The Evolution of Data Security and Privacy at C+R Research
Chief Technology Officer, IT
When it comes to data security and privacy, following the rules is a given, but having data security ingrained in your culture is something else. At C+R, this is a part of our DNA and is an integral part of our research process – something that has been infused in all our qualitative and quantitative research.
A Leader in the Protection of Youth and Family Research Data
Our first privacy milestone focused on protecting children’s privacy back in 2000, when we launched one of the first, fully COPPA (Children’s Online Privacy Protection Act of 1998) compliant children’s panel, KidzEyes®. COPPA requires a company to obtain verifiable consent from the parent or guardian of a child under 13 years old before collecting personal information from them online. At that time, C+R led the pack in COPPA compliance. At the launch of KidzEyes®, we collected consents via paper forms, completed and signed by the child’s parent or guardian. As technology progressed, we were able to switch to a more frictionless paperless yet compliant process. And our partnership with PRIVO, a leading expert in children’s online privacy, is a great resource as we continue to enhance our data security and privacy for our youth and family research.
Navigating New Legislations
Our auditable history in data security started shortly after the enactment of the Gramm–Leach–Bliley Act (GLBA). As our clients became GLBA compliant – mostly starting with our financial services clients – we knew that we would need to also be complaint to support our partnerships. We designed and implemented our first control framework aimed to protect the quality of our data as well as our client’s data. Over the years, our data collection department continues to test and expand our set of controls to address the changing risks and needs in the industry. Since the implementation of the first control framework, we hired an external auditing firm to test the authenticity of our controls. We felt this was necessary for us to do; we didn’t want to tell our clients “trust us, we have taken care of.” The proof is in the audits; initially called SAS70 audits and have since evolved and now called Soc2 Type audits.
As new risks and regulations emerge, we commission periodic assessments in addition to our annual audits to identify gaps, and we are always looking for ways to secure data for any research we conduct. Because of this, we have adopted the General Data Protection Regulation (GDPR) and the soon-to-be released California Consumer Privacy Act (CCPA) into our privacy framework.
And, as members of ESOMAR, we are able to tap into this valuable resource for information and guidance to help us navigate new legislations.
Given our clients’ jammed-packed schedules, they can breathe a sigh of relief because they know we take data security very seriously and have everything covered.