Introduction and background
In the run up to the enforcement of the EU’s GDPR (General Data Protection Regulation) from May 25, 2018 as well as EU ePrivacy regulatory changes, Merit is following a strategy that will ensure our clients’ data and that of their customers and prospects is compliant when new regulations come in to effect.
There are three core areas within this strategy, which are all focused on the personal data Merit handles:
With business interests in the UK, and as a legal entity registered in the UK, we play the role of a Data Controller. As an entity that processes data of EU citizens (as part of client requirements) we also play the role of a Data Processor. Therefore, Merit has dual responsibility in terms of ensuring regulatory compliance.
The main objectives of all GDPR related initiatives at Merit are based on the data protection principles mandated by the regulation – i.e. Regulation (EU) 2016/679 of the European Parliament and the Council published April 27, 2016.
The processes and systems around GDPR at Merit are created based on the following key principles of the regulation:
The processes and systems also take into account the key aspects of handling personally identifiable information, namely:
High Level GDPR related initiatives at Merit
Process Specific GDPR Activities
Specific processes around GDPR requirements, relating to personal data handling (either web or voice researched at Merit), are as follows:
1. Data Sources
As a ‘Data Processor’ it is integral to most of our core service offerings to process limited personal data of people in the EU/UK. As part of this process, EU/UK contacts’ data is transferred outside of the EU/UK, as all of this data is processed at our offices in Chennai, or Mumbai, India.
We receive various source lists (i.e. personal data) from our clients in the UK that consist of contacts in the EU/UK and their details. The EU/UK contacts could be found in exclusive lists or be as part of larger global lists.
In addition, a large amount of data is sourced or newly built to specific briefs provided by the client. In this case our sources are predominantly publicly available on online websites or portals.
2. Personal Data Fields within the Scope of Merit’s Work
Apart from the five data points listed below, we do not process any other sensitive personal information such as date of birth, photo, device ID, credit card/banking details, health conditions etc.
The above data fields are applicable for the data that we collect or process for most clients by web and/or voice research.
3. Data Profiling
We do not do any data profiling as far as personal data of the contacts racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life and sexual orientation, genetic data or biometric data.
4. Data Processing
As part of our processing we do obtain or validate information using various public online sources or subscribed industry specific or professional networking sources (such as Hoovers, LinkedIn etc). For some clients we also validate the data obtained by web research over calls.
For 80% of our clients we process the data (validated information from client provided sources or any data newly built to a brief) through our central workflow management system called Campaign Manager.
Each record has a unique id with details available on the source from where the information is gathered and also a time and date stamp.
Data received, sourced and processed is stored in an easily searchable central database. Any sources that are received on paper are converted to PDFs and stored in our central folders. The paper copies are stored with designated personnel until the completion of the project and destroyed or returned to the owner as instructed appropriately.
We deal with any complaints relating to opt-out or the right to be forgotten by moving the contact records to a central suppression or a permanent ‘Do Not Contact’ list. All contact records collected are checked automatically against this list (we use fuzzy logic and partial matches for names to make sure that we have covered all possibilities) and make sure that these records are removed from any uploads to our clients. We also disable calling to the numbers in the DNC lists.
For those clients where we do not process information using our systems, we use a VPN connection to process information directly in the client systems. In such a case there is no transfer of data outside of the EU/UK and the data protection liability lies with the client.
Any data that we upload for our clients is collected, processed and stored in Campaign Manager, which has appropriate restriction access for different levels of stakeholders that access this application.
5. Data Transfers
GDPR mandates that any transfer of personal data (especially sensitive data) of EU/UK contacts is done with utmost care and security.
At Merit, data transfer mode and method vary based on specific requirements – this could be by email or FTP uploads or SFTP uploads (with the safest being SFTP uploads).
For some clients we password protect the file if it is sent by Excel and also if it is loaded to the FTP folder with passwords sent separately.
However, as part of our GDPR activities going forward (starting October 2017), our standard operating procedure would include password protecting all Excel files sent via email and files loaded to our FTP.
6. Data Security
As part of Merit’s larger data protection and security initiatives we have built a series of measures which include, but are not limited to, the following:
The liability for consent/opt-in lies with the Data Controller i.e. our clients. Going forward, and in view of the GDPR requirements, obtaining consent or opt-in would solely lie with the client.
In addition to the web and/or voice research that we carry out for the data, for some of our clients we also obtain opt-in for specific services or products on behalf of the client on calls. We do not obtain email opt-ins for any client.
The wording for the opt-in question, in cases where we opt-in contacts, is supplied and signed off by the client.
In such scenarios, we attempt to obtain the consent or opt-in directly from the contact. If this is not possible, consent is obtained at a business level (at reception level, department level or a colleague).
For more information about Merit’s regulatory compliance, please email email@example.com.
We'll read your message and get back to you