Kudos Research has a comprehensive Personal Identifiable Data Policy in place that ensures the confidentiality of Personal Data is maintained and the highest standards of security are upheld.
Our projects are conducted in accordance with the Data Protection Act 1998, the Market Research Society (MRS) Code of Conduct and ISO 20252, the international standard for market research.
As an MRS Company Partner we hold Fair Data™ accreditation. This is the only mark that allows companies to show best practice in data protection. We collect, store and manage Personal Data in an unbiased and secure way. We only use it for purposes that we have informed subjects about and sought consent for.
Ensuring GDPR readiness
The General Data Protection Regulation (GDPR), taking effect from 25th May 2018, signals a new era for data protection. The aim of this law is to ensure that all personal data relating to living individuals in the EU (including, at the time of writing, the UK) is protected, and that the companies who work with such data are held accountable for its protection. As a Fair Data accredited organisation we already operate according to most of the GDPR requirements, and have undertaken an information audit to establish the remaining steps needed to achieve full compliance.
Responsibility for achieving compliance rests with the Data Protection Officer (Andy Dallas), supported by the Corporate Information Security Officer (Mark Haines). Approval of the revised Personal Identifiable Data Policy is vested with Managing Director, Chris Smith, and Head of Quality Assurance, Ann-Marie Greensmith.
Steps identified by our GDPR information audit
As a result of our data audits we identified the following measures, which we are now taking to achieve full compliance:
- We have reviewed all existing data policies and procedures to make sure they adhere to new legislation and uphold the highest standards of privacy and protection of personal rights
- We have audited all personal data that we hold and created information asset registers
- We have designed a risk assessment tool, which will be used to identify the level of risk in relation to GDPR compliance at the start of each research project involving the handling of Personal Data. This will establish the legal basis for our processing of any Personal Data, and will identify the areas of greatest risk and how to mitigate them, following the principles of ‘privacy by design and default’
- We are creating a mechanism to track and record Personal Data flows on each project, to ensure its secure transmission and storage; and to ensure data anonymisation (or pseudonymisation) as early as possible in the project timeline
- Our respondent recruitment materials and online privacy notices are being updated to ensure we can provide respondents with the information required to achieve informed consent in a concise, transparent, intelligible and easily accessible way, and that this consent is documented consistently
- Our contracts and service level agreements with clients and suppliers are being updated to include:
  - Mandatory GDPR clauses, including text on joint liability for Personal Data security
  - Agreement between data controllers and processors as to all Personal Data flows
  - Agreement as to the uses to which Personal Data may be put
  - Confirmation that the client’s privacy notice includes research activities as a legitimate interest (where customer databases are to be provided by a client for research without explicit customer consent)
- Our policies regarding subject access requests, the right to be forgotten and data breaches are being updated to ensure compliance with the new timescales stipulated in the GDPR
- We have reviewed our existing processes that cover data breach reporting and made necessary adjustments to accommodate GDPR regulations
- We have implemented the necessary Data Protection Impact Assessments for projects that may involve high risk processing as covered under GDPR
- Internal training is being updated and delivered before the regulation takes effect, to complement staff’s existing training on data protection and ensure that all staff are clear as to their responsibilities under the new requirements
We do not currently process personal data outside of the EU, but we will continue to monitor guidance as to the impact of Brexit upon the legislative framework in the UK.
We are confident that our knowledge and preparation should ensure there is no disruption to our day-to-day delivery of work.
If you have any questions or concerns relating to our GDPR preparations please contact one of our team.