Skip to content
English - United Kingdom
Get In Touch
  • There are no suggestions because the search field is empty.

How Do Best Companies Align With Data Protection Regulations?

Protecting the personal data that clients share is extremely important to us. In this article we provide frequently requested information about Best Companies GDPR compliance. 

Organisations choose to work with Best Companies to measure, recognise and improve workplace engagement. All our services start with a b-Heard survey, for which clients will be required to share fields of data for their employees to enable us to deliver the survey and be able to report on the current levels of employee engagement within the organisation. The personal data requested and shared has been considered as the minimum required for the processing, to help organisations in meeting with the data minimisation principle. 

Our Privacy Notice detailing how we process data is available on our website:

www.b.co.uk/privacy-notice 

Registration with the Information Commissioner’s Office (ICO)

Every organisation that processes personal information is required to register with the Information Commissioner’s Office (ICO) unless they are exempt. 
 
Best Companies Limited is registered with the ICO. 
Registration Number: Z8349843 

Who does GDPR affect?

To strengthen an individual's rights to privacy, the European Union (EU) brought about the General Data Protection Regulation or GDPR, fortifying existing directives on data protection. The Regulation issued by the European Union applies to businesses processing personal data of European residents and has been in force since 25th May 2018. 
 
The GDPR applies to organisations located within the EU and organisations located outside the EU, where they are processing personal data of individuals residing in the European Union, regardless of where the organisation is located. 
 
Best Companies is committed to protecting the data we hold. No matter where in the world your organisation is located, we extend the same rights to all our clients. 

What is our stance on compliance with GDPR now that the UK has left the EU?

The UK left the EU on the 31st January 2020. 
 
The UK Data Protection Act 2018 enshrines the requirements of the GDPR in UK law with some relatively minor deviations, therefore, UK organisations will still be bound to comply with GDPR legal obligations within the ‘UK GDPR’. The EU GDPR may still apply to organisations who operate in the EEA, offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA. 
 
With regards to the flow of data, the UK confirmed that it will treat the EEA countries as adequate for the purpose of transferring personal data from the UK to the EEA, however this will be kept under review. 
 
On the 28th June 2021, the EU approved an adequacy decision after determining that the UK had an “essentially equivalent” level of data protection to the EU, meaning that data can continue to flow between the EU and UK as it did before, in the majority of circumstances. This decision is expected to last until the 27th June 2025, however the European Commission must monitor developments in the UK on an ongoing basis. 
 
Best Companies is located in the UK and our data processors that are assisting us in processing personal data, are located within the UK and the EEA. No personal data will be transferred outside of the UK/European Region. As part of the service provision some of the data processors may transfer the data to a different country for Geo-redundancy. For the avoidance of doubt the transfer will only be within the European region. 
 
As part of our considerations, Best Companies has instructed Ametros Group as our EU Representative in accordance with Article 27 of the GDPR for EU supervisory authorities and EU citizens. Individuals situated in the EU wishing to request their individual rights may either contact Best Companies directly or Ametros Group. 

Frequently Asked Questions:

Does Best Companies have a Data Protection Officer (DPO)? 

Yes, Best Companies employs an in-house full-time DPO who can be contacted directly by emailing privacy@b.co.uk.  Our DPO is registered with the Information Commissioners Office and reports directly to the highest management level at Best Companies. 
 
The DPO's reporting arrangements meet the requirements of GDPR Articles 37 – 39, including: 

  • Independence 

  • Direct access to top management 

  • Adequately resourced 

  • Competent (knowledge of data protection laws and regulations) 

  • Informed (and up to date with current developments) 

  • Knowledgeable about cyber security

  • Involved properly and in a timely manner, in all issues which relate to the protection of personal data at Best Companies

Does Data Protection have top level support at Best Companies? 

Yes. The Senior Management Team (which includes the CEO and Directors) have received the EU General Data Protection Regulation Foundation (EU GDPR F) Training Course which provides a comprehensive introduction to the EU GDPR, and a practical understanding of the implications and legal requirements for organisations of any size, to ensure reasonable knowledge and competence. The board of directors understands the need for continual review to demonstrate compliance in order to meet with the accountability principle and has nominated an accountable director for compliance oversight. Data Protection features on each Senior Management Team meeting agenda, where they receive regular audit reports and updates from the Compliance Department and the Security Team.  

Is Best Companies a data processor or a data controller? 

Dependent on the data processing activity, we have responsibilities as either a data processor or data controller. Our standard terms of service, which are accepted as part of the client registration process, have been created to accurately reflect our position as a data controller or data processor dependent on the processing. 
 
The terms of service confirms that the client retains overall control of the personal data provided; this protects the personal data from Best Companies processing outside of what would be deemed compatible, and allows you to dictate when we are to accept data subject requests or to decline where it affects your legitimate interest. Clients can also ask us to anonymise the personal data we hold at any point after the provision of services as we only retain the personal data up to the three years following the lapse of the subscription term to protect the organisations invested interests, as a data processor. 
 
As per the terms of service, any personal data collected directly from an individual (the data subject) does not become part of the client dataset. Best Companies is sole controller of this data to protect the individual who has directly provided us the information in relation to the services. 
 
The terms of service include the mandatory GDPR clauses required between a controller and processor, as well as documenting that Best Companies has responsibility for some of the processing as a data controller. These activities, where we act as a controller in making our own decisions include the provision of the Lists, surveys, additional services, and research to the extent that we become a data controller within that process. (This processing is conducted as a separate controller, not joint and conducted on the basis that it is compatible with the original purpose.) We have, as expected, sought independent legal counsel to ensure that our terms include everything required for our specific processing. 

Are all employees and sub-processors committed to confidentiality? 

All Best Companies employees are subject to confidentiality clauses within their employment contract. As part of our supplier checks, we also ensure our data processors employees are also subject to contracts of confidentiality. 

How do you monitor sub-processors compliance? 

We conduct due diligence on all our suppliers. When required, we also conduct a data protection impact assessment. We assess data processors on their GDPR compliance, contractual obligations, use of appropriate technical and organisational measures and location(s) of data processing. We reassess data processors periodically to ensure they have at a minimum, maintained existing standards/ certifications, and consider any new security features they have released that we may be able to make use of. 

How does Best Companies maintain a culture of data protection? 

Responsibility: Best Companies maintains a culture of data protection and every employee across the business is responsible for data protection. The board of directors has nominated an accountable director for compliance oversight, and we have a full-time, in-house Data Protection Officer (DPO), to monitor internal compliance, inform and advise on our data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority. 
 
Ensuring Compliance: There is an established Security Team, who regularly review our technical and organisational security measures to ensure there is appropriate safeguarding in relation to the sensitivity of the data and to ensure we are continually improving our information security posture. The Security Team meets quarterly to manage and track progress; all work is documented within the department roadmap and scheduled for completion. Data Protection is included within the board agenda and all recommendations are discussed and endorsed by the board. 
 
Training and Awareness: There is a mandatory staff awareness programme, which includes training on data protection, data handling, company policy, data protection law and cyber security as part of Induction, classroom and online training at least quarterly. To ensure continuous awareness, we have regular updates to the company intranet where all employees are encouraged to post content in relation to information security and data protection: news, videos, reviews, and awareness etc. The Senior Management Team and functional managers involved in data processing decisions, in addition receive specific training to ensure reasonable knowledge and competence. 
 
A number of Best Companies employees have attended the EU GDPR Foundation (EU GDPR F) course. Employees who pass the included exam are awarded the ISO 17024-certificated EU GDPR Foundation (EU GDPR F) qualification by IBITGQ which is also certificated by the Institute of Information Security Professionals (IISP) and satisfies the IISP Skills Framework requirements at Level 1. 

Do you have documented processes in place to report all security incidents to affected clients? 

Yes. When reporting an incident to the client we will provide: 

  • description of the nature of the personal data breach including, where possible 

  • the categories and approximate number of individuals concerned; and 

  • the categories and approximate number of personal data records concerned. 

  • the name and contact details of the data protection officer or other contact point where more information can be obtained. 

  • a description of the likely consequences of the security incident; and 

  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects. 

Where we have not yet established all the facts, we will provide the required information in phases as and when they become available.

A security Incident will always be prioritised and given the adequate resources required. 

Do you have cyber insurance?

Yes, we have cyber insurance with event management, ensuring we are able to react in the event of a large-scale incident within the required timeframes. 

Do you have documented procedures and provided training to your employees for recognising data subject requests? 

Yes, we have documented procedures and training has been delivered to all Best Companies employees.

Please be aware, objection and erasure requests can impact the administration of the b-Heard survey service and are a contest to a client’s Legitimate Interest. Accepting an erasure or objection request may harm; response rates; the quality of the reporting and services being provided by us; and in the interests of consistent and fair competition, the ability to be considered for a Best Companies accolade. 
 
We can provide with consent, access to the personal data that has been provided to us directly to the data subject on a client’s behalf. 
 
As controller of the data we have collected directly from the individual (data subject), we will consider the request and whether we are able to accept the request. We will always make a client aware of when we have received a request and when the request has been fulfilled. 

Where processing is conducted on the lawful basis of legitimate interest, has Best Companies conducted a Legitimate Interests Assessment? 

Yes. Available on request, this can be provided to a client for consideration and use in demonstrating their compliance.  

Does Best Companies outsource any of its research to third parties? 

No. All research we conduct is completed by Best Companies. 

What security and technical certification standards have Best Companies or employees achieved? 

  • Best Companies: 

    • ISO 27001 

    • ISO 9001 

    • PCI-DSS 

    • Certified Supplier FSQS Hellios 

  • One or more individuals across Best Companies has achieved: 

    • ITIL Certification Foundation & Intermediate 

    • Microsoft Certified Professional 

    • IBITG GDPR EU Certification 

    • Certified Data Protection Foundation & Practitioner 

    • Certified Data Protection Officer 

    • AI Privacy Practitioners

What memberships or associations does Best Companies hold? 

  • Cyber Security Information Sharing Partnership (CiSP) 

  • CNR network reporting 

  • Cyber Wales 

  • National Association of DP & FOI Officers (NADPO) 

  • Registered with the Information Commissioners Office 

  • Forum of Private Business 

  • Founding Member of Data in Social Housing (DiSH)

  • Charter Member for Women in AI Governance (WiAIG)

How else does Best Companies demonstrate compliance? 

Includes but not limited to: 

  • Policies implemented across the business (e.g., Information Security Policy) 

  • Ability to facilitate Data Subject Requests 

  • Documented procedure and reporting templates in the event of an incident 

  • Contracts in place with Suppliers that meet GDPR requirements. 

  • Organisation audit (6 months), security posture monitoring (continuously) – Internal  

  • External Vulnerability Assessment and Penetration Testing (Annual) 

  • Drive encryption of company devices (laptops, desktops, mobiles) 

  • Due Diligence on new suppliers with ongoing annual reviews 

  • Data Protection Impact Assessments conducted where required. 

  • Documentation recording our data processing. 

  • Ability to restore availability and access to data in a timely manner. 

For additional support please call us on 01978 856222, or click the 'Get in Touch' button at the top of this page.