Privacy Policy & Data Protection Guidelines

This document provides mandatory operational guidelines and best practices at Resinnov Solutions (OPC) Pvt. Ltd. for all personnel and processes engaged in collecting, processing, storing, and transferring client and participant data, ensuring adherence to the Information Security Risk Management and Assurance Policy (ISRMAP). These guidelines are established to maintain the confidentiality, integrity, and availability of sensitive information and to ensure continuous compliance with global regulatory mandates.

I. Foundational Principles and Risk-Based Approach

Data protection activities must be executed in alignment with the organization’s established risk appetite and tolerance, prioritizing resources toward the most significant risks identified in the Risk Register.

1.1 Mandatory Risk-Based Security Assessment

Security measures and controls shall be determined by a risk-based assessment of threats, potential harm, and appropriate mitigation measures relevant to the specific data and project. This prevents the unnecessary imposition of generic security requirements and ensures that security efforts are pragmatic and proportional to the risk involved. For instance, the security schedule incorporated into client contracts must be tailored to the nature of the data and risks.

1.2 Accountability and Control Ownership

All employees and contractors must understand and adhere to the security policy and are responsible for preserving the availability, integrity, and confidentiality of organizational and client assets.

  • Data Owners are responsible for determining the appropriate sensitivity or classification levels for all data assets and defining access privileges.

  • Information System Security Professionals are responsible for the design, implementation, and review of security policies, standards, and procedures.

II. Market Research Data Handling and Operational Security

The processing of primary market research data, which often involves personally identifiable information (PII) or sensitive personal data or information (SPDI), requires strict procedural controls to minimize inherent risk.

2.1 Data Classification and Storage

All data must be classified according to sensitivity (as determined by the Data Owner), and the following controls are mandatory for sensitive data storage:

  • Access Control: Strict access controls must be implemented to ensure that only authorized personnel can access sensitive research data.

  • Encryption: Strong encryption protocols must be used for all sensitive data, both in transit and at rest.

  • Backup: Regular, tested backup and data restoration procedures are essential to prevent data loss and ensure system recovery following a failure.

2.2 Anonymization and De-identification Protocols

For qualitative research data (e.g., audio recordings, interview transcripts) containing explicit identifying information, the following best practices are mandatory to reduce PII exposure:

  • Mandatory Pseudonymization: The primary technique for qualitative data protection is the mandatory use of codes or pseudonyms to replace all proper names, locations, and other identifying information. This practice ensures confidentiality for participants (especially if sensitive activities are discussed) and reduces legal risk for the researcher.

  • Timing of Control: The de-identification process (pseudonymization) must occur immediately after the transcription process is completed. Implementing this control at the earliest stage reduces the amount of sensitive PII in circulation, making subsequent processing, transfer, or outsourcing safer.
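As an added illustration of the pseudonymization step in 2.2 (example code, not part of the original guidelines), the following Python replaces each registered name, organization and location in an interview transcript with a stable code and returns the re-identification key separately; the transcript and the entity register are constructed sample data.

```python
import re

# Constructed sample transcript; no real participant data.
TRANSCRIPT = (
    "Interviewer: Anita, thanks for joining. You work at Meridian Retail in Pune?\n"
    "Anita Sharma: Yes, I moved to Pune in 2019 when Meridian Retail opened the store.\n"
    "Interviewer: And Ms. Sharma, how did the relocation go?\n"
)

# Constructed entity register: canonical identifier -> (category, known aliases).
ENTITIES = {
    "Anita Sharma": ("PARTICIPANT", ["Anita", "Ms. Sharma"]),
    "Meridian Retail": ("ORG", []),
    "Pune": ("LOCATION", []),
}


def pseudonymize(transcript, entities):
    """Replace every alias of each registered entity with a stable code.
    Returns (de-identified text, key map); the key map is the re-identification
    key and must be stored apart from the transcript."""
    alias_to_canonical = {}
    for canonical, (_kind, aliases) in entities.items():
        for alias in [canonical, *aliases]:
            alias_to_canonical[alias.casefold()] = canonical

    # One code per entity, numbered per category in register order (e.g. [ORG-001]).
    counters, codes = {}, {}
    for canonical, (kind, _aliases) in entities.items():
        counters[kind] = counters.get(kind, 0) + 1
        codes[canonical] = f"[{kind}-{counters[kind]:03d}]"

    # Longest alias first so "Anita Sharma" is not split by the shorter "Anita";
    # the lookarounds stop partial-word hits (e.g. "Pune" inside "Punekar").
    ordered = sorted(alias_to_canonical, key=len, reverse=True)
    pattern = re.compile(
        r"(?<!\w)(" + "|".join(re.escape(a) for a in ordered) + r")(?!\w)",
        re.IGNORECASE,
    )

    def replace(match):
        return codes[alias_to_canonical[match.group(1).casefold()]]

    key_map = {code: canonical for canonical, code in codes.items()}
    return pattern.sub(replace, transcript), key_map


if __name__ == "__main__":
    text, key = pseudonymize(TRANSCRIPT, ENTITIES)
    print(text)
    print("Key map (store separately from the transcript):", key)
```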

2.3 Secure Transmission of Sensitive Files

Due to the often large size and sensitive nature of raw audio, video, and data files, secure transmission is non-negotiable:

  • Encryption for Exchange: The company must encrypt all messages and files exchanged with the Customer or external vendors when the content's classification requires it.

  • Protocol Requirement: Only strong, tested encryption protocols (e.g., SFTP, end-to-end encrypted messaging systems) shall be used for all external and internal transfers of sensitive data.

III. Third-Party and Vendor Risk Management (T-PRM)

Outsourcing critical functions (such as transcription, translation, or cloud storage) introduces significant supply chain risks. The following best practices must be enforced:

  • Pre-contractual Due Diligence: Mandatory vendor risk assessment must be performed before initiating any contract and must be continuously monitored throughout the contract lifecycle.

  • Data Processing Agreements (DPAs): All vendors handling sensitive data must execute a Data Processing Agreement (DPA) that explicitly incorporates the security requirements, controls, and clauses mandated by the company’s ISRMAP.

  • Enforceable Contractual Controls: Vendor contracts must include specific clauses (SLAs and KPIs) enforcing operational integrity, including:

    • Maintenance of proper Change Management processes to ensure modifications to vendor resources are properly tested and do not introduce integrity or availability issues for the client.

    • Guaranteeing the vendor performs adequate backup and data restoration procedures as required by the organization to ensure data recoverability.

IV. Cross-Jurisdictional Compliance Best Practices

When transferring personal data across borders (especially between India, the EU/EEA, and the US), the company must adhere to the strictest applicable standard.

4.1 Transfers of EU/EEA Personal Data (GDPR)

Since India does not have an adequacy decision from the European Commission, all transfers of EU/EEA personal data must rely on Appropriate Safeguards:

  • Standard Contractual Clauses (SCCs): The company must implement the European Commission’s Standard Contractual Clauses (SCCs) for all relevant transfers.

  • Transfer Impact Assessment (TIA) Mandate: Adherence to SCCs necessitates performing a documented Transfer Impact Assessment (TIA). This TIA must verify that the local laws and government practices in India do not impinge on the effectiveness of the safeguards guaranteed by the SCCs, requiring the company to voluntarily impose stricter requirements as a compliance baseline.

4.2 Handling of California Personal Information (CCPA/CPRA)

When acting as a "Service Provider" or "Contractor" for Californian businesses, the company must:

  • Honor Consumer Rights: Maintain auditable mechanisms to handle consumer requests efficiently, including the Right to Know, the Right to Delete, and the Right to Opt-Out of Sale/Sharing.

  • Handle Historical Requests: Include a means by which the consumer can request Personal Information collected prior to the standard 12-month lookback period, provided it was collected on or after January 1, 2022.

  • Avoid "Disproportionate Effort" Claim: Ensure that adequate processes and procedures are implemented to receive and process consumer requests. A business cannot subsequently claim that responding requires disproportionate effort if technical limitations stem from a prior failure to implement adequate processes.

4.3 India DPDP Act, 2023

While the DPDP Act permits cross-border data transfers, the company must maintain continuous vigilance:

  • Blacklist Monitoring: Continuous monitoring of notifications from the Central Government is mandatory to identify any countries that have been specifically restricted or "blacklisted" for data transfer.

V. Compliance Assurance and Client Reporting

Providing clear and credible security documentation is a core component of client assurance:

  • Required Documentation: When closing mid-market and enterprise deals, prospective clients expect tangible proof of security, including:

    • Documentation demonstrating compliance with globally recognized standards (e.g., ISO 27001 certification status).

    • Independent third-party audit reports (e.g., Service Organization Control (SOC 2) reports).

    • Summaries of penetration test results.

  • Security Assurance Plan (SAP): For all critical clients, a specific SAP shall be drafted as a contractual annex, detailing mandatory implementation descriptions, performance indicators, and the frequency of control enforcement to guarantee the expected level of security.

  • Security Committee Review: All action plans resulting from formal Risk Analyses or Cybersecurity Audits must be reviewed by the Security Committee (SECCO) to ensure accountability and track remediation progress, providing demonstrable evidence of active risk management to clients.