Effective from: May 2018
This Policy sets out the obligations of Razor Research Ltd (“we”, “us”, “our”, “the Company”) regarding data protection and the rights of consumers, customers and business contacts (“data subjects”) in respect of their personal data under EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).
The procedures set out in this Policy must be followed at all times by the Company, its employees, agents, contractors, or other parties working on behalf of the Company.
The Data Protection Officer is responsible for ensuring implementation and compliance with the requirements of the GDPR and this Policy. That role is held by Lesley Salem (Tel: 020 3865 1075, Email: Lesley@razorresearch.co.uk). Any questions or concerns about this Policy should be referred in the first instance to the Data Protection Officer.
Our commitment to data protection
Razor Research takes the issues of data protection and information security very seriously. We are committed not only to the letter of the law, but also to the spirit of the law. We place high importance on the correct, lawful and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals we work with.
Razor Research is registered with Information Commissioner’s Office as a data controller (registration reference ZA334522). We abide by the requirements of the GDPR and the Data Protection Act (1998) and by professional codes of conduct established by the Market Research Society (MRS) and by the Association of Qualitative Researchers (AQR).
Data is information which is stored electronically on a computer, telephone, voice recorder or other device, or in the cloud, or in paper-based filing systems.
Data subjects for the purposes of this policy include all living individuals about whom we hold personal data. All data subjects have legal rights in relation to their personal data.
Personal data is data which relates to a living individual who can be identified from that data (or from that data and other information in our possession, or which is likely to come into our possession). Personal data can be factual (such as a name, address, or date of birth) or it can be an opinion (such as a performance appraisal).
Special category data (or sensitive personal data) includes information about the data subject’s racial or ethnic origin; their political opinions; their religious or similar beliefs; trade union membership; their physical or mental health condition; their sexual life; their genetics; their biometrics (if used for ID purposes); the commission or alleged commission by them of any offence; or any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions, usually with the express consent of the data subject.
Data controllers are the people or the organisation which determine the purposes for which, and the manner in which, any personal data is processed.
Data users include employees whose work involved using personal data. Data users have a duty to protect the information they handle by following our data protection and security policies at all times.
Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
The information we collect
Razor Research is a market research agency. We conduct qualitative and quantitative research on behalf of our clients. As part of our business activities, we will collect, store and process personal information about consumers and customers of our clients. This data can be collected directly from data subjects or obtained from third parties.
We conduct qualitative research to explore consumer opinions in detail, in both face-to-face sessions (group and individual) and in online communities and forums. As part of this, we collect personal data during the screening and interviewing processes. Our quantitative survey work involves the sizing and validation of personal level data in large scale surveys, where we collect responses from the general public. This data is aggregated and anonymised, and not attributable to an individual respondent; this type of data therefore does not count as personal data.
Client supplied customer data
We are occasionally required to use client supplied customer data to identify and reach eligible research sample for both qualitative and quantitative research projects. This typically includes customer name and contact details, and occasionally previous purchase behaviours/identified relationship with the client.
Information about our clients
We collect, store and process personal information about our clients, typically in the form of name, job title, email addresses, telephone numbers.
Information about our employees
For our staff, the types of information that we may be required to handle include details of current, past and prospective employees, address and telephone number, and bank account details for payment of salary. This information, which may be held on paper or on computer, is subject to certain safeguards specified in the Data Protection Act 1998 (“the Act”). The Act imposes restrictions on how we may use that information.
Regardless of the source and type of personal data, we will:
Data protection principles
When processing personal data, we comply with the principles set out in the GDPR. According to the GDPR, all personal data must be:
The GDPR sets out the following rights applicable to data subjects:
Keeping you informed
Subject access requests
Any individual whose data is held by Razor Research may make a subject access request (“SAR”) at any time to find out more about the personal data we hold about them, what we are doing with that personal data, and why. All requests must be made in writing to the Data Protection Officer, at Razor Research, 3 Waterhouse Square, 138 Holborn, London, EC1N 2SW. Any member of staff who receives a written request should forward it to the Data Protection Officer immediately.
Responses to SARs will normally be made within one month of receipt, however this may be extended is the SAR is complex and/or numerous requests are made. We will inform the data subject if we need more time to respond to the request.
We do not charge a fee for the handling of SARs. We reserve the right to charge reasonable fees for additional copies of information that have already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.
Rectification of your personal data
Data subjects have the right to require us to rectify any of their personal data that is accurate or incomplete. In such instances, we will rectify the data in question, and inform the data subject of the rectification, within one month of the data subject informing us of the issue. This may be extended in the case of complex requests. We will inform the data subject if we need more time to respond.
If any affected personal data has been disclosed to third parties, they shall be informed of any rectification that must be made.
Erasure of your personal data
Data subjects have the right to have their personal data erased (and to prevent the processing of that personal data) when:
Unless we have reasonable grounds to refuse the request, all requests for erasure will be complied with, and the data subject informed of the erasure, within one month of receipt of the data subject’s request. This may be extended in the case of complex requests. We will inform the data subject if we need more time to respond.
If any personal data that is requested to be erased has been disclosed to third parties, they shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).
Restriction of personal data processing
Data subjects may request that we cease processing the personal data it holds about them. If a data subject makes such a request, we will retain only the amount of personal data concerning that data subject that is necessary to ensure that the personal data in question is not processed further.
If any affected personal data has been disclosed to third parties, they shall be informed of the applicable restrictions (unless it is impossible or would require disproportionate effort to do so).
Objections to personal data processing
Data subjects have the right to object to us processing their personal data based on legitimate interests, direct marketing (including profile), and processing for scientific and/or historical research and statistics purposes.
If a data subject objects to our processing their personal data based on its legitimate interests, we shall cease such processing immediately, unless it can be demonstrated that our legitimate grounds for such processing override the data subject’s interests, rights, and freedoms, or that the processing is necessary for the conduct of legal claims.
Where a data subject objects to our processing of their personal data for direct marketing purposes, we shall cease such processing immediately.
When personal data is no longer required (either upon the expiry of stated data retention periods, or when a data subject exercises their right to have their personal data erased), all reasonable steps will be taken to erase or otherwise dispose of it without delay.
For full details of our approach to data retention, including retention periods for specific types of personal data, please refer to our Data Retention Policy.
We will ensure that all personal data collected, held and processed is kept secure and protected against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Data security – transferring and handling personal data
We ensure the following measures are taken with respect to all communications and other transfers involving personal data:
Data security – storage
We ensure that the following measures are taken with respect to the storage of personal data:
Data security – IT security
We ensure that the following measures are taken with respect to IT and information security:
Data security – disposal
All employees are fully trained and supervised to ensure their compliance with the Policy (i.e. via spot checks). They are reminded to exercise care, caution, and discretion when discussing work-related matters that relate to personal data, whether in the workplace or otherwise. Employees will only have access to, and use of, personal data when required to carry out their assigned duties.
All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be bound to do so in accordance with the principles of the GDPR and this Policy. Where any agent, contractor or other party working on behalf of Razor Research handling personal data fails in their obligations under this Policy that party shall indemnify and hold harmless the Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.
Transferring personal data to a country outside the EEA
From time to time we may transfer (‘transfer’ includes making available remotely) personal data to countries outside of the EEA. If we do transfer data outside the EEA, we will take all reasonable steps to ensure that your data is treated as safely and securely as it would be within the UK under the GDPR. This could include (but is not restricted to) asking for your informed consent or determining that the transfer is to a country (or international organisation), or that the European Commission has determined ensures an adequate level of protection for personal data).
Data protection impact assessments
We will carry out data protection impact assessments for new projects or new uses of personal data that involve the use of new approaches, technologies and/or third-party suppliers, and the processing involved is likely high risk in terms of the rights and freedoms of data subjects under the GDPR. Data protection impact assessments will be overseen by the Data Protection Officer.
Data breach notification
All personal data breaches must be reported immediately to the Data Protection Officer.
If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data Protection Officer will ensure that the Information Commissioner’s Office is informed of the breach within 72 hours after having become aware of it.
In the event that a personal data breach is likely to result in a high risk (that is, a higher risk than that described above) to the rights and freedoms of data subjects, the Data Protection Officer must ensure that all affected data subjects are informed of the breach directly and without undue delay.
Implementation of policy
This policy is effect as of May 2018. No part of this Policy shall have a retroactive effect and shall thus apply only to matters occurring on or after this date.