TSR Research Practices Are Now GDPR Compliant!


Touchstone Research is GDPR Compliant

You may have noticed over the last couple of weeks your favorite websites have been sending you e-mails regarding updates to their privacy policies and terms of use.  These updates are likely due to the requirements of the General Data Protection Regulations (GDPR) that go into effect this Friday, May 25, 2018.

So, What is the GDPR?

In short, the GDPR is a legal framework that sets guidelines for the collection and processing of personal information from individuals within the European Union (EU).  Most importantly, the GDPR allows individuals more control over their personal information. This means all individuals in the EU must provide consent to a third-party using their data, and they have the right to access their data or have the data erased.  Additionally, under GDPR, controllers and processors of personal data must have measures in place to ensure that all personal information is collected, processed and stored securely.

Touchstone’s Path Towards GDPR Compliance:

Touchstone Research believes in providing a transparent means of collecting data and ensuring data security to protect our research participants, partners and clients.  Here are some of the steps we have taken to adhere to GDPR:

Updated Privacy Policy – All panels managed by Touchstone Research have a revised Privacy Policy that clearly outlines all data collection, processing and retention policies.  Panel members and research participants can also submit subject access requests (SARs) right from our Privacy Policy (required under GDPR).

Participant Consent Process— Prior to participating in our research studies, participants will see a consent form that outlines, in clear and unambiguous terms, what personal data is being collected and the purpose for processing.  Participants must then opt-in to provide consent and take part in the study.  Opt-out links are also included in all project communication, making it easy for participants to withdraw consent at any time.

Partner Agreements—Touchstone has Data Processing Agreements (DPAs) with all partners that we conduct research with in the EU.  The DPAs clearly lay-out the roles and responsibilities of the controllers and processors of personal information.  We also have partners complete a vendor diligence form which includes their security standards and procedures for full transparency and data mapping.

Inventory of Data-processing Activities—The GDPR requires the data controller and processor to understand and map its processing activities.  This means an understanding of how and where data is transmitted and stored.  Touchstone has completed and maintains an inventory of all processing activities which tracks this information.

Incident Response Policy—Touchstone has a clearly defined process that will enable us to swiftly and effectively respond to a security incident.  We also have a structured Privacy Impact Assessment (PIA) and Data Protection Impact Assessments (DPIA) which we will use to assess any new processing activities that may be considered high-risk.

Designated an EU Representative—Under the GDPR, companies without a physical establishment in the EU need to appoint a representative located in the EU.  We have designated an EU representative that will operate on behalf of Touchstone as a local point of contact for data subjects and EU data protection supervisory authorities.

Designated a Privacy Officer—Touchstone has designated a privacy officer whose responsibilities include, but are not limited to:  educating employees on compliance requirements and procedures; conducting regular reviews to ensure compliance; serving as the point of contact between the company, the EU Rep, and GDPR supervisory authorities; managing personal data protection related inquiries, etc.

If you have an upcoming international project and want to make sure the research is being conducted in compliance of GDPR, please contact us at [email protected] for information on how we can assist.