Privacy & Data Protection Policy
People Blueprint Ltd t/a ENGAGE (“we”) are committed to protecting and respecting your privacy. The following notice explains what kind of personal data we collect from you, why and how we collect it, what we do with your data and what rights and choices you have when it comes to your personal data. This policy adopts the fundamental principles of the EU’s General Data Protection Regulation (“GDPR”) as the minimum standard to which ENGAGE, its employees and suppliers must adhere.
The collection and analysis of personal information about individuals (data subjects) is crucial to the delivery of ENGAGE’s products and services. Maintaining the confidence of individual participants, clients and partners in the responsible processing of this data is of the highest importance to us. Everyone who works for ENGAGE has some responsibility for ensuring personal data is collected, stored and handled appropriately. It is everyone’s responsibility that personal data is handled and processed in line with this policy and its data protection principles and employees are supported in this through effective training, systems and processes. ENGAGE also expects its suppliers, associates and partners to comply with the principles as set out below.
All personal data must be dealt with properly, irrespective of how it is collected, recorded and processed. ENGAGE adheres to the principles relating to the processing of personal data found in the GDPR:
- Lawful, fair and transparent processing – personal data must be processed and collected lawfully, fairly and in a transparent manner in relation to the data subject. The data subjects must be informed of how their data is being handled
- Purpose limitation – personal data must only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimization – personal data must be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed. It must be determined whether and to what extent the processing of personal data is necessary to achieve the purpose for which the processing is undertaken. Where the purpose allows and where the expense involved is in proportion with the goal being pursued, anonymized data must be used instead of personal data.
- Accurate and up-to-date processing – personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard for the purpose for which it is processed, is erased or rectified without delay.
- Limitation of storage in a form that permits identification – personal data must not be retained in a form which permits identification of data subjects for longer than is necessary for the purpose for which the personal data are processed. ENGAGE’s data retention policy permits variance in retention period in a project-by-project basis.
- Confidential and secure – personal data must be processed in a manner that ensures appropriate security of the personal data from being revealed, disseminated, accessed or manipulated.
- Accountability and liability – personal data must not be transferred to other countries (
- that do not offer an adequate level of protection.
ENGAGE collects and processes personal data from a number of source; this list is not exhaustive:
- When individuals interact with our website, we collect certain information which allows us to analyse website traffic and user behaviour
- When individuals register or sign-up to receive marketing communications and / or ENGAGE publications, we collect basic contact and profile details
- When individual complete online and offline research exercises, we often collect personal data to help with the analysis of the attitudinal and behaviour information
- When individuals provide content on social media or other digital platforms
- When clients transfer personal data to ENGAGE (often in the form of a sample)
- When employees, suppliers, partners, associates and clients generate personal data as part of their contractual arrangements
ENGAGE complies with all data protection requirements in both its role as a data controller and data processor. All requirements are transferred to any third parties used by ENGAGE to collect, process and store personal data.
ENGAGE collects, processes and uses personal data under the following legal bases:
- Personal data can be processed following consent by the data subject. Before giving consent, the data subject must be informed in accordance with the transparency principle as set out above. The declaration of consent must be obtained in writing or electronically for the purposes of documentation. In some circumstances, such as telephone communication, consent can be given verbally. In all cases, the granting of consent must be documented. Any consent will only be valid if it constitutes a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of the personal data relating to them
- Personal data can also be processed if it is the legitimate interests of the data controller and that there is no threat to the right and freedoms or the interests of the data subject.
Every data subject has the following rights. Any exercise of their rights is to be handled within 30 days by the relevant ENGAGE employee and may not result in any disadvantage to the data subject. Where the relevant personal data has been transferred to ENGAGE by a client, the relevant client contract must be consulted in respect of any process to be followed and the client has to be informed about such request immediately.
- Right to information: extensive information including on all rights, contact details, source, retention period, purposes, categories and recipients. Where the relevant information is not included in this policy, data subjects will be provided with this information on a case-by-case basis (e.g. for a specific piece of client research)
- Right to withdraw consent: it must be as easy to withdraw consent as to give consent
- Right to access data: a right to access data within 30 days and for free
- Right to port data: a right to request personal data be provided in a usable, transferable format to allow data to move between platforms or suppliers
- Right to erasure / “be forgotten”: a right to request data be deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing has lapsed or ceased to be applicable for other reasons
- Right to object to processing: a right to object to data being processed; the protection of the data subject’s interest takes precedence over the interests of the data controller
- Right to not be evaluated by automated decision-making: this applies where the automated decision has legal or significant effects. ENGAGE does not envisage that any decisions that will have a legal or other significant effect will be taken using purely automated means
- Right to rectification: right to have records corrected or supplemented
- Right to restrict processing: a right to request that processing be restricted where data cannot be deleted
The data subject may exercise any, or all, of these rights by using the contact details below. Once the request has been submitted, ENGAGE may contact the data subject to request further information to authenticate their identity or to help us to respond to the request. Except in rare cases, ENGAGE will respond within 30 days of receiving this information or, where no such information is required, after we have received full details of the request. It is worth noting, that while some rights apply generally, some are only available in certain circumstances. Where this is the case, ENGAGE will inform the data subject along with the reason for the decision.
414/416 Metal Box Factory
30 Great Guildford Street
020 3176 4531
Personal data is subject to data secrecy. Any unauthorised collection, processing, or use of
such data is prohibited. The “need-to-know” principle applies; ENGAGE employees, partners, associates, suppliers and clients may have access to personal data only as is appropriate for the type and scope of the task in question. This requires a careful breakdown and separation, as well as limitation, of roles and responsibilities. ENGAGE employees, partners, associates, suppliers and clients are forbidden to use personal data for their own private or commercial purposes, to disclose them to unauthorised persons, or to make them available in any other way. All ENGAGE employees, partners, associates and suppliers are made aware of, and trained, in their responsibilities relating to data protection.
ENGAGE will process all the personal data it holds in accordance with its Data Security Policy and take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
The ENGAGE management team are responsible for data processing; they are required to ensure the legal requirements, and those contained in this policy for data protection are met. Management are responsible for ensuring that organisational, people and technical measures are in place so that any data processing is carried out in accordance with these data protection requirements.
ENGAGE’s appointed Data Protection Officer can be contacted on the following:
414/416 Metal Box Factory
30 Great Guildford Street
020 3176 4531
Data subjects have the right to lodge a complaint with a data protection regulator in Europe, or in within the country in which they work or live, where their legal rights have been infringed or where their personal information has or is being used in a way that they believe does not comply with data protection policy. The contact details for the Information Commissioner’s Office (“ICO”), the UK’s independent regulatory body that upholds information rights, are available on their website, which also contains details on how to make a complaint.
ENGAGE reserves the right to change this notice at any time. If any material changes are made we will provide notice to you via email or any other appropriate means to give you the opportunity to review the changes before they become effective.
Effective: 25 May 2018