
17 ways we keep your education market research data safe and GDPR-compliant

If you've not commissioned education market research with us before, here's how we keep the data safe, secure and compliant with GDPR regulations. You may also find our beginner's guide to education market research useful.


The processes that keep your research data safe

  1. We're registered with the ICO as data controllers
    We're registered with the Information Commissioner's Office, which is the UK's data protection regulator. This means you're working with a company that's been vetted by the authorities, follows recognised standards and is legally accountable to GDPR legislation. If anyone ever questions your market research, you can point to our ICO registration as proof you chose a legitimate and compliant partner.

     

  2. We follow the Market Research Society's code of conduct
    As members of the Market Research Society, we follow strict ethical guidelines that cover everything from getting proper consent to using data only for research purposes. These rules ensure participants know exactly what they're signing up for and that their information won't be misused. It also gives you peace of mind that you're collaborating with a professional education market research company. Our page on the Market Research Society explains more.
     

  3. Our data protection policy is available for all to review
    We have a formal privacy policy that spells out exactly how we collect, store, share and delete personal data. It's reviewed regularly and we're happy to share it with clients who want to see our approach. This gives you complete transparency about our processes and how we use your data. Click here to see our data protection policy.
     

  4. We only use UK and EU-hosted servers
    All our research tools and data servers are based in the UK or EU. This means your participants' information is never stored in regions not covered by GDPR, so you don't need to worry about complex international data transfer agreements or weak privacy laws in different jurisdictions. Everything stays within the same legal framework, removing any compliance headaches further down the line.
     

  5. We limit which researchers have access to our data
    Only researchers who are essential to the project can access personal participant data, and our systems require strong passwords and two-factor authentication (that's when you need both a password and a code from your phone to log in). This creates clear accountability, helps prevent unauthorised access and means there's always a trail of who accessed what information.
     

  6. All our devices have up-to-date security software
    All our devices have up-to-date antivirus protection and security software. We install new security patches as soon as they're released and we're also picky about which software and providers we use. This means your data is protected by the same enterprise-grade security that major organisations use, which in turn reduces the risk of malware or cyberattacks compromising your research.
     

  7. We operate a completely paperless office
    We don't print any participant information—everything stays digital and encrypted. That means there are no sensitive papers being left lying around on desks, in filing cabinets, or accidentally thrown away in the rubbish! Paperless data storage also makes it easier to track who accessed what and when, which means there's a complete audit trail.
     

  8. Our contractors sign NDAs and data agreements
    Any subcontractors we work with must sign confidentiality agreements and are bound to our strict data-handling and privacy policies. They can't store data on their own computers and access is time-limited - they can only view relevant data for the duration of their project.
     

  9. We collect minimal data for each project
    Instead of asking for lots of personal information, we only collect the bare minimum needed—less data means less risk. This information then gets stored in our secure project management system, which can only be accessed by authorised members of our team.
     

  10. Participants give their consent and know how their data is used
    We explain to participants why we're doing the research, how their data will be used, and remind them they can withdraw at any time. We go through this again before interviews or surveys start. We've also found that when people understand what's happening with their information, they're more comfortable taking part and tend to give better quality responses.
     

  11. Our recordings are saved to encrypted cloud storage
    For interviews, we use platforms like Zoom or Teams and save recordings in a secure, encrypted cloud storage instead of on computers. For surveys, we use professional-grade survey software which keeps everything on UK/EU servers, too. Any prize draw data gets removed before we start analysing the results.
     

  12. We use secure UK platforms for incentive payments
    We handle participant payments through UK-based platforms that are designed for market research. We don't collect or store anyone's bank details. This removes a major privacy risk for you, and means participants get paid quickly and securely without needing to share sensitive financial information with multiple parties.
     

  13. Our software automatically redacts personal information
    Our GDPR-compliant research analysis software automatically detects and redacts personal information from interview transcripts. This means names, addresses, phone numbers and other sensitive details are removed before analysis.
     

  14. We anonymise research before sharing it with you
    We only share anonymised insights with you—never information that could identify the participant. All reports use reference numbers instead of participant names, and any quotes are checked to remove personal details. 
     

  15. All data is deleted after six months
    We keep project data for six months after completion, then delete everything permanently. Automated reminders ensure nothing gets forgotten, and we have clear procedures for secure deletion that meet ICO standards.
     

  16. We have incident response procedures in place
    If there's ever a data incident, we have clear procedures for investigating and, if required, notifying the ICO within 72 hours. We'll also inform affected participants and work with you to minimise any impact. While we work hard to prevent incidents, having a solid response plan means you're covered if something unexpected happens.
     

  17. Any external data processors we use don't receive personal information
    If we use external companies to help process survey data tables, we remove all personally identifying details before sending files to them. These sub-contractors only receive anonymised research responses, never names, email addresses or contact information.

How can we help?

If you would like to ask our advice, book a no-obligation 30-minute consultation with us to discuss your research requirements or to simply have a chat and find out more about what we do.

Alternatively, use the briefing form to start discussing a new project, give Jill Elston a call on +44 (0)7703 462179 or email us at jill@insightfulresearch.co.uk
