Compliance - FAQ
Sharing data with third parties
Our business is built on delivering anonymous research results. Survey responses are combined so we can deliver insights in easy to understand and use formats, such as statistical spreadsheets or aggregated reports, to our clients. Before we deliver any insights, we remove data we consider to be ‘directly identifiable’, such as an individual’s name or social media handle, and ‘indirectly identifiable’ data that we think could make it easier for an individual to be identified, such as a full postcode or date of birth.
While most of the insights we provide to our clients are aggregated and / or anonymous, there are some circumstances where we may be able to provide insights in an identifiable form.
- If you are using our proprietary panel– The first step is understanding what you would like to do with the information because there are certain scenarios in which we will not share personal data, for example if you want to contact our panellists for follow-up research or marketing purposes. Even if you intend to use the data for a permitted purpose, we will only provide identifiable insights if we have our panellists’ permission. Speak to your YouGov contact to find out more about this, or contact our Data Protection team at email@example.com.
If you are using your own sample– Because you are the data controller of this information, we are able to provide identifiable research insights – we would just need to work with you to ensure that we provide an appropriate privacy notice that clearly tells participants that their data will be made available to you in an identifiable form.
Yes, we share certain data with trusted third-party service providers that help us to provide our research services; for example, we share panellist email addresses with those companies that provide the technology we use to send survey invitations. We have appropriate contractual safeguards in place with all of the service providers to ensure that they have adequate security measures and do not disclose or use the personal data for any other purposes.
If you are a client and we are using your own sample for a project then it is important that you review and approve the sub-processors we use to help us provide our services to you.
When we work with you, we need to collect certain information about your employees so we can provide our services to you – for example, log-in details for our YouGov Profiles and YouGov BrandIndex tools, or the contact information for our key contacts. We are a data controller for this information because we use it so that we can provide our services – this means we are responsible for using the data in accordance with any applicable laws and regulations. You can find out more about the data we collect from our clients, and how we use it, in our Client Privacy & Cookies Notice.
Data security & storage
The security of the data we hold is a top priority for us. We take a multi-layered approach for ensuring that data is secure, and are proud to be certified to the ISO27001 framework.
You can find out more on our security practices here.
This means, for example, when using a sample that you have provided, we:
- Make sure the data is saved in secure folders, and put appropriate access controls in place so that access is provided only to those that need it
- Delete the data once it is no longer needed (as agreed with you) or on your request
In addition, all YouGov staff are required to undertake training in data protection and security
Yes, we encrypt the data we hold, both at rest and in transit.
All data on YouGov’s infrastructure, mobile devices, laptops and backup media is encrypted using industry standard encryption at rest. Data is also encrypted in transit over public networks using TLS which is an industry standard to protect against unauthorised disclosure or modification.
We use a combination of co-located, cloud and offline data storage providers to hold the data that we use to provide our services. The providers currently used are located in the European Union (EU) and the United States, and we ensure that any data originating from the EU is only stored in the EU.
You can find out about the data storage providers we use on our list of sub-processors.
YouGov Plc is certified to ISO27001:2013. The co-located data centres, cloud and offline data storage providers used by YouGov are also ISO27001 certified.
YouGov plc is also certified against Cyber Essentials Plus which is a UK Government backed scheme that provides external assurance of the existence of security defences to protect against the most comment cyber threats.
YouGov carries out weekly vulnerability testing on its external infrastructure as part of its vulnerability management program. YouGov also uses a third-party CREST accredited organisation for carrying out penetration testing on its infrastructure and applications.
Relevant summaries of penetration testing reports can be provided to clients upon request.
We may allow customer initiated testing upon request but this is subject to approval from our Information Security and Application teams.
Health and safety
No, YouGov does not have a health and safety management system certified to a particular standard. YouGov takes the health, safety and welfare of our employees and those effected by our activities very seriously. We operate a management system that is commensurate with the level of risk raised by our activities and the size of our business.
No, YouGov does not currently hold a recognised environmental management system certification. The company appreciates the impact which it has on its environment and takes appropriate measures to manage this, commensurate with the size of our business.
YouGov does not currently hold a recognised quality management system certification. The company maintains internal standards that are in keeping with the ISO 9000 (quality management) and has an ISO 27001 certified information security management system. The data centres where YouGov hosts its data servers have ISO 27001 and PCI DSS certification.
Anti-bribery and corruption
YouGov has a Group Anti-Bribery Policy which is available for panellists, clients and suppliers on request. If you require a copy of the Policy, please contact firstname.lastname@example.org. Our policies are made available to employees by the Company’s global intranet.
Yes, YouGov’s Group Whistleblowing Policy that is available for panellists, clients and suppliers on request. If you require a copy of the Policy, please contact email@example.com. Our policies are made available to employees by the Company’s global intranet.
You can view the publicly filed records of YouGov plc or any of our UK companies via Companies House (https://www.gov.uk/get-information-about-a-company). Companies House is the Register of Companies in the UK and shares most information free of charge. If you are unable to find the information you require, please contact firstname.lastname@example.org.
You can view our latest regulatory news service (RNS) announcements here.