The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and applies to all businesses that use personal data.
As a research business we are often required to handle personally identifiable data, whether in the handling and processing of customer lists from our clients, in the recruitment of research participants for qualitative and quantitative research projects, or for the purposes of our own business development activities. As such, The Buzzz is committed to GDPR compliance, and the following gives an overview of the steps we are taking to ensure compliance.
Personal Data Audit
We’ve undergone a personal data audit to understand what personal data we hold and how we use it in our business. We’ve documented what personal data we hold, where it came from and who we share it with. We have also documented the different situations in which we might collate, store or process personal data in the future.
Lawful Basis
We have identified and documented the lawful basis for the personal data that we process or might process in the future and are updating our privacy policy to reflect this.
Consent
Consent under the GDPR must be freely given, specific, informed and unambiguous. There must be a positive opt-in; that is, consent cannot be inferred from silence, pre-ticked boxes or inactivity. In addition, an individual must be able to withdraw their consent easily.
We are updating our research participant recruitment screeners and questions to ensure that new consents will satisfy the requirements of GDPR.
Data Retention
We’ve updated our Data Retention Policies and Procedures to ensure any data we hold is not retained for longer than necessary and we are updating our Personal Data and Privacy Policies to reflect this.
Individual Rights
We understand the requirements under GDPR for individuals to be able to access the personal information we might hold about them, as well as the right to be forgotten, the right to object and the right to data portability. Although The Buzzz’s current business activity does not require us to hold personal information for long periods of time, we are able to facilitate individual requests to access personal data and have updated our privacy policy accordingly.
Data Protection Officer
Given the size of the business and the scale of personal data processing carried out by The Buzzz, we do not require a Data Protection Officer, although responsibility for GDPR compliance is assigned to a designated person.
Training
Current members of the business are aware of the company’s responsibilities under GDPR.
Data Breaches
We are aware of our responsibilities to investigate data breaches immediately and to report them to the Information Commissioner, to any people whose personal data we suspect has been breached and, where applicable, to any other data controllers affected.