Ensuring GDPR readiness
The General Data Protection Regulation (GDPR) takes effect from 25 May 2018 and signals a new era for data protection. As a Fair Data accredited organisation we already operate
according to most of the GDPR requirements, and have undertaken an information audit to establish the remaining steps needed to achieve full compliance.
Steps identified by our GDPR information audit
As a result of our information audit we have identified the following measures, which we are now taking to achieve full compliance:
Updated company policies will be available from 25 May 2018.
We are designing a GDPR impact assessment, to be conducted at the start of each research project involving the handling of Personal Data.
This will establish the legal basis for our processing any Personal Data, and will identify the areas of greatest risk and how to mitigate against these,
following the principles of ‘privacy by design and default’
We are creating a mechanism to track and record Personal Data flows on each project, to ensure its secure transmission and storage;
and to ensure data anonymisation (or pseudonymisation) as early as possible in the project timeline
Our online privacy notices are being updated to ensure we can provide respondents with the information required to achieve informed consent in a concise, transparent,
intelligible and easily accessible way, and that this consent is documented consistently
Our contracts and service level agreements with clients and suppliers will be updated to include:
- Mandatory GDPR clauses, including text on joint liability for Personal Data security
- Agreement between data controllers and processors as to all Personal Data flows
- Agreement as to the uses to which Personal Data (e.g. videos of focus groups) may be put
- Where customer databases are to be provided by a client for research without explicit customer consent, confirmation that the client’s privacy notice includes research activities as a legitimate interest
- Our policies regarding subject access requests, the right to be forgotten and data breaches will be updated to ensure compliance with the new timescales stipulated in the GDPR
- Internal training will be updated and delivered before going live, to ensure that all staff are clear as to their responsibilities under the new requirements