The General Data Protection Regulation issued by the European Union (“GDPR”), effective 25 May 2018, is a further step in the protection of the privacy rights of individuals, including tighter restrictions around consent, the right to be forgotten, and the type and amount of personal data that can be utilized.
The protection of personal data is an important priority for Knowvanta. Knowvanta aims to comply with all GDPR regulations, and has updated our services and documentation to achieve GDPR compliance by 25 May 2018; we will continue to monitor GDPR and update as the new laws come into effect.
An important aspect of GDPR is how the data is collected and used, specifically increasing transparency of what the data is used for, why it is collected, and also ensuring it is deleted once it has been used for its intended purpose.
Knowvanta continuously investigates ways to provide better transparency to our clients and customers. Working closely alongside our partners, we have reviewed our supplier contracts to ensure GDPR regulations are met throughout our network. Employees must review data privacy and security policies with GDPR-specific content to ensure all data is stored securely, with the relevant retention policy.
Knowvanta generally will act as a data controller along with our clients, and our partners as data processors. Knowvanta is compliant with the guidance and requirements of the professional code of conduct applicable to all registered market research companies (ICC/ESOMAR International Code on Market, Opinion and Social Research and Data Analytics) and all current existing local regulations, especially as far as the protection of respondents’ data is concerned.
Specifically, Knowvanta has taken actions to comply with the GDPR, including, but not limited to:
- The nomination of a Data Privacy Officer (DPO). The role of the DPO is to guide and coordinate Knowvanta’s compliance efforts on data protection and privacy, to ensure that personal data is protected and treated appropriately.
- Consent – Data subjects who participate in research with Knowvanta must consent to the processing of their personal data by clearly agreeing, either by a statement or by a positive action. Consent must be given specific to the market research study in question, and repeated for subsequent or additional contacts.
We have in place the ability for data subjects to withdraw consent to processing at any time; withdrawal is honored in a timely fashion.
- Data Accuracy – We work to keep personal information in our possession accurate and complete, based on the most recent information made available to us by you and/or by our client.
- Anonymized data and access security – Under GDPR our panelists and respondents have the right to view data stored about them as a person. We are able to honor such requests.
Anonymizing personal data is already the standard case for good market research practices and data collection. No personal data is handed on to the clients of our market research projects. Any project data shared is at an aggregate level, or anonymously if at an individual level, not containing details connected to an identifiable person. This minimizes risk to us and to our clients, and is in accordance with CASRO and market research ethics.
- Data retention and removal – Personal data will be deleted according to the required deadlines or at the request of specific users. Requests for data deletion can be sent at any time to the contact listed at the end of this document. All requests will be immediately evaluated, and confirmation will be supplied to the requestor after sufficient permission checks have been performed via standard due diligence.
In the case of participants in surveys, or client lists, this is usually the closure of the market research project plus a certain qualifying period (for example, for questions regarding the aggregate report).
- Employee training ensures a high level of data protection awareness and data protection adherence for our employees and partners.
- We ensure a secure environment to protect confidential information through the implementation of security technologies such as network security, data encryption, risk management and access controls. Data encryption has been implemented on employees’ laptops. We encrypt panel details, client lists, as well as databases containing special (sensitive) categories of personal data such as data concerning health and contact information.
- Suppliers and partners verify their ability to comply with requirements of data protection and privacy, including GDPR, as required of them as data processors. This means that suppliers must sign an agreement that appropriate data protection clauses are in place, and no supplier can transfer any personal data outside the EEA unless they agree to appropriate safeguards and obtain customer consent. Additionally, our suppliers cannot subcontract part of the personal data processing services to sub-processors without our prior approval.
- Knowvanta implemented policies and encryption procedures for any data transfers across country borders. Knowvanta ensures that EU Standard Contractual Clauses are in place, ensuring protection of the personal data. We remain committed to protecting the personal data of our customers, clients, respondents and employees.
If you have any questions, requests, or require any further clarification, please contact our Data Privacy Officer, Michael Ricker, firstname.lastname@example.org.