April 2022

On 25 May 2018, the EU put in place the General Data Protection Regulation (GDPR), the most significant new data privacy legislation in more than 20 years.

At Hugo & Cat, the privacy and security of clients, employees and consumers is incredibly important to our business and our reputation, and we are fully committed to helping our agencies and their clients comply with their obligations under the GDPR. That is why we created a robust and comprehensive plan for GDPR compliance across every part of our business.

What is GDPR?

In an increasingly data-driven world, the EU GDPR law was designed to give consumers more control over their data. The GDPR champions individuals’ rights to control how their personal data is used, aligning data privacy laws across all EU countries and replacing previously existing data protection laws across the EU.

The GDPR law, which came into effect on May 25, 2018, impacts 28 countries across the EU, including the United Kingdom. Because it is a regulation, it is directly effective. This means that the GDPR did not have to be adopted into national law through local legislation. The GDPR applies to any businesses processing personal data. Now, anything that is done to or with that personal data—including collecting, deleting, processing, storing, transmitting or using it—is subject to the GDPR.

GDPR Champions Network

Across Hugo & Cat, the company has set up a network of GDPR Champions, GDPR Sponsors and GDPR Project Managers covering all of our agencies. There are more than 200 trained Champions embedded across our agencies in the EU.

The role of our GDPR Champions is to spearhead and coordinate the compliance program at Hugo & Cat agencies on data protection and GDPR matters for our agencies, helping raise awareness of our policies, training and communications.

All Champions receive continuous support and guidance, including updates, FAQs, webinars, workshops and how-to guides. GDPR Champion Forums bring our community of Champions together to share ideas and experiences.

Client-Focused Implementation

We are totally focused on ensuring all our agencies provide GDPR-compliant data processing services to our clients. To achieve this, we have taken a number of steps:

  • Produced a guide for all clients describing the ways that our agencies handle personal data on their behalf to help clients comply with their overarching obligations as data controllers—and assuring them of our understanding of our legal obligations as their data processors.
  • Thoroughly documented our data security practices and IT protocols.
  • Documented the key features of the data processing operations our agencies carry out to keep clients fully informed and aid their compliance with articles 28 and 30 of the GDPR.
  • Created GDPR-compliant Data Processing Agreement templates that are appropriate for different services for use with clients and vendors.
  • Carried out Data Protection Impact Assessments (DPIAs) in key areas of our business.
  • Adapted our established processes for data breach notification to comply with the GDPR.
  • Created a GDPR Vendor Information Pack, which can be found on Interpublic Group’s website.


Extensive Training and Awareness Initiatives

Our robust training and education program is being delivered throughout all our agencies. A GDPR e-learning initiative for all staff was launched in early 2018 to give our people practical guidance on how the GDPR applies to everyday work. Today we have delivered training and refresher training to thousands of employees.

To raise awareness of the GDPR, we also have an extensive communications campaign, which has been rolled out across our EU agencies with commercially friendly and commercially focused language and tips. Regular updates to all staff keep GDPR front of mind, while in-depth specialist training in areas like HR, programmatic media, adtech, and mobile augment these efforts.