This policy sets out how Enventure Research protects and handles data, in line with the General Data Protection Regulation (GDPR).
Enventure Research collects personal information from people through market research work on behalf of its clients. This information must be handled and dealt with properly, however it is collected, recorded and used, and whether it be on paper, in computer records or recorded by any other means.
Enventure Research has always regarded, and will continue to regard, the lawful and correct treatment of personal information as very important to its successful operations and to maintaining the confidence of its clients and of those taking part in its research.
Enventure Research is committed to working within stringent processes when managing personal data and is bound by several procedures and measures. This is evident in our ISO 9001:2008 Quality Management System certification, under which we have procedures in place for collecting, handling, storing and disposing of personal data. We also work to the Market Research Society’s Code of Conduct and are registered as a Data Controller (registration number Z9605417).
General Data Protection Regulation
The GDPR protects personal data, which is any information relating to an identifiable person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier.
Sensitive personal data comprises the special categories of personal data, i.e. racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person’s sex life or sexual orientation.
GDPR applies to ‘controllers’ and ‘processors’ who access and process personal data belonging to data subjects (i.e. consumers, customers, respondents, individuals).
We (Enventure Research) can be a data controller, joint data controller and/or processor of data depending on each of the project requirements we undertake.
Depending on the specific requirements of the project and how it has been set up, the controller may be Enventure’s client. In this instance, the client is responsible for ensuring compliance with GDPR.
The GDPR has six principles that must be adhered to.
Lawfulness, fairness and transparency – Data must be processed lawfully, fairly and in a transparent manner in relation to individuals.
Purpose limitation – Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
Data minimisation – Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy – Data must be accurate and where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Storage limitation – Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest or for scientific or historical research purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
Integrity and confidentiality – Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Storing and deleting data
We will ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure and in particular will ensure that:
- Paper files and other records or documents containing personal/sensitive data are kept in a secure, lockable environment
- No personal data will be left on desks unattended
- Personal data held on computers and computer systems is protected by the use of secure passwords, which where possible are subject to forced periodic changes
- Individual passwords will be created so they are not easily compromised
- All electronic data is held on servers situated in the UK
Retention period of data
All data stored at Enventure Research is in line with our Data Retention Policy.
Any personal data collected during research projects is disposed of within three months from the end of the research project, unless a different timescale is required by the client.
Any personal data collected for employment or sub-contractor purposes is retained for seven years for legal reasons. This includes personal data collected on paper or electronically.
Paper copies containing personal data are destroyed using a confidential waste shredding service, and electronic information is deleted from the server.
The destruction of personal data (electronic and paper) is recorded.
Action following a data breach
As a research agency that handles personal data in a responsible manner, we are confident that personal data will be managed in line with GDPR. If, however, we discover there has been a data breach, we will notify the ICO immediately in line with the regulations and will work with the ICO to agree a breach management plan, which will include:
Containment and recovery – our response to the incident will include a recovery plan and, where necessary, procedures for damage limitation.
Assessing the risks – we will assess any risks associated with the breach.
Notification of breaches – we will inform those who need to know about the breach, such as the individuals concerned, the ICO, other regulatory bodies and other third parties such as the police and banks.
Evaluation and response – we will investigate the causes of the breach and if necessary, update policies and procedures accordingly.
Data sharing agreements with sub-contractors and clients
Where we receive personal data from, or provide personal data to, a sub-contractor or client, we will have a data sharing agreement in place.
As all data collected is based on consent, our protocols are designed to be fair, clear and unambiguous. We aim to ensure all individuals are provided with sufficient clear information at the outset and that consent is maintained throughout the process.
Any individual approached is provided with background information on the research programme and on what they are being asked to take part in. We are clear that the information we are collecting is for market research purposes only and that any data collected is combined with other individuals’ data. At no point do we share an individual’s data with the client or any other third party, unless the individual provides consent for us to do so. All participants are informed of the purpose of the processing, the type of data collected and their right to withdraw consent.
Explicit consent is required for high risk processing activities in relation to any sensitive data collection. We will ensure all participants are fully informed and they grant explicit consent to what data is collected, why it is being collected, how long it will be stored and when/how it will be removed/destroyed. All consent will be clearly documented.
Responding to subject access requests
Individuals have the right to access their personal data and supplementary information. Right of access allows individuals to be aware of and verify the lawfulness of the processing. They have the right to obtain: confirmation that their data is being processed, access to their personal data, and other supplementary information – this largely corresponds to the information that should be provided in a privacy notice.
Individuals have the right to have their personal information rectified if they believe it is incorrect. Personal data can be rectified if it is inaccurate or incomplete. Any requests from individuals must be responded to within one month (this can be extended to two months if it is a complex request).
Individuals have the right to have personal data erased. When the individual withdraws consent or objects to the processing and there is no overriding legitimate interest for continuing the processing, we will erase their data. We will inform the individual that this has been completed.
When we receive data which contains personal data, we de-identify it as soon as practically possible, so that an individual’s responses cannot be linked to the individual. Demographic data will, however, be retained for the purposes of analysis.
Use of privacy notices in surveys
In all surveys that we manage, we will include a privacy notice that explains what the information being collected will be used for and how it will be managed and deleted.
Keeping up to date with ICO guidance
We will keep up to date with new guidance and regulations by receiving up-to-date information directly from the ICO via its monthly newsletters. Any changes in the regulations will be adopted as required.
If you have any questions, please call our Survey Helpline on 0800 0092 117