The General Data Protection Regulation (GDPR) is European-wide data protection legislation that requires organisations working with individuals based in the European Economic Area to meet certain requirements regarding the collection, processing, security and destruction of personal information.
As we undertake research that collects or evaluates personal information about a living person who can be identified from the information they have provided, we aim to ensure compliance with the General Data Protection Regulation.
This policy sets out how fineline market research and its supplier partners/Associates will seek to ensure compliance with the legislation.
This policy applies to fineline’s dealings with respondents, clients and third parties that may be involved in processing personal information. It covers the way personal information will be obtained, used, shared, physically stored and destroyed.
The General Data Protection Regulation (GDPR) governs the processing (i.e. obtaining, holding, organising, recording, retrieval, use, disclosure, transmission, combination and destruction) of personal and sensitive data (i.e. information relating to a living individual – the data subject) and sets out the rights of individuals whose information is processed in manual or electronic form or held in a structured filing system. There are six principles that describe the legal obligations of organisations that handle personal information about individuals. These Principles are:
in relation to the individual.
The information we gather about an individual will be collected in a way where they are fully informed how we intend to use that information, for what purposes and how we will share it.
We will explain why we need the information we are collecting and not use it other than for those purposes.
We will only collect the information we need to provide the services required.
The information we collect will be accurate and where necessary kept up to date. Inaccurate information will be removed or rectified as we become aware of the changes.
We will not hold information for longer than is necessary.
We will make sure that the personal information we hold is held securely to ensure that it does not become inadvertently available to other organisations or individuals.
fineline market research fully supports these principles.
The General Data Protection Regulation creates specific rights of individuals. These include:
The first and second principles require fineline market research to acquire and process personal information lawfully, fairly and in a transparent way. fineline market research therefore is clear at the outset about the purpose for which information is obtained and processed. Fineline market research aims to ensure that:
Appropriate records will be maintained to demonstrate compliance with the above-mentioned requirements.
Under the Privacy and Electronic Communication Regulations (PECR) there are specific requirements relating to unsolicited direct marketing communications. A solicited communication is one that is actively invited, either directly by the customer or via a third party. An unsolicited communication is one that the customer has not invited but they have indicated that they do not, for the time being, object to receiving it. If challenged, businesses would need to demonstrate that an individual has positively opted in to receiving further information from us.
fineline market research understands that it is unlawful to contact customers or organisations that have informed us that they do not wish to receive unsolicited marketing material. Therefore, fineline market research are aware of and comply with the following:
Market Research C.A.T.I Centre calls – fineline market research ensure that individuals and organisations they wish to contact are not registered on the Telephone Preference Service (TPS) or the Corporate Telephone Preference Service (CTPS) respectively. If they are registered or have directly notified fineline market research or one of our MRS Company Partners, supplier partners or associates not to call, then unsolicited direct market research calls will not be made to them.
Emails and text messages – fineline market research will not contact individuals by email or via text message without obtaining prior consent unless the individual’s details have been obtained in the course of previous contact, in-bound and out-bound. Individuals will be given the opportunity to opt out of receiving further marketing emails or texts each time that such contact is made.
The Mailing Preference Service (MPS) is managed by the Direct Marketing Association and supported by Royal Mail to enable individuals to register their names and addresses to limit the amount of direct mail they receive. Unsolicited marketing material will not be sent by post to individuals that have informed fineline market research they do not wish to receive such information, or they have registered with the MPS.
fineline market research will maintain internal logs of individuals and organisations that have indicated that they do not wish to receive unsolicited marketing information from May 2018 and conduct checks against the TPS, CTPS, FPS, eMPS and MPS databases as appropriate.
When data is purchased from third parties for market research or prospecting purposes, fineline market research ensures that the data has been acquired by the third party through fair and lawful means, the data can be used for the purposes of unsolicited marketing activities and that the data has been cross-checked by the third party against the appropriate preference service databases.
Fairness generally requires us to be transparent, i.e. clear at the outset and open with individuals about why the information is being collected and how it will be used. Assessing whether information is being processed fairly depends partly on how it is obtained. In particular, if anyone is deceived or misled when the information is obtained, then this is unlikely to be fair.
fineline market research aim to ensure that, in all cases, consent and privacy statements will:
∙ be clear, fair and not misleading;
∙ explain the consequences of providing the required information;
∙ explain how long the information will be kept for;
∙ explain if the replies to questions are mandatory or voluntary;
∙ explain if the information is to be anonymised and how;
∙ explain if the information will be transferred overseas;
∙ explain, if the information will be shared, who with and how they will use it;
∙ explain how individuals may be contacted e.g. telephone, email, SMS, post;
∙ explain the individual’s rights – e.g. they can obtain a copy of their personal information;
∙ explain who to contact if they wish to know more information about how their information is held or to opt-out of receiving further information or if they need to complain; and
∙ explain the individuals’ right to complain to the Information Commissioner’s Office.
fineline market research is responsible for ensuring that the following details are communicated to respondents:
Under the principles of GDPR, and our Professional Trade Association Codes of Conduct, such as the MRS, fineline market research identify the minimum amount of personal data we need to properly fulfil our purpose. We ensure that we hold that much information, but nothing further. If we need to hold particular information about certain individuals, we only collect the information for those individuals and nothing more.
fineline market research does not hold personal data on the off-chance that it might be useful in the future. Typically, we also work with end clients and partner suppliers to protect individual-level data by allocating unique survey links; where data must be exchanged, this is done via encrypted FTP transmission, private storage spaces and password-protected files.
fineline market research will:
An individual has the right to see the information that fineline market research holds about them and can make a request to access this information. Requests must be responded to within 30 days of receipt.
In line with the GDPR, fineline market research will request certain information before responding to a request:
In the event of an individual making a subject access request via a third party, fineline market research will request written consent from the individual to confirm that the third party can request and receive information on the individual’s behalf.
An individual who makes a request is entitled to be:
The General Data Protection Regulation includes exemptions, which allow personal information to be disclosed to law enforcement agencies without the consent of the individual who is the subject of the information, and regardless of the purpose for which the information was originally gathered. fineline market research will release personal information to law enforcement agencies if required to do so.
fineline market research has appropriate security measures to prevent personal information held being accidentally or deliberately compromised. In particular, fineline market research:
fineline market research recognise that information security breaches may cause real harm and distress to individuals if their personal information is lost or abused (this is sometimes linked to identity fraud).
fineline market research have procedures in place if we use third parties to process information to ensure that we:
fineline market research requires third parties that it works with to ensure that there are adequate security measures in place to secure the information that is being held.
If personal information is accidentally lost, altered or destroyed, attempts to recover it will be made promptly to prevent any damage or distress to the individuals concerned. In this regard fineline market research consider the following:
∙ containment and recovery – the response to the incident includes a recovery plan and, where necessary, procedures for damage limitation.
∙ assessing the risks – assess any risks and adverse consequences associated with the breach, as these are likely to affect how the breach needs to be contained.
∙ notification of breaches – informing the Information Commissioner’s Office or other relevant Supervising Authority as necessary (within 72 hours), law enforcement agencies, data controllers on whose behalf we are working and individuals (whose personal information is affected) about the security breach is an important part of managing the incident.
∙ evaluation and response – it is important to investigate the causes of the breach, as well as the effectiveness of controls to prevent future occurrence of similar incidents.
∙ Additionally, fineline market research would look to ensure that any weaknesses highlighted by the information breach are rectified as soon as possible to prevent a recurrence of the incident.
To comply with information retention best practice, fineline market research establish standard retention periods for different categories of information, keeping in mind any professional rules or regulatory requirements that apply and ensuring that those retention periods are being applied in practice. Any personal information that is no longer required will either be archived or deleted in a secure manner.
fineline market research’s retention periods for different categories of personal information are based on individual business needs and contractual obligations.
fineline market research understands the difference between permanently deleting a record and archiving it. If a record is archived or stored offline, it will reduce its availability and the risk of misuse or mistake. If it is appropriate to delete a record from a live system, fineline market research will also delete the record from any back-up of the information on that system, unless there are business reasons to retain back-ups or compensating controls in place.
All electronic files are destroyed by deletion and then the use of an electronic file shredder. This ensures that all electronic information is deleted permanently and cannot be recovered.
Once the retention period expires or, if appropriate, the customer or business information is no longer required, paper records are disposed of in a secure manner. All paper records containing customer or business information are disposed of by our in-house shredding equipment. This includes all archived records.
All used computers, printers and any other electronic equipment that may contain or that will have stored customer or corporate information in electronic format must be disposed of in an appropriate manner after the information has been completely wiped off. An external provider will be used to ensure that the memory on the devices is completely clean of information before the item is disposed of.
fineline market research takes its responsibilities with regards to ensuring training is undertaken seriously. We know that having policies and procedures in place provides a solid base for our training program and we aim to undertake training in accordance with the role and seek specialist advice as and when required. All training is documented and reviewed regularly.
fineline market research does not at this time meet the requirements for a dedicated Data Protection Officer, but this is kept under review as the type of work and range of clients/respondents changes. We are committed to meeting the needs of the General Data Protection Regulation and if our business requires a DPO, we will seek to appoint one.
This policy will be reviewed periodically in light of changing business priorities and practices and to take account of any changes in legislation.
Date of this policy update: 03.01.2023.
Newark Beacon, Cafferata Way, Newark NG24 2TN