GDPR COMPLIANCE INFORMATION

1.  Introduction

The purpose of this document is to detail the GDPR (General Data Protection Regulation) laws and principles Face Facts agrees to comply with whilst conducting any research project.

2.  Information

The GDPR protects personal data (which is any form of information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier).

2.1  Personal identifiers, i.e. name, identification number, location data or online identifier.

2.2  Sensitive personal data is based on special categories of personal data, i.e. racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

3.  GDPR Definitions

3.1  GDPR applies to ‘controllers’ and ‘processors’ who access and process personal data (data subjects, i.e. consumer, customer, respondent, individual).

3.2  We (Face Facts) are a controller, joint controller and/or processor of data depending on each of the project requirements we undertake.

3.3  A ‘Controller’ (Client/Agency) determines the purposes and means of processing personal data. As a controller, you/they are obligated to ensure compliance with GDPR.

4.  GDPR Principles

The GDPR principles state that data must be: 

4.1  Processed lawfully, fairly and in a transparent manner in relation to individuals.

4.2  Collected for the specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.

4.3  Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

4.4  Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

4.5  Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes subject to implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.

4.6  Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. 

5.  Rights for Individuals

The GDPR provides the following 8 rights for individuals:

5.1  The right to be informed

5.1.1  The need for transparency over how personal data is used.

5.2  The right of access

5.2.1  Individuals have the right to access their personal data and supplementary information.

5.2.2  Right of access allows individuals to be aware of and verify the lawfulness of the processing.

5.2.3  They have the right to obtain: confirmation that their data is being processed, access to their personal data, and other supplementary information – this largely corresponds to the information that should be provided in a privacy notice.

5.3  The right to rectification

5.3.1  Individuals have the right to have their personal information rectified.

5.3.2  Personal data can be rectified if it is inaccurate or incomplete.

5.3.3  Any requests from individuals must be responded to within one month (this can be extended to 2 months if it is a complex request).

5.4  The right to erase

5.4.1  Individuals have the right to have personal data erased.

5.4.2  Where data is no longer necessary in relation to the purpose for which it was originally collected/processed.

5.4.3  When the individual withdraws consent or objects to the processing and there is no overriding legitimate interest for continuing the processing.

5.4.4  The personal data has to be erased in order to comply with a legal obligation.

5.5  The right to restrict processing

5.5.1  Individuals have the right to ‘block’ or suppress processing of personal data.

5.5.2  When processing is restricted, the personal data can be stored but not further processed.

5.5.3  It is permitted to retain just enough information about the individual to ensure that the restriction is respected in the future.

5.6  The right to data portability

5.6.1  Allows individuals to obtain and reuse their personal data for their own purposes across different services.

5.6.2  Allows them to move, copy or transfer personal data easily from one IT environment to another in a safe & secure way, without hindrance to usability.

5.7  The right to object

5.7.1  Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);

5.7.2  Direct marketing (including profiling) and

5.7.3  Processing for the purposes of scientific/historical research and statistics.

5.8  Rights in relation to automated decision making and profiling

5.8.1  The GDPR has provisions on: automated individual decision-making (making a decision solely by automated means without any human involvement) and profiling (automated processing of personal data to evaluate certain things about an individual).  

6.  ISO:27001

6.1  Our commitment to GDPR ensures that all data collected follows the GDPR principles, which is further supported by our certification to ISO:27001.

6.2  The ISO standard demonstrates good security practices. It ensures adequate and proportionate security controls that protect information in line with rigid regulatory requirements and GDPR.

6.3  Face Facts are subject to regular ISMS reviews and internal audits that establish the controls are working as intended.

7.  FTP

Any data received by Face Facts is provided via our secure FTP (File Transfer Protocol) and then secured in line with ISO27001 on our secure network.

7.1  Instructions are given to each client/supplier on how to upload to the secure FTP.

7.2  Each client/supplier has a secure private log in and can only access data relevant to their project and internal teams.

7.3  The FTP is regularly audited to ensure that any data is only kept for the purpose intended. 

8.  Privacy Notice

8.1  Our compliance with GDPR and any information relating to how we process data is documented in our privacy notice, which is shared on our website.

9.  Research Data Consent

9.1  As all data collected is based on consent, our protocols are to be fair, clear, and unambiguous. We aim to ensure all individuals are provided with sufficient clear information at the outset and ensure consent is granted throughout the process.

9.2  Any individual approached is provided with the background information to the study and what they are being asked to take part in.  We are clear that the information we are collecting is for market research purposes only, that any data collected is aggregated, and that no personally identifiable information is shared or forwarded on to any third party.  All participants are informed of the purpose for processing, the type of data collected and their right to withdraw consent.

9.3  Explicit consent is required for high risk processing activities in relation to any sensitive data collection. We will ensure all participants are fully informed and they grant explicit consent to what data is collected, why it is being collected, how long it will be stored and when/how it will be removed/destroyed. All consent will be clearly documented.

10.  Controller Responsibilities

Data provided by the Client/Agency must be compliant with these GDPR principles.  All individuals must have consented to their data being used for the purpose intended, i.e. for research purposes and more specifically for that particular project.  Each individual must have fully consented (i.e. actively opted in) that their data can be passed on to a third party (processor) for the purpose identified.

The controller (Client/Agency) must ensure that the individuals are aware of their rights (see section 5).

11.  Face Facts Responsibilities

As a supplier we confirm that we are GDPR compliant.  

We will only act on the written instructions provided and ensure that anyone in our organisation is fully trained and adheres to GDPR in light of any research project.

We will not engage a sub-contractor/processor without prior consent from yourselves.

Any data stored by ourselves will be stored securely with encryption and back up.

We ensure we keep records of all processing activities carried out and will also comply with the GDPR Rights for Individuals and subject access requests.

As per our Data Breach Policy – we confirm we would notify you of any data breaches without any undue delay. We are aware that these must be escalated to yourselves no later than 72 hours after the breach made. 

12.  Data Retention and Data Disposal

All data stored at Face Facts is stored in line with our Data Retention Policy. 

Any personal data collected is disposed of after 3 months.  Any paper documents, i.e. paper questionnaires, are retained for 12 months (any PI, personal identifiers, are removed before storage).

We ensure that we dispose of personal, confidential and business-critical information in a secure manner.

    • Paper Information – confidential waste bins are provided and managed/disposed of off-site by McCarthy’s Safe Shred. McCarthy’s Safe Shred are ISO 14001 & BS EN 15713 accredited.

    • Electronic Information – end of life DVDs/CDs/PCs, Laptops, Smartphones, Tablets and Servers are disposed of off-site by Revive IT. Revive IT are the highest accredited IT recycling/data destruction company in the UK with UKAS ISO 27001, BS 7858 and BS EN 15713 accreditation.