Kudos Research has a comprehensive Personal Identifiable Data Policy in place that ensures the confidentiality of Personal Data is maintained and the highest standards of security are upheld. Our projects are conducted in accordance with the Data Protection Act 1998, the Market Research Society (MRS) Code of Conduct and ISO20252, the international standard for Market Research.
As an MRS Company Partner we hold Fair Data™ accreditation. This is the only mark that allows companies to show best practice in data protection. We collect, store and manage Personal Data in an unbiased and secure way. We only use it for purposes that we have informed subjects about and sought consent for.
Ensuring GDPR readiness
The General Data Protection Regulation (GDPR) takes effect from 25 May 2018 and signals a new era for data protection. As a Fair Data accredited organisation we already operate according to most of the GDPR requirements, and have undertaken an information audit to establish the remaining steps needed to achieve full compliance.
Alongside our sister companies in the Cello Group plc, we expect these changes to go live during March 2018, two months before the GDPR becomes a legal requirement.
Steps identified by our GDPR information audit
As a result of our information audit we have identified the following measures, which we are now taking to achieve full compliance:
- We are designing a GDPR impact assessment, to be conducted at the start of each research project involving the handling of Personal Data. This will establish the legal basis for our processing of any Personal Data, and will identify the areas of greatest risk and how to mitigate them, following the principles of ‘privacy by design and default’
- We are creating a mechanism to track and record Personal Data flows on each project, to ensure its secure transmission and storage, and to ensure data anonymisation (or pseudonymisation) as early as possible in the project timeline
- Our respondent recruitment materials and online privacy notices are being updated to ensure we can provide respondents with the information required to achieve informed consent in a concise, transparent, intelligible and easily accessible way, and that this consent is documented consistently
- Our contracts and service level agreements with clients and suppliers will be updated to include:
  - Mandatory GDPR clauses, including text on joint liability for Personal Data security
  - Agreement between data controllers and processors as to all Personal Data flows
  - Agreement as to the uses to which Personal Data (e.g. videos of focus groups) may be put
  - Where customer databases are to be provided by a client for research without explicit customer consent, confirmation that the client’s privacy notice includes research activities as a legitimate interest
- Our policies regarding subject access requests, the right to be forgotten and data breaches will be updated to ensure compliance with the new timescales stipulated in the GDPR
- We do not currently process personal data outside of the EU, but we will continue to monitor guidance as to the impact of Brexit upon the legislative framework in the UK
- Internal training will be updated and delivered before going live, to ensure that all staff are clear as to their responsibilities under the new requirements
Updated company policies will be available from May 2018.