Flamingo GDPR statement
The General Data Protection Regulation (GDPR) is coming into force on May 25 2018 and Flamingo has been reviewing and addressing the new requirements for over six months.
Working with the ICO guidance, Market Research Society (MRS) industry steer and our own team (including a qualified GDPR practitioner), we are confident that we will be ready well before the May deadline. We have outlined how we are affected by GDPR and the steps we have taken to be compliant below.
Flamingo are Data Controllers:
Under the GDPR definitions, when we conduct research we usually act not just as Data Processors but Joint Data Controllers (with the client) as we jointly determine the purposes and manner in which the data is used, we use our expertise to consult with clients on methodology and reporting techniques, and we add insight to findings rather than purely conducting a predetermined survey with data only as a response.
For our latest progress against GDPR please see the following based on the ICO’s 12 steps to readiness:
1. Awareness. We have a multidisciplinary GDPR team, headed by our Managing Director, covering all aspects of the requirements.
2. Information held. We have conducted an information and data processing audit. Part of this work is reviewing current pseudonymisation and encryption policies and destruction and deletion protocols.
3. Communicating privacy information. Respondent privacy policies have been reviewed in light of GDPR changes. These will be added to our website and linked to our various means of asking for respondents' opinions.
4. Individuals' Rights. We are drafting a Subject Access Request (SAR) policy, and this will cover the new Rights of Data Subjects, including rectification, erasure, restriction and data portability, wherever these are applicable.
5. Data Subject Access Requests (DSAR). As above, this policy is to be updated.
8. Children. We follow ICO guidelines for researching children.
10. Data Protection Impact Assessments. We have reviewed the need for producing Data Protection Impact Assessments, but currently do not feel this is required. However, this process is in action now and will continue for any future new processes or products.
11. Data Protection Officer. As we process large amounts of data, we have identified the need for a DPO, and we have subcontracted the role to an experienced data protection practitioner.
Questions? Email us: firstname.lastname@example.org