We provide the majority of our research services by inviting members of our research panel (who we call ‘panel members’) to participate in surveys. Once an individual joins the YouGov panel, they are able to earn cash-redeemable points by completing surveys, and their survey responses are used to match panel members to future surveys (sampling) and to create research insights for our clients. To join one of YouGov’s research panels, individuals must agree to YouGov’s terms and conditions, and are given the opportunity to read YouGov’s panel privacy and cookies notices, which clearly explain the data that may be collected from panel members, and how it may be used.

YouGov is the sole data controller for all processing of personal data about panel members because we determine the purpose and means of processing.

Purpose

• Panel members expect an ongoing relationship with YouGov when they join the research panel, but do not expect a relationship with our clients unless they are specifically asked and agree to share identifiable data with a client:
  • Individuals join YouGov’s panel to participate in surveys, some of which are commissioned by clients (e.g. Omnibus and Custom Research) and others that are client agnostic (e.g. YouGov’s BrandIndex and Profiles tools).
  • In the vast majority of cases, YouGov’s clients are unknown to the survey participants, and the participants are unknown to the clients. While there are times where we may share identifiable data with clients, we would also obtain consent from our panel members and would put in place a controller-to-controller agreement as any client receiving identifiable panel data would become a controller in its own right.
  • Clients can only access the research panel through YouGov, and YouGov must first approve the project and launch it before any data is collected.
• Because YouGov owns the panel from a commercial and legal perspective, it has the final decision of which clients it will work with and which questions are asked.

Means

• Panel members are selected for projects by YouGov, using proprietary sampling methodologies.
• Survey data is largely collected using YouGov’s proprietary survey system (Gryphon), and we also have our own qualitative research methodologies.
• YouGov’s researchers are experts, who determine the most appropriate research methodologies and form of deliverables on a project-by-project basis.

We will consider any project that does not use panel member data on a case-by-case basis to ensure we agree the most appropriate processing relationship (although, in practice this will mainly be the case where we use client-provided sample, where we will be the data processor). However, YouGov must always be the sole data controller when using YouGov panel member data because this position forms the basis of all of the research we do with panel members and how our survey systems have been built. We have done a lot of thinking about this area of privacy law, and continue to monitor new case law and guidance, and while we acknowledge that this is a complex area that may give rise to different interpretations, we cannot change our position when carrying out research using our panel.

Our business is built on delivering anonymous research results. Survey responses are combined so we can deliver insights in easy to understand and use formats, such as statistical spreadsheets or aggregated reports, to our clients. Before we deliver any insights, we remove data we consider to be ‘directly identifiable’, such as an individual’s name or social media handle, and ‘indirectly identifiable’ data that we think could make it easier for an individual to be identified, such as a full postcode or date of birth.

While most of the insights we provide to our clients are aggregated and / or anonymous, there are some circumstances where we may be able to provide insights in an identifiable form.

• If you are using our proprietary panel– The first step is understanding what you would like to do with the information because there are certain scenarios in which we will not share personal data, for example if you want to contact our panellists for follow-up research or marketing purposes. Even if you intend to use the data for a permitted purpose, we will only provide identifiable insights if we have our panellists’ permission. Speak to your YouGov contact to find out more about this, or contact our Data Protection team at dataprotection@yougov.com.

If you are using your own sample– Because you are the data controller of this information, we are able to provide identifiable research insights – we would just need to work with you to ensure that we provide an appropriate privacy notice that clearly tells participants that their data will be made available to you in an identifiable form.

Yes, we share certain data with trusted third-party service providers that help us to provide our research services; for example, we share panel member email addresses with those companies that provide the technology we use to send survey invitations. We have appropriate contractual safeguards in place with all of the service providers to ensure that they have adequate security measures and do not disclose or use the personal data for any other purposes.

If you are a client and we are using your own sample for a project then it is important that you review and approve the sub-processors we use to help us provide our services to you.

When we work with you, we need to collect certain information about your employees so we can provide our services to you – for example, log-in details for our YouGov Profiles and YouGov BrandIndex tools, or the contact information for our key contacts. We are a data controller for this information because we use it so that we can provide our services – this means we are responsible for using the data in accordance with any applicable laws and regulations. You can find out more about the data we collect from our clients, and how we use it, in our Client Privacy & Cookies Notice.

The security of the data we hold is a top priority for us. We take a multi-layered approach for ensuring that data is secure, and are proud to be certified to the ISO27001 framework.

You can find out more on our security practices here.

This means, for example, when using a sample that you have provided, we:

• Make sure the data is saved in secure folders, and put appropriate access controls in place so that access is provided only to those that need it
• Delete the data once it is no longer needed (as agreed with you) or on your request

In addition, all YouGov staff are required to undertake training in data protection and security.

Yes, we encrypt the data we hold, both at rest and in transit.

All data on YouGov’s infrastructure, mobile devices, laptops and backup media is encrypted using industry standard encryption at rest. Data is also encrypted in transit over public networks using TLS which is an industry standard to protect against unauthorised disclosure or modification.

We use a combination of co-located, cloud and offline data storage providers to hold the data that we use to provide our services. The providers currently used are located in the European Union (EU) and the United States, and we ensure that any data originating from the EU is only stored in the EU.

You can find out about the data storage providers we use on our list of sub-processors.

YouGov plc is certified to ISO27001:2013. The co-located data centres, cloud and offline data storage providers used by YouGov are also ISO27001 certified.

YouGov plc is also certified against Cyber Essentials Plus which is a UK Government backed scheme that provides external assurance of the existence of security defences to protect against the most comment cyber threats.

YouGov carries out weekly vulnerability testing on its external infrastructure as part of its vulnerability management program. YouGov also uses a third-party CREST accredited organisation for carrying out penetration testing on its infrastructure and applications.

Relevant summaries of penetration testing reports can be provided to clients upon request.

We may allow customer initiated testing upon request but this is subject to approval from our Information Security and Application teams.

YouGov purchases a program of insurance appropriate for the business and our activities. If you have questions about insurance at YouGov, please contact us at governance@yougov.com.

YouGov purchases a program of insurance appropriate for the business and our activities. If you have questions about insurance at YouGov, please contact us at governance@yougov.com.

No, YouGov does not have a health and safety management system certified to a particular standard. YouGov takes the health, safety and welfare of our employees and those effected by our activities very seriously. We operate a management system that is commensurate with the level of risk raised by our activities and the size of our business. Our approach is defined in our Group Health and Safety Policy Statement.

No, YouGov does not currently hold a recognised environmental management system certification. The company appreciates the impact which it has on its environment and takes appropriate measures to manage this, commensurate with the size of our business.

YouGov does not currently hold a recognised quality management system certification. The company maintains internal standards that are in keeping with the ISO 9000 (quality management) and has an ISO 27001 certified information security management system. The data centres where YouGov hosts its data servers have ISO 27001 and PCI DSS certification.​​​

YouGov has a Group Anti-Bribery Policy. You can read a policy summary here. The full policy is available for panellists, clients and suppliers on request. If you require a copy of the Policy, please contact compliance@yougov.com. Our policies are made available to employees by the Company’s global intranet.

YouGov has a Group Anti-Fraud Policy. You can read a policy summary here. The full policy is available for panellists, clients and suppliers on request. If you require a copy of the Policy, please contact compliance@yougov.com. Our policies are made available to employees by the Company’s global intranet.

In accordance with the International Labour Organization expectations, YouGov supports the human right of all staff to associate freely, join or form a trade union, and bargain collectively. This commitment is outlined in the Group Freedom of Association Policy, which is available internally to employees by the Company's global intranet.

The policy can be made available for panel members, clients and suppliers on request. If you require a copy of the Policy, please contact compliance@yougov.com.

Yes, YouGov has a Group Whistleblowing Policy. You can read a policy summary here. The full policy is available for panellists, clients and suppliers on request. If you require a copy of the Policy, please contact compliance@yougov.com. Our policies are made available to employees by the Company’s global intranet.

YouGov is committed to respecting and and protecting human rights throughout our operations, including our supply chain. The Group Human Rights policy is available here.

YouGov’s statement on modern slavery and human trafficking is available here. The Group Human Rights Policy is available here.

All YouGov Suppliers are required to comply with a Business Partner Code of Conduct (the “Code”). This Code applies to any individual or business that provides YouGov with products or services – including all suppliers, sub-contractors, and business partners, and their officers, subsidiaries, affiliates, employees, sub-contractors, agents, representatives, and consultants.

If you have any concerns or would like to report an incident that violates this Code, please refer to our Whistleblowing Policy for the appropriate contacts.

Details of all registered offices are available here.

You can view the publicly filed records of YouGov plc or any of our UK companies via Companies House (https://www.gov.uk/get-information-about-a-company). Companies House is the Register of Companies in the UK and shares most information free of charge. If you are unable to find the information you require, please contact governance@yougov.com.

You can view our latest regulatory news service (RNS) announcements here.