The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and applies to all businesses that use personal data.
As a research business we are often required to handle personally identifiable data, whether in the handling and processing of customer lists from our clients, in the recruitment of research participants for qualitative and quantitative research projects, or for the purposes of our own business development activities. As such, The Buzzz is committed to GDPR compliance, and the following gives an overview of the steps we are taking to ensure compliance.
Personal Data Audit
We’ve undergone a personal data audit to understand what personal data we hold and how we use it in our business. We’ve documented what personal data we hold, where it came from and who we share it with. We have also documented the different situations in which we might collate, store or process personal data in the future.
Consent under the GDPR must be freely given, specific, informed and unambiguous. There must be a positive opt-in; that is, consent cannot be inferred from silence, pre-ticked boxes or inactivity. In addition, an individual must be able to withdraw their consent easily.
We are updating our research participant recruitment screeners and questions to ensure that new consents will satisfy the requirements of GDPR.
We’ve updated our Data Retention Policies and Procedures to ensure any data we hold is not retained for longer than necessary and we are updating our Personal Data and Privacy Policies to reflect this.
Data Protection Officer
Given the size of the business and the scale of personal data processing carried out by The Buzzz, we do not require a Data Protection Officer, although responsibilities for GDPR compliance are assigned to a designated person.
Current members of the business are aware of the company’s responsibilities under GDPR.
We are aware of our responsibilities to report data breaches to the Information Commissioner, to any people whose personal data we suspect has been breached and, where applicable, to any other data controllers affected, and to investigate these breaches immediately.