iResearch and the GDPR

iResearch Services Is GDPR-Ready

At iResearch Services, nothing is more important than our clients’ data protection and success. With clients in nearly every country in the world, we strictly adhere to the European General Data Protection Regulation (GDPR), which expands the privacy rights granted to European individuals and requires certain companies that process their personal data to comply with a new set of regulations. In particular, the GDPR may apply to companies that process the personal data of European individuals with an EU presence (for example, offices or establishments) and companies without an EU presence that target the European market (for example, by offering goods or services to the European market) or monitor the behavior of European individuals. We’re here to help our clients in their efforts to comply with the GDPR.

What Is the GDPR?

Enforced in May 2018, the European Union’s General Data Protection Regulation (GDPR) established a structured and comprehensive framework for collecting, processing, using, and sharing personal data in order to protect the privacy rights of EU data subjects. The GDPR generally applies to any organizations operating within or outside the EU that offer goods or services to clients or businesses in the EU and process the personal data of EU-based individuals.

The GDPR expands the privacy rights granted to European individuals and is designed to protect their data protection rights by strengthening the security and protection of their personal data and improving their control over how it is handled.

In the UK, parts of the GDPR were incorporated into local law by the enactment of the Data Protection Act 2018. On 31 December 2020, the remaining provisions of the GDPR were incorporated into local UK law, creating what is known as the “UK GDPR.” Currently, the UK GDPR contains requirements very similar to the EU GDPR, with some provisions that may be different and more business-friendly. When we refer to “the GDPR,” we are referring to both the EU GDPR and UK GDPR.

Roles and Responsibilities

The GDPR distinguishes between two main types of roles regarding the processing of personal data: “data controller” and “data processor.” A data controller determines the purposes and ways that personal data is processed, while a data processor is a party that processes data on behalf of the controller.

Clients using the services of iResearch Services to process personal data for their own purposes and means will typically be considered the “data controllers” and are primarily responsible for meeting all applicable GDPR requirements. iResearch Services serves as its clients’ “data processor,” processing such personal data on behalf of its clients.

Compliance With the GDPR

Our legal and privacy teams regularly monitor and review our practices in order to ensure ongoing and full compliance with the GDPR by:

  • Reviewing and strengthening our security infrastructure and practices, data encryption in transit and at rest, backups, logs, and security alerts.
  • Conducting periodic risk assessments and data mapping processes, embedding them into our change management processes to ensure proper personal data management in accordance with the GDPR’s requirements.
  • Regularly monitoring guidance around GDPR compliance and ensuring ongoing compliance through our internal procedures, processes, and controls and recurring training sessions for the team.
  • Enabling our clients to respond to data subject requests to exercise their privacy rights and deleting data upon data subject request.
  • We have received an internationally recognized security certification for ISO 27001 ISMS (Information Security Management System) & BS10012 PIMS (Personal Information Management System) from BSI.
  • Ensuring appropriate contractual terms are in place to perform our role as a data processor for our clients while complying with the GDPR.
  • We have revised our Data Processing Addendum to ensure the protection of personal data according to customary industry standards and such appropriate lawful mechanisms and contractual terms in compliance with the GDPR following the invalidation of the Privacy Shield Framework.
  • Allowing our clients to enter into Standard Contractual Clauses (SCCs) adopted by the European Commission on 4 June 2021 (Controller-to-Processor) for the international transfers of personal data, including an Annex intending to cover transfers of personal data from the UK to third countries (see Annex III). We have supplemented the SCCs with Additional Safeguards (see Annex IV) to further strengthen the rights and freedoms of data subjects.
  • Regularly performing security and privacy assessments of our sub-processors to ensure their adherence to GDPR principles.
  • Designating a representative in the EU and the UK and appointing a Data Protection Officer (DPO) to monitor and advise on iResearch Services’ ongoing privacy and data protection compliance and serve as a point of contact for individuals and supervisory authorities concerning data protection and privacy matters.
  • Having procedures for handling suspected breaches concerning personal data, limiting the use, disclosure, and retention of personal data, and regularly conducting privacy training for all relevant staff members.

If you have any questions concerning iResearch Services’ privacy program and our compliance with the GDPR, please feel free to contact our Data Protection Officer & Privacy Team at [email protected].