MARKET RESEARCH: How QRS raised the bar on data protection as well as their IT
How market researchers raised the bar on data protection
As a top-five consumer market research agency in the UK, Hertfordshire-based QRS processes masses of personal data daily. Yet new and complex EU & UK data protection laws have tightened up on data use and must be complied with. How could the agency ensure compliance and not risk penalties?
Bank managers do have their uses. QRS Market Research, based in Welwyn Garden City, lives and breathes personal data but, like all other companies linked to the EU, it has had to bring its practices into line with strict new EU-wide laws governing personal data protection. The problem was finding an IT support firm fully clued up on how to comply with the new legislation known as GDPR (General Data Protection Regulation). By chance, the agency’s bank staff had just heard a talk on GDPR from a local IT security and support services firm – it had hit the right note and the bank manager kindly passed on its name – Assign-IT.
“We’d been with our IT company for 25 years but we needed more help on the security side, given GDPR,” says Lee Tomlin, senior director at QRS. “I contacted Assign-IT’s commercial director, Dave Privett, and he started talking about security and how it supports their other core service, IT support. I immediately felt he was saying the right things.
‘I could rely on Assign to identify unknown issues’
“We’ve never had a breach but you know things can always be better, and I felt from the start that I could rely on them to identify the issues with things I might not even know about.”
QRS specialises in customer attitudes, particularly in retail and banking, and often acts as the outsourced data collection arm of other market research agencies. “We also collect data from shoppers on their shopping habits,” says Lee. “We do it via face-to-face encounters on the streets, using around 140 iPads and a 62-station telephone unit, plus spin-off work such as automated satisfaction phone surveys using 1-10 on your keypad. We have 19 full-timers, some 60 staff working in our telephone centre and 1,000 people around the country polling shoppers in the street.”
So what was the deal? Eventual GDPR compliance was the main aim, so the agency opted for a four-pronged package.
First, QRS focused on raising the security of all its electronically stored information against common cyber-attacks by certifying under the UK government-backed Cyber Essentials (CE) scheme.
‘Assign realised we weren’t a 9-to-5 standard customer’
Assign-IT, which is Hertfordshire’s first official CE certification body, goes much further than ticking boxes. It actually prepares its clients for certification by assessing, advising on and auditing all hardware and software. “We began working with QRS in October and by Christmas had brought them up to scratch for a successful certification,” says Privett.
Second, Assign-IT would provide QRS with an ongoing managed IT support services package from January this year to support the IT infrastructure used by around 70 users. “It covers Monday to Friday every week and because we often work weekends they have very kindly given us a mobile number for emergencies,” says Lee. “They realised we weren’t a 9-to-5 standard customer – and that was important to us as we work up to 9pm and, in the telephone unit, Saturdays and sometimes Sundays. Dave was open-minded, saying they could be flexible even though it was not their standard offering.”
Third, to move up to the higher level of certification, Cyber Essentials Plus (CE+), in which the CE controls are verified by independent technical testing rather than self-assessment alone, Assign-IT came in shortly before Easter to undertake further exhaustive internal and external vulnerability scans and additional on-site assessments of the agency’s infrastructure, looking in particular at workstations and mobile devices.
Finally, within the next few weeks, Assign-IT will be advising QRS on how to comply with the new GDPR personal data protection laws (effective from May 25, 2018) by gaining IASME certification (IASME stands for Information Assurance for Small and Medium-sized Enterprises). IASME is an information security standard for which Assign-IT is also a certification body.
Cyber Essentials forms a key part of IASME
In fact, the two Cyber Essentials certifications make up a key part of IASME, which also covers all the requirements of the GDPR. IASME enforces best practice in information security (‘protection of all electronic and paper information assets in a company’) as opposed to cyber security (‘protection of all electronically stored information from external threats’) covered by Cyber Essentials.
To prepare QRS for IASME certification, Assign-IT took several key steps. First, it created an information asset register that involved data mapping, assessment of risk (confidentiality, integrity and availability issues) and treatment of risk based on the four ‘T’s (treat, transfer, tolerate and terminate), followed by checking organisational and technical (CE) controls.
“They did a full IT audit on everything and they were so thorough,” says Lee. “They didn’t just rely on what we told them but completed their own exhaustive assets register for us as well. I was impressed by the fact they were prepared to do that. And it now means I have a much more up-to-date and detailed record of every single machine than I had before. A complete asset register is a godsend for my insurance!”
‘Our staff access permissions were tightened up’
Assign-IT were very proactive in identifying areas for improvement and talked QRS through what was needed. “They really tightened up our access permissions for staff, and instigated encryption of data which we’d highlighted as a need before they arrived.
“Assign also implemented their own solutions for encryption,” says Lee. “They came up with a very cost-effective software solution priced at £60 compared with an alternative well-advertised software solution which had a £1,200 price tag! They could do it so cheaply because of their knowledge in this field.”
For QRS the combination of CE and IASME is really good value. “We welcome the level of security and data protection provided by CE and IASME,” says Lee. “We’re also highly regulated as we are a member of the Market Research Society. And we carry our industry’s ‘fair data’ kitemark brought in a few years ago and which incorporates the basic principles of GDPR.”
‘Assign only took a day in the office to produce an information asset register’
Lee cannot fault Assign-IT’s smooth-running support work. “We had a series of meetings with them before CE certification, and they only needed a day in the office to produce our asset register and the related risk assessments,” says Lee.
“Most problems can be dealt with remotely during or after a phone call, and if they can’t fix something straight away we’re confident they are still working behind the scenes and doing what they need to do. They are a safe pair of hands, they’ve got your back and are experts in IT security. I’d absolutely recommend them to other people.”