Flamingo GDPR statement


The General Data Protection Regulation (GDPR) is coming into force on May 25 2018 and Flamingo has been reviewing and addressing the new requirements for over six months.  

Working with the ICO guidance, Market Research Society (MRS) industry steer and our own team (including a qualified GDPR practitioner), we are confident that we will be ready well before the May deadline. Below, we outline how we are affected by GDPR and the steps we have taken to be compliant.

Flamingo are Data Controllers:

Under the GDPR definitions, when we conduct research we usually act not just as Data Processors but as Joint Data Controllers (with the client). This is because we jointly determine the purposes and manner in which the data is used, we use our expertise to consult with clients on methodology and reporting techniques, and we add insight to findings rather than purely conducting a predetermined survey with data only as a response.

For our latest progress against GDPR, please see the following, based on the ICO’s 12 steps to readiness:

1. Awareness. We have a GDPR team, headed by our Managing Director, and made up of a multidisciplinary team covering all aspects of requirements. 

2. Information held. We have conducted an information and data processing audit. Part of this work is reviewing current pseudonymisation and encryption policies and destruction and deletion protocols.

3. Communicating privacy information. Respondent privacy policies have been reviewed in light of GDPR changes. These will be added to our website and linked to our various means of asking for respondents' opinions.

4. Individuals' Rights. We are drafting a Subject Access Request (SAR) policy, and this will have new Rights of Data Subjects, including rectification, erasure, restriction and data portability, wherever these are applicable.

5. Data Subject Access Requests (DSAR). As above, this policy is to be updated.  

6. Legal basis for processing personal data.  For survey data, our legal basis is consent.  We always introduce surveys with transparent intentions on data collection.  We have also updated our Privacy policy as above.

7. Consent. We are following industry standards on giving sufficient information to our interviewees before they consent to interview. On online platforms, these are affirmative tick boxes to terms with links to the privacy policy: a layered approach of information both before and after survey. These methodologies are already in place or will be in place before the May deadline.

8. Children. We follow ICO guidelines for researching children. 

9. Data breaches. We are creating a Data Privacy Policy which will include a Security Incident Response Process to account for data breach reporting within stipulated timescales to the ICO.

10. Data Protection Impact Assessments.  We have reviewed the need for producing Data Protection Impact Assessments, but currently do not feel this is required.  However, this process is in action now and will continue for any future new processes or products. 

11. Data Protection Officer. As we process large amounts of data, we have identified the need for a DPO, and we have subcontracted the role to an experienced data protection practitioner.  

12. International. The ICO will be our lead supervisory authority. We work with our international regions and, although rare, where we have data transfers outside the EEA, we are looking at due diligence and ensuring we have adequacy arrangements. Respondents are informed of this in consent statements and privacy policy.

Questions? Email us: enquiries@flamingogroup.com

Ben Burton