Merit & GDPR

Introduction and background

In the run up to the enforcement of the EU’s GDPR (General Data Protection Regulation) from May 25, 2018 as well as EU ePrivacy regulatory changes, Merit is following a strategy that will ensure our clients’ data and that of their customers and prospects is compliant when new regulations come in to effect.

There are three core areas within this strategy, which are all focused on the personal data Merit handles:

  • Confidentiality
  • Integrity
  • Accountability

With business interests in the UK, and as a legal entity registered in the UK, we play the role of a Data Controller. As an entity that processes data of EU citizens (as part of client requirements) we also play the role of a Data Processor. Therefore, Merit has dual responsibility in terms of ensuring regulatory compliance.

The main objectives of all GDPR related initiatives at Merit are based on the data protection principles mandated by the regulation – i.e. Regulation (EU) 2016/679 of the European Parliament and the Council published April 27, 2016.

The processes and systems around GDPR at Merit are created based on the following key principles of the regulation:

  1. Lawfulness, fairness and transparency
  2. Legitimate purpose for processing
  3. Data minimisation
  4. Data accuracy
  5. Data retention and disposal
  6. Data security

The processes and systems also take into account the key aspects of handling personally identifiable information, namely:

  • Data collection
  • Data transfer
  • Data usage
  • Data storage
  • Data disposal

High Level GDPR related initiatives at Merit

  1. Appointment of a Data Protection Officer and a Steering Committee to oversee the creation, implementation and monitoring of the GDPR activities of Merit
  2. Review and update of all our existing policies and guidelines around data protection in relation to the GDPR requirements and demands
  3. Creation of a data governance framework (document) and the building of a Personal Information Management System (PIMS) specifically taking into account the GDPR requirements
  4. Creation of a centralised data asset register that will hold information on every data set held and used within Merit’s systems
  5. Data Privacy Impact Assessment (DIPA) for all data affected by GDPR
  6. Delivery of a risk assessment for each client with respect to the personal data we hold (in relation to GDPR) or personal data handling related processes specific to their business needs
  7. Creating a comprehensive and robust technical solution (Privacy by Design and Default) to adhere to the requirements and to avoid breaches or any violations of the GDPR. This is in addition to the highly advanced and independent process-specific technical solutions in place to handle personal data related requests and complaints
  8. An ongoing training programme to ensure all Merit staff are trained on GDPR and data usage/privacy
  9. In December 2017, undergoing an audit by the BSI (British Standards Institute) BS10012 standards on data protection specific to GDPR and completing the BSI’s Lead Auditor Training Programme

 

Process Specific GDPR Activities

Specific processes around GDPR requirements, relating to personal data handling (either web or voice researched at Merit), are as follows:

 1. Data Sources

As a ‘Data Processor’ it is integral to most of our core service offerings to process limited personal data of people in the EU/UK.  As part of this process, EU/UK contacts’ data is transferred outside of the EU/UK, as all of this data is processed at our offices in Chennai, or Mumbai, India.

We receive various source lists (i.e. personal data) from our clients in the UK that consist of contacts in the EU/UK and their details. The EU/UK contacts could be found in exclusive lists or be as part of larger global lists.

In addition, a large amount of data is sourced or newly built to specific briefs provided by the client. In this case our sources are predominantly publicly available on online websites or portals.

2. Personal Data Fields within the Scope of Merit’s Work

Apart from the five data points listed below, we do not process any other sensitive personal information such as date of birth, photo, device ID, credit card/banking details, health conditions etc.

  • Person’s Name
  • Office Postal Address (mostly HQ but sometimes the exact location address of the contact)
  • Business email
  • Business phone number (sometimes)
  • Job title (function/role, seniority level)

The above data fields are applicable for the data that we collect or process for most clients by web and/or voice research.

 3. Data Profiling

We do not do any data profiling as far as personal data of the contacts racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life and sexual orientation, genetic data or biometric data.

4. Data Processing

As part of our processing we do obtain or validate information using various public online sources or subscribed industry specific or professional networking sources (such as Hoovers, LinkedIn etc). For some clients we also validate the data obtained by web research over calls. 

For 80% of our clients we process the data (validated information from client provided sources or any data newly built to a brief) through our central workflow management system called Campaign Manager.

Each record has a unique id with details available on the source from where the information is gathered and also a time and date stamp.

Data received, sourced and processed is stored in an easily searchable central database. Any sources that are received on paper are converted to PDFs and stored in our central folders. The paper copies are stored with designated personnel until the completion of the project and destroyed or returned to the owner as instructed appropriately.

We deal with any complaints relating to opt-out or the right to be forgotten by moving the contact records to a central suppression or a permanent ‘Do Not Contact’ list. All contact records collected are checked automatically against this list (we use fuzzy logic and partial matches for names to make sure that we have covered all possibilities) and make sure that these records are removed from any uploads to our clients. We also disable calling to the numbers in the DNC lists.

For those clients where we do not process information using our systems, we use a VPN connection to process information directly in the client systems. In such a case there is no transfer of data outside of the EU/UK and the data protection liability lies with the client.

Any data that we upload for our clients is collected, processed and stored in Campaign Manager, which has appropriate restriction access for different levels of stakeholders that access this application.

5. Data Transfers

GDPR mandates that any transfer of personal data (especially sensitive data) of EU/UK contacts is done with utmost care and security.

At Merit, data transfer mode and method vary based on specific requirements – this could be by email or FTP uploads or SFTP uploads (with the safest being SFTP uploads).

For some clients we password protect the file if it is sent by Excel and also if it is loaded to the FTP folder with passwords sent separately.

However, as part of our GDPR activities going forward (starting October 2017), our standard operating procedure would include password protecting all Excel files sent via email and files loaded to our FTP.

6. Data Security

As part of Merit’s larger data protection and security initiatives we have built a series of measures which include, but are not limited to, the following:

  1. All CD/pen drives or access to any storage device is disabled to all processing agents/staff. Team Leaders and Managers have restricted access, but it is centrally monitored and checked by the central IT team
  2. Mobile phones are not permitted on the call floor
  3. All personal email/social media sites are disabled
  4. All online activities are closely monitored by the central IT team
  5. The building is fitted with security cameras and building access is restricted for authorised personnel only using proximity cards

Consent/Opt-in

The liability for consent/opt-in lies with the Data Controller i.e. our clients. Going forward, and in view of the GDPR requirements, obtaining consent or opt-in would solely lie with the client.

In addition to the web and/or voice research that we carry out for the data, for some of our clients we also obtain opt-in for specific services or products on behalf of the client on calls.   We do not obtain email opt-ins for any client.

The wording for the opt-in question, in cases where we opt-in contacts, is supplied and signed off by the client.

In such scenarios, we attempt to obtain the consent or opt-in directly from the contact. If this is not possible, consent is obtained at a business level (at reception level, department level or a colleague).

For more information about Merit’s regulatory compliance, please email enquiries@meritgroup.co.uk.