and other forms of interaction with consumers in the EEA where personal data is gathered, display a Privacy Notice, and such notice is reviewed at least annually

4. Ensuring that Data Processing Impact Assessments are completed as required

5. Ensuring that data is handled in accordance with the WPP Data Code of Conduct and WPP Privacy Policy

8.2.11 Further Documentation

Operating Companies must ensure that all employees complete the Safer Data training. Guidance and templates are available via Safer Data on insideWPP, and all employees must familiarise themselves with the GDPR and applicable laws in their own jurisdiction.


9 WPP BUSINESS CONTINUITY POLICY

9.1 Introduction

WPP is a data driven business and it is critical that it ensures that data is always used and protected appropriately.

The purpose of this Business Continuity Policy (“Policy”) is to set out for WPP’s Operating Companies (“Operating Companies”) best practice principles in relation to the continuity of business operations.

The Policy applies to all Operating Companies wherever they are located in the world, and Operating Companies should designate a person to take responsibility for the implementation and roll out of this Policy.

All WPP staff are expected to read and adhere to the Policy as it applies to their job function.

9.2 Business Continuity

Business continuity is critical to WPP Operating Companies. All Operating Companies must have a business continuity plan. Business continuity plans contain confidential, proprietary, sensitive and critical information and copies must never be given to clients or other third parties. WPP understands that requests may be made by clients for copies of these documents and you should seek advice from WPP Legal when this scenario arises.

9.2.1 Business Continuity Plan

Every Operating Company’s business continuity plan must include at least the following:

• A risk-based assessment of the need to provide alternative IT infrastructure, to support, for example: client systems, e-mail, media, production and accounting systems.

• A risk-based assessment of the need to provide off-site working for staff.

• Use of fire- and water-proof safes for on-site storage of critical Operating Company documentation, including client media, and accounting records.

• Off-site backup storage and identification of copies of essential Operating Company documentation and accounting records.

• A communication plan covering the following:

  • Defined responsibility for communicating actions to staff (Do they stay at home? Do they go to alternative premises?).

  • A list of staff, client and supplier contact numbers and defined responsibility for liaising with clients and suppliers.

  • The “approved” style and content of communications to be given to staff, clients and other third parties.

The above list is not exhaustive and should be adapted as appropriate. Some of these actions are very inexpensive to implement (for example the communication plan). Others may be solved with a cross-agreement with another Operating Company (such as off-site backups). Others may require greater expenditure and hence the cost/benefit of potential actions must be considered in conjunction with your operational needs and risk assessment.

Once in place, the plan should be tested annually to ensure that it functions as intended and that staff remain familiar with the procedures and so that it may be revised in light of changing conditions.


Further guidance is contained on https://inside.wpp.com, including general guidelines, a risk map template and an example of a business continuity plan under these guidelines.

The risk map should help you document the key risks specific to your Operating Company and hence to develop response plans to mitigate the risks. These may include client or personnel issues as well as loss of IT or building facilities, for whatever reason.

9.2.2 Insurance

Appropriate insurance cover should be in place. Each Operating Company must purchase adequate insurance policies to cover their local risks, taking into account the worldwide policies negotiated centrally through the WPP Risk Officer. Where possible, Operating Companies should use Marsh as their insurance broker to put in place these policies. If further information is required this should be obtained from the WPP Risk Officer.

9.2.3 Service Providers

Where an Operating Company is reliant on a Service Provider for its operations or in support of client requirements (for example hosting providers, or facilities such as conference venues), the Operating Company must ensure that the Service Provider offers Business Continuity and/or Disaster Recovery planning proportionate to the services delivered, and as part of the service charges.

9.2.4 Relevant Documentation

Operating Companies must review and where appropriate complete the following documentation:

• WPP Business Continuity Plan May 2018

• WPP Business Continuity Risk Map May 2018

• WPP Business Continuity Planning – Key Considerations May 2018

• WPP Pandemic BCP Guide May 2018

9.2.5 Force Majeure

Many supplier and client agreements will contain Force Majeure provisions which, if invoked, may give rise to the business continuity plan being put into effect. Operating Companies must check with WPP Legal prior to declaring an event as Force Majeure.


10 WPP INCIDENT RESPONSE POLICY

10.1 Purpose

WPP is committed to protecting the privacy of our employees’, clients’, and business partners’ Personal Data as well as any consumer Personal Data we might process on behalf of our clients. WPP also must protect its confidential business information which does not relate to individuals (e.g. business plans, unreleased publications, client information, financial statements etc.).

The purpose of this policy is to increase the security level of WPP data and information assets and to support and enhance the WPP Information Technology Policy through the effective management of Security Events.

The intent of this document is to:

• Describe the process of responding to an incident.

• Educate users.

• Build awareness of security requirements.

• Take steps to prevent another incident from occurring.

Implementation of this policy will help facilitate quick and efficient response to incidents, decrease the risk level from potential threats, and limit the impact of threats while protecting WPP’s information and assets.

10.2 Scope; User Reporting Responsibilities

This policy applies to all employees, contractors and others who process, store, transmit, or have access to any of WPP’s confidential information or assets (“WPP Users”). Any employee who is found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Any WPP User who suspects that a Security Event has occurred must report the matter to their local management and WPP Legal, and log a ticket with the Service Desk. You can do this via the link below:

https://wppit.service-now.com/service

Depending on the nature of the Security Event, WPP may be subject to contractual and legal obligations that are extremely time-sensitive. In particular, in some cases involving Personal Data, we may have a legal obligation to notify data protection authorities within 72 hours and/or to promptly notify a client if the Security Event relates to Personal Data we have been processing for that client.

It is therefore vitally important that we react quickly to any suspected Security Event, so WPP Users’ prompt reporting of suspected incidents is essential.

10.3 What is a Security Event?

Security Event means any incident that could compromise the privacy, security, confidentiality or integrity of WPP Data. This would include the unauthorized access to, unauthorized acquisition, disclosure or use of, or loss of WPP Data.

Examples of Security Events include:

• A WPP user is tricked into opening an attachment sent via email that is actually malware.


• The theft or physical loss of IT assets including laptops, storage devices (such as USB keys), or mobile devices that contain WPP Data.

• The theft or physical loss of paper records containing WPP Data such as loss or theft of a bag or file containing papers with WPP Data.

• High volumes of connection requests sent to a web server, causing it to crash (Denial of Service).

• A server known to hold WPP Data which is accessed or otherwise compromised by an unauthorized party.

• Improper disposal of records, media or equipment containing WPP Data.

• Accidental or intentional transmission of WPP Data to the wrong person, such as an unencrypted file containing individuals’ Personal Data that is emailed to the wrong recipient.

• A WPP User provides or exposes sensitive information or WPP Data to others through peer-to-peer file sharing services.

10.4 Company Emergency Response Team (CERT)

WPP have established a Company Emergency Response Team to work with Operating Companies in the event of a Security Event:

Team. The Company Emergency Response Team (“CERT”) is a predetermined group of WPP in-house staff that is responsible for responding to Security Events. The CERT should be prepared to act quickly in the event of a Security Event. The role of the CERT is to manage and oversee both proactive and reactive vulnerability and incident management processes and activities. In practice, this means activities such as setting up and maintaining protections, conducting vulnerability and incident analysis, and carrying out response activities on the WPP Information Technology infrastructure.

Redundancy. When feasible, the CERT should maintain personnel redundancy and should have team members in different geographical locations.

Authority. Through this policy, WPP authorizes the CERT to take reasonable and appropriate steps necessary to mitigate and resolve Security Events, in accordance with the escalation and notification procedures defined in this policy. CERT members will have the authority to confiscate or disconnect equipment, to monitor suspicious activity and to have access to WPP’s information assets in order to investigate, analyse and recommend security measures to mitigate Security Events.

Operating Companies will be required to work closely with the CERT during and after a Security Event to ensure effective resolution.

10.5 Incident Response Process

When the CERT is alerted to a Security Event, the incident response process will involve the steps below. More detailed guidance is available in WPP’s CERT Procedures.

• The CERT will document the Security Event in its tracking system.

• The CERT will send notifications to the affected departments or divisions identifying the nature of the Security Event.

• An affected department or division must acknowledge the notification and work with the CERT and the IT support staff to contain the incident as soon as possible.


• The CERT must work with the department or division to investigate and update the tracking system with details of the investigation.

• The CERT, using details from the investigation, will determine the severity of the Security Event.

• The CERT and the IT support staff must update the tracking system when the incident is resolved and close the applicable ticket, when appropriate.

10.6 Prioritization of Security Events

Prioritizing the Security Event is perhaps the most critical decision point in the incident handling process. The CERT uses the following factors to prioritise the handling of the Security Event, as appropriate:

• Functional Impact of the Incident. Incidents targeting IT systems typically impact the business functionality that those systems provide, resulting in some type of negative impact to the users of those systems.

• Information Impact of the Incident. Incidents may affect the confidentiality, integrity, and availability of the company’s information. For example, a malicious agent may exfiltrate sensitive information. An incident that results in the exfiltration of sensitive information may also affect other companies/organizations if any of the data pertained to a client or partner organization.

• Recoverability from the Incident. The size of the incident and the type of resources it affects will determine the amount of time and resources that must be spent on recovering from that incident. In some instances, it is not possible to recover from an incident (e.g., if the confidentiality of sensitive information has been compromised) and it would not make sense to spend limited resources on an extended incident handling cycle, unless that effort was directed at ensuring that a similar incident did not occur in the future.

10.7 Detecting a Security Event

Security Events can include both the “unauthorized access” and “unauthorized acquisition” of WPP Data.

Characteristics of “unauthorized access” include:

• Evidence (e-mail, system log, etc.) of disclosure of WPP Data or other unusual activity.

• System alerts.

• Unexpected changes or use of resources.

• Increased response time.

• System slowdown or failure.

• Changes in default or user-defined settings.

• Changes to or appearance of new system files.

• New folders, files, programs or executables added to system.

• Unexpected enabling or activation of services or ports.

• Protective mechanisms disabled (e.g., firewall, anti-virus).

Security Events involving “unauthorized acquisition” include:


• Theft of computer equipment containing WPP Data.

• Loss of storage media (e.g., CD, DVD, flash drive, etc.).

• Printed materials containing WPP Data are mishandled or improperly destroyed.

• Suspicious or foreign hardware is detected on the WPP network.

• Usually-secured storage areas are found unsecured.

• Disabled security cameras or alarms or locks on cabinets or areas containing WPP Data are broken or damaged.

10.8 Notification Requirements

If there is a possibility that a Security Event involves the unauthorized disclosure or acquisition of WPP Data, the CERT will notify WPP Legal. WPP Legal will direct notification to appropriate WPP personnel, law enforcement and other parties. No reporting can be made to any third party without the express written authorisation of WPP Legal.

10.9 Containment, Eradication & Recovery

After verification of a Security Event the next step is to choose the right mitigation strategy in order to stop the incident from spreading and to prevent further damage to systems. This is highly dependent on the initial analysis results and the prioritization level of the incident. The next step is to gather evidence and handle the incident, in order to develop and recommend the correct measures for the effective mitigation and containment of the incident. After the successful containment of the incident, eradication may be necessary to eliminate components of the incident. During eradication, it is important to identify all affected hosts within the company so that they can be remediated. In recovery, administrators restore systems to normal operation, confirm that the systems are functioning normally, and remediate vulnerabilities to prevent similar incidents.

10.10 Post-Incident Activity

One of the most important parts of incident response is to learn and improve from previous incidents. Lessons learned is a key activity after the completion of an incident response, in which all relevant company stakeholders should be involved in order to improve the security measures and the incident handling process itself. Additionally, all incident data gathered during the response must be documented, analysed and reviewed for further evaluation.


11 WPP DATA SUBJECT RIGHTS POLICY

11.1 Introduction

This policy explains how WPP companies should deal with requests by data subjects to exercise their rights under the EU General Data Protection Regulation (GDPR). It explains what data subjects’ rights are, the circumstances in which those rights apply, and the process that WPP companies need to follow when dealing with a request from a data subject.

If the jurisdictions where the Operating Companies are based have similar or other requirements with respect to data subject requests, such Operating Company must abide by the relevant Applicable Laws, regardless of whether the Operating Company is subject to GDPR.

NOTE: The California Consumer Privacy Act (CCPA) allows California residents similar rights to the GDPR and these are detailed along with the response process in the WPP CCPA Toolkit.

If you have any questions about this policy, please contact Vicky Brown or Gareth Burkhill-Howarth via the email [email protected].

11.2 What are Data Subjects’ Rights under GDPR?

Data subjects have a number of rights under GDPR. The key rights are set out in Chapter III of the GDPR, and are:

• Right of access (Article 15)

• Right to rectification (Article 16)

• Right to erasure (the ‘right to be forgotten’) (Article 17)

• Right to restriction of processing (Article 18)

• Right to data portability (Article 20)

• Right to object (Article 21)

• Rights in relation to automated decision-making (Article 22)

Some of these rights (such as the right to data portability) are new under GDPR. Other rights already existed in EU data protection law, but are expanded under GDPR.

In this document, we use the term “Data Subject Request” to refer to a request by a data subject to exercise any of these rights.

Responsibility for complying with these rights rests with the controller. This means that if a WPP company holds personal data as a processor on behalf of a client, it is not obliged to respond to a Data Subject Request (and it may be a breach of the company’s contract with the client for the company to respond directly). If a WPP company receives a Data Subject Request in relation to personal data in respect of which the company is a processor, it should forward the request to the client. Companies should be aware that the contract may specify a timeframe within which the request must be forwarded to the client, and how the request should be forwarded.

See ‘What’s happened to controllers and processors?’ in the WPP GDPR Toolkit for further information on when a WPP company will be acting as a controller or as a processor. Visit the Safer Data page on InsideWPP to view the Toolkit.


11.3 Recognising a Data Subject Request

Some national data protection laws prior to GDPR required data subject access requests to be made in writing. GDPR does not require a Data Subject Request to be made in any particular form – it could be made by email or letter, or via other means such as a Direct Message over a social network.

It is important that all channels that a WPP company uses to communicate are monitored for Data Subject Requests, and that all Data Subject Requests are logged and processed in accordance with this policy. If you are in any doubt about whether a communication needs to be treated as a Data Subject Request, please contact [email protected].

11.4 What should we do when we receive a Data Subject Request?

Step 1: Log the request. Every WPP company should maintain a log of all Data Subject Requests received, including (i) the name of the data subject, (ii) the type of request (e.g. access or erasure), (iii) the date on which it was received, (iv) the date of response and (v) a description of the response history (e.g. request actioned, request denied or further information requested). If the WPP company has a Data Protection Officer (DPO) and the Data Subject Request was not sent directly to the DPO, the DPO should be notified about the receipt of the Data Subject Request.

The normal deadline for responding to a Data Subject Request is one month from the date of receipt. It will usually be helpful to assign an individual who is responsible for dealing with the Data Subject Request, and to set an automatic reminder to make sure the deadline isn’t missed. See Section 11.13 – How long do we have to respond?, below.

Step 2: Decide whether the Data Subject Request needs to be referred to WPP Legal. Routine Data Subject Requests should not need to be referred to WPP Legal and should be dealt with by the relevant WPP company. However, certain types of Data Subject Requests present particular risks and should be referred to WPP Legal for advice:

• Requests from a current/former employee who was dismissed for cause, or who has brought or threatened proceedings against the WPP company.

• Requests from journalists.

• Requests from known privacy activists or privacy advocacy groups.

Step 3: Decide whether the data subject is entitled to make the Data Subject Request (see Do we have to comply? below).

Step 4: Decide whether further information is required to verify the identity of the data subject (see Verifying the Data Subject’s Identity, below).

Step 5: Clarify the scope of the request, if necessary. If the data subject has not been clear about the personal data he/she is seeking, or about the action he/she wishes the WPP company to take, the WPP company should clarify with the data subject the scope of the request. If the request is expressed in broad terms, the WPP company should consider asking the data subject to narrow the request, such as by topic, date range or information held by certain custodians. However, the data subject is not required to narrow the scope of the request – it is permissible to make a request for all personal data held by the WPP company, and if the data subject refuses to narrow the scope of the request then the WPP company will need to carry out the request in relation to all of the personal data held (subject to the exceptions described below).

Step 6: Identify which personal data about the data subject is held by the WPP company, by carrying out searches of relevant systems. Seek advice from WPP Legal on this where you have concerns. It may be possible to eliminate data at this stage (e.g. data that is obviously outside the scope of the request, or that would obviously be exempt even if it fell within the scope of the request, could be excluded from searches on this basis).


Step 7: Review the search results and decide:

• Which information (if any) falls within the scope of the request.

• Whether any exemptions apply – see Do we have to comply?, below.

• In the case of a Data Subject Request that involves disclosure, whether information should be withheld on other grounds (such as information relating to people other than the data subject – see paragraphs 11.8 to 11.10, below).

Step 8: Complete the handling of the Data Subject Request, by providing the information requested by the data subject or taking the other actions requested by the data subject (taking into account any exemptions or other grounds for withholding information under Step 7) or, as appropriate, by informing the data subject of the reasons for not complying with his/her request. The outcome should be recorded in the company’s Data Subject Requests log (see Step 1).

If the request is to rectify or erase data, or to restrict processing, the WPP company must also communicate the rectification, erasure or restriction to any third party to whom the relevant personal data has been disclosed, unless this is impossible or involves disproportionate effort.

If the WPP company is refusing to comply with the Data Subject Request, it will need to explain this to the individual within one month from receipt of the request, and inform the individual that he/she can complain to a supervisory authority and/or seek a judicial remedy.

11.5 Do we have to comply?

In general, yes. WPP companies cannot refuse to comply with a Data Subject Request because it would be time-consuming or difficult, or because complying with a request would involve providing information that may be embarrassing to the company or prejudice its position in legal proceedings. However, there are some important points to bear in mind.

Data subject rights under GDPR apply only to companies within the scope of GDPR

A WPP company is required to comply with a Data Subject Request under GDPR only if that company is subject to GDPR. Broadly, this will apply in one of two cases:

a) The company is established in an EU Member State, and the processing of the relevant personal data relates to that establishment. If this is the case, the WPP company must comply with the Data Subject Request irrespective of the location of the data subject.

b) The company is established outside the EU but processes the personal data in relation to offering goods or services to the data subject in the EU and/or monitoring the behaviour of the data subject in the EU. If this is the case, the WPP company must comply with the Data Subject Request. Most WPP companies engaged in online behavioural advertising who track the activities of individuals in the EU will be subject to GDPR on the basis that they monitor the behaviour of data subjects in the EU.

See ‘Is the GDPR a global law?’ in the WPP GDPR Toolkit for further information on the territorial scope of GDPR. Visit the Safer Data page on InsideWPP to view the Toolkit.

If the WPP company is a member of the Privacy Shield program, note that the Access principle gives individuals certain rights to obtain access to their data. However, this is more limited than the right of access under GDPR.

Sometimes a Data Subject Request will reference other companies, such as by requesting a controller to provide personal data held by it and/or by other WPP companies, or by asking a controller to identify other WPP companies who hold personal data about the data subject. As a general rule, a controller receiving a Data Subject Request is not required to comply with these requests. Note, however, that a controller does have certain obligations to notify third parties to whom it has disclosed personal data of any erasure, rectification or restriction, and to identify other WPP companies from whom it has obtained, or to whom it has disclosed, personal data.

11.6 Some data subject rights are qualified

Some rights under GDPR apply only in certain circumstances. For example, the right to erasure is not a general right for a data subject to have all of his/her personal data deleted – it applies only in certain specific circumstances and is subject to certain exemptions.

11.7 On what legal basis is the personal data being processed?

Some rights under GDPR apply only when personal data is being processed on the basis of specific grounds under Article 6 of GDPR (for example, the right to data portability applies when personal data is processed on the basis of consent or contractual necessity, but not when it is processed on other grounds such as legitimate interests).

See ‘Principle 1 – Lawfulness, Fairness and Transparency’ under ‘What are the principles relating to data processing under GDPR?’ in the WPP GDPR Toolkit for further information on the grounds for processing personal data under Article 6 of GDPR. Visit the Safer Data page on Inside WPP to view the Toolkit.

However, some rights – such as the right of access – apply irrespective of the basis on which the personal data is processed.

Section 11.15 sets out the data subject rights under Chapter III of GDPR and the legal bases for processing that trigger their application.

Section 11.16 sets out further details of the circumstances in which the data subject rights apply and exemptions under GDPR.

11.8 Data relating to other people

GDPR makes clear that the right of access must not adversely affect the rights and freedoms of others.

In general, information about other individuals should not be provided in response to a subject access request if those individuals could be identified from the information and if it would be unreasonable to provide that information to the data subject. If it is possible to anonymise the information by removing names or other ‘obvious’ identifiers then that should be done before any information is provided to the data subject. However, the individual’s identity may be obvious (even if only to the data subject making the request) even with these identifiers removed, and in these cases the information should not be provided at all.

It is important to distinguish this from exemptions (see below). To the extent that an exemption applies, a WPP company does not have to comply with the request (although it will usually choose to rely on the exemption). To the extent that personal data relates to other people and it would be unreasonable to provide it, a WPP company must not provide that information in response to a request – to do so is likely to contravene the company’s obligations under GDPR.

Example: An employee (A) makes a request for a copy of his personnel file. The file includes a complaint by another employee (B) that he heard A boasting about making false expense claims to a group of co-workers in the staff canteen.

In these circumstances, it would be reasonable to remove B’s name from the information provided to A.


Example: An employee (A) makes a request for a copy of his personnel file. The file includes a confidential complaint by a client (B) about A’s conduct, in which a number of specific instances of alleged misconduct are raised. Those allegations relate to A’s conduct in dealing with B.

In these circumstances, it would be reasonable to remove details of the complaint from the information provided to A since, even with B’s name removed, A would be able to tell that the complaint was made by B, and B made the complaint with a reasonable expectation that it would be kept confidential and not disclosed to A.

11.9 Excessive Requests

GDPR provides that a company does not need to respond to Data Subject Requests if they are “manifestly unfounded or excessive, in particular because of their repetitive character”.

This should generally be reserved for repeated requests in which the data subject is making successive requests for the same or similar information, or in which it appears that the data subject is merely seeking to harass the WPP company with numerous requests. It cannot be relied upon merely because a single request is expressed in broad terms (a data subject is entitled to ask a controller to provide a copy of all personal data held by the controller), or because it appears that the data subject’s motive is to obtain information that may be helpful in actual or potential litigation.

11.10 Member State Exemptions

GDPR permits Member States to add further exemptions in their national law. For example, the UK legislation will exempt various kinds of information from the right of access, including information subject to legal professional privilege, confidential employment references and information about the company’s intentions in negotiations with the data subject (if providing that information would prejudice those negotiations).

Note: These exemptions vary between Member States, and so for any non-routine requests it is important to check whether any exemptions apply in national law before responding to a Data Subject Request.

11.11 Verifying the Data Subject’s Identity

It is critical that a WPP company verifies the identity of the individual making a Data Subject Request. This is important for all Data Subject Requests, but particularly so with subject access and portability, which could, without the proper identity checks, result in personal data being disclosed to the wrong person.

WPP companies need to strike the right balance between properly verifying the individual’s identity and appearing unreasonable or obstructive. For example, if a current or former employee makes a request using a postal or email address that the company knows to be the employee’s, it would not be reasonable to request proof of address from the individual. However, when there is any doubt about the identity of the person making a request, or if the person making a request uses details that the company does not recognise (for example, a new address), the company should request a copy of an identity document bearing the data subject’s signature and address (such as a driver’s licence).

Requests are sometimes made by third parties on behalf of a data subject – such as a firm of solicitors. Requests from solicitors are likely to indicate that information is being sought in connection with legal proceedings, and should be referred to WPP Legal. In any case, the WPP company should request a signed authorisation from the data subject, together with a copy of an identity document bearing the data subject’s signature and address (such as a driver’s licence).


11.12 Dealing with Requests by Online IDs

More complicated issues may arise where an individual makes a request by reference to an online identifier (such as a cookie ID that the individual has found in his/her browser’s storage). GDPR makes clear that personal data includes information about an individual who can be identified using an “online identifier”, so information associated with a unique cookie ID is in principle personal data. However, it may be difficult or impossible for a WPP company to verify that the person making a request is in fact the person to whom the cookie ID (and any associated data) relates, because the company will probably not recognise the other identifying information supplied by that person (such as a name or email address). This means that there is a risk that the WPP company will inadvertently disclose information relating to another person.

WPP companies need to take a fact-sensitive approach, taking into account both the level of confidence that the request is genuine and any potential harm that might result from wrongful disclosure. In general, if the company is satisfied that it has verified the identity of the individual making the request, it would be reasonable to provide general information associated with the identifier (e.g. broad demographic segments to which the identifier has been allocated), but not highly detailed information (such as details of specific websites visited).

WPP companies should not automatically refuse to respond to requests made by reference to an online identifier if they are satisfied about the identity of the person making the request; an automatic refusal is likely to be a contravention of the individual’s rights under GDPR. Companies should also be mindful of the possibility of a regulatory complaint if they unreasonably refuse to comply with a request. However, the threat of a complaint should never result in a company releasing information if it is not satisfied about the identity of the person making the request.

In all cases when dealing with a request made by reference to an online identifier, the WPP company should ensure that the person making the request has completed a declaration in the form set out in section 11.17 ‘Form of Data Subject Request Declaration’. Whilst a company cannot normally require a Data Subject Request to be made in a particular form, a company is entitled to demand reasonable evidence as to the identity of the person making the request.

11.13 How long do we have to respond?

The normal requirement is to respond to a Data Subject Request without undue delay and within one month from the date of receipt of the request. (This is shorter than the period provided in some EU Member States’ national laws prior to GDPR.) Don’t forget the requirement to respond “without undue delay” – supervisory authorities will very rarely take action if a response is sent within the one-month deadline, but WPP companies should aim to respond promptly rather than on the last day of the one-month period.

For complex or large-scale requests the period can be extended by up to two further months. This should be reserved for exceptional cases only, and not relied on routinely. WPP companies should expect to be challenged by supervisory authorities where they have extended the time period, and be prepared to justify the extension. Companies must also inform the data subject within the initial one-month deadline if they intend to extend the period for a response, and must explain the reasons for the extension.

11.14 Can we charge a fee?

Some national data protection laws prior to GDPR allowed data controllers to charge a fee for responding to a data subject access request. Under GDPR, a WPP company cannot normally charge a fee for complying with a Data Subject Request.

There are some exceptions:


a) If a data subject makes a data subject access request and requests additional copies of his/her personal data, the WPP company can charge a reasonable fee for providing those additional copies. The additional fee must be based on the company’s own administrative costs.

b) If a data subject makes excessive requests – for example, if the requests are repetitive – the WPP company can charge a reasonable fee for dealing with those requests. Again, the fee must be based on the company’s own administrative costs. However, GDPR also permits a company to refuse to act on a request that is excessive, and that will normally be the preferred course of action.


11.15 Data Subject Rights – which legal grounds?

Art 15 – Access
Legal grounds: All

Art 16 – Rectification
Legal grounds: All

Art 17 – Erasure
Legal grounds: All – but see notes.
Notes:
• One of the grounds (that the data subject has withdrawn consent) applies only if the data is processed on the basis of consent.
• One of the grounds (that the data subject has objected under Art 21(1)) applies only if the data is processed on the basis of public interest or legitimate interests.

Art 18 – Restriction
Legal grounds: All, but see note.
Note: One of the grounds (that the data subject has objected under Art 21(1)) applies only if the data is processed on the basis of public interest or legitimate interests.

Art 20 – Portability
Legal grounds: Only if processing on the basis of consent or contractual necessity.

Art 21 – Objection
• To processing for direct marketing purposes (Art 21(2)) – Legal grounds: All
• To processing for research purposes (Art 21(6)) – Legal grounds: All
• Other cases (Art 21(1)) – Legal grounds: Only if processing on the basis of public interest or legitimate interests

Art 22 – Automated decision making
Legal grounds: All, but see note.
Note: The restriction in Art 22(1) does not apply if the automated decision is necessary for entering into a contract with the data subject, or necessary for performance of a contract with the data subject, or if it is based on the data subject’s explicit consent.


11.16 When do the Data Subject’s Rights apply?

Note: The exemptions listed below are those in GDPR. GDPR permits Member States to add further exemptions in their national law. It is important to check whether any additional exemptions apply before responding to any non-routine Data Subject Request.

Art 15 – Access
When/how does it apply? The data subject is entitled to a copy of his/her personal data, and also to an explanation of:
• The purposes of the processing
• The categories of personal data processed
• The recipients (or categories of recipients) to whom the personal data has been or will be disclosed
• The applicable retention period (or, where that is not possible, the criteria by which the retention period is determined)
• The data subject’s rights to request rectification, erasure or restriction, and the right to object to processing
• The right to complain to a supervisory authority
• Any available information about the source of the personal data (where the data was not collected directly from the data subject)
• Information about any automated decision-making that has legal effects on the data subject or significantly affects him/her in a similar way, or that is based on processing special categories of personal data
• Where the personal data is transferred to a country outside the EEA, details of the safeguards adopted (e.g. model clauses)
Data must be provided in a commonly-used electronic form, if the request was made electronically.
Legal grounds: All
Exemptions in GDPR:
• Data relating to other people should not be provided where it would adversely affect them.
• A WPP company does not need to provide information to the extent that would compromise the company’s or a third party’s trade secrets or intellectual property (including rights in software used to process personal data).

Art 16 – Rectification
When/how does it apply? The data subject is entitled to have inaccurate personal data rectified, and to have personal data that is incomplete completed.
Legal grounds: All
Exemptions in GDPR: The right to have incomplete data completed “[takes] into account the purposes of the processing”.

Art 17 – Erasure
When/how does it apply? The data subject is entitled to require that his/her personal data be erased if:
• The personal data is no longer necessary for purposes for which it was collected or is processed
• The data subject withdraws consent and there is no other legal ground for processing
• The data subject objects under Art 21(1) and there are no overriding legitimate grounds for processing
• The data subject objects to direct marketing under Art 21(2)
• The personal data has been unlawfully processed
• The personal data has to be erased for compliance with a legal obligation under EU/Member State law
• The personal data was collected from a child through an information society service (e.g. a social network)
Legal grounds: All, but see table in 11.16
Exemptions in GDPR:
• Processing is necessary for exercise of right of freedom of expression
• Processing is necessary for compliance with EU/Member State law
• Processing is necessary for reasons of public health
• Processing is necessary for archiving in the public interest, scientific or historical research purposes or statistical purposes, to the extent that erasure would render those purposes impossible or seriously impair them
• Processing is necessary for establishment, exercise or defence of legal claims

Art 18 – Restriction
When/how does it apply? The data subject is entitled to require that the processing of his/her personal data be restricted if:
• The data subject contests the accuracy of his/her personal data – this applies only while the controller verifies the accuracy of the data
• The processing is unlawful and the data subject requests restriction rather than erasure
• The controller no longer needs the personal data, except for establishment, exercise or defence of legal claims – in this case, the continued processing is limited to these purposes and strictly limited additional purposes
• The data subject has objected to processing under Art 21(1) – this applies only while the controller determines whether it has overriding grounds for continuing the processing
Legal grounds: All, but see table in 11.16
Exemptions in GDPR: none listed

Art 20 – Portability
When/how does it apply? The right applies only to personal data “provided to” the controller by the data subject. Note that the A29WP has taken a broad view of this, to include data generated by and collected from the activity of users (e.g. search history or location data). The data has to be provided to the data subject in a structured, commonly-used and machine-readable format (e.g. CSV). Where feasible, the data subject has the right to ask for his/her personal data to be transmitted directly to another controller.
Legal grounds: Only if processing on the basis of consent or contractual necessity
Exemptions in GDPR: Data relating to other people should not be provided where it would adversely affect them.

Art 21 – Objection – direct marketing
When/how does it apply? The data subject has an absolute right to object to his/her personal data being processed for direct marketing purposes.
Legal grounds: All
Exemptions in GDPR: none listed

Art 21 – Objection – research purposes
When/how does it apply? The data subject can object where his/her personal data is processed for scientific or historical research purposes or statistical purposes, “based on grounds relating to the [data subject’s] particular situation” – this means that the data subject may have to justify why his/her situation justifies the objection.
Legal grounds: All
Exemptions in GDPR: The right does not apply if the processing is necessary for performance of a task carried out for reasons of public interest.

Art 21 – Objection – other
When/how does it apply? The data subject can object to the processing of his/her personal data “based on grounds relating to the [data subject’s] particular situation” – this means that the data subject may have to justify why his/her situation justifies the objection.
Legal grounds: Only if processing on the basis of public interest or legitimate interests
Exemptions in GDPR: The right does not apply if the controller demonstrates compelling legitimate grounds that override the data subject’s interests, or if the processing is necessary for establishment, exercise or defence of legal claims.
Note: The data subject can ask for processing to be restricted while the controller’s compelling legitimate grounds for continuing processing are verified.

Art 22 – Automated decision making
When/how does it apply? The data subject has the right not to be subject to a decision taken solely by automated means and that produces legal effects in relation to the data subject or significantly affects him/her in a similar way.
Legal grounds: All, but see table in 11.16
Exemptions in GDPR:
• The decision is necessary for entering into, or performance of, a contract with the data subject
• The decision is based on the data subject’s explicit consent
• The decision is authorised by EU or Member State law


11.17 Form of Data Subject Request Declaration

To (insert full company name): ……………………………………………………..

I hereby confirm that:

1. I am, and have at all times been, the lawful owner and the sole user of the computer or other device on which the following cookies are stored.

2. To the best of my knowledge, the following cookies relate only to me and not to any other person.

The cookies are:

[LIST COOKIES]

I understand that seeking to obtain data relating to another person without that person’s consent is unlawful and may be a criminal offence.

I enclose certified copies (not photocopies) of (1) a photographic identification document (such as a passport or driver’s licence) and (2) a proof of address dated within the past three months.

Name: ………………………………………………………………………….

Telephone: ………………………………………………………………………….

Email address: ………………………………………………………………………….

Postal address: ………………………………………………………………………….

………………………………………………………………………….

………………………………………………………………………….

Signed:

Date:


12 CONTACTS FOR THE WPP PRIVACY CHARTER

WPP Group Chief Counsel & Head of Sustainability [email protected]

WPP General Counsel, Commercial & Chief Privacy Officer [email protected]

WPP Group Chief Counsel for the Americas [email protected]

WPP CIO [email protected]

WPP CISO [email protected]

WPP Director of Internal Audit [email protected]

WPP Risk Officer (Insurance) [email protected]

WPP Data Protection Officer [email protected]


13 VERSION CONTROL TABLE

Version 0.1 (May 2018): Initial draft

Version 0.2 (August 2018): Revised following review feedback of draft

Version 0.3 (September 2018): Revised following addition of Social Media policy and reissued for review

Version 0.4 (September 2018): Revised following review feedback of draft

Version 1.0 (October 2018): Version launched

Version 1.1 (March 2019): Revised following internal review and feedback

Version 2.0 (June 2020): Version created to include AI and Ethics Statements, section on Secure Software Development, revisions to the Subject Rights Policy to reflect CCPA, changes to the Acceptable Use Policy and other minor and formatting changes