Attachment_J_OMB_IpsosPrivacyCommitment

ATTACHMENT J 
Statement of Ipsos’s Commitment 
to Privacy and Data Protection 

J–1

– 
This page is intentionally blank. 

J–2

28 February 2018
Ipsos commitment to Privacy and Data Protection
Context

The General Data Protection Regulation issued by the European Union (“GDPR”) and effective 25 May, 2018, is
a further evolutionary step in the protection of the privacy rights of individuals (for example, tighter restrictions
around consent, the right to be forgotten, the type and amount of personal data that can be utilized, data access
and security, etc.) beyond those protections that have already been in place for some time in the European Union
and in many other countries around the world.
As such, the protection of personal data is, and always has been, a top priority for Ipsos as a leader in the Market
Research industry and producer of information about people. Ipsos is compliant with the guidance and
requirements of the professional code of conduct applicable to all registered market research companies
(ICC/ESOMAR International Code on Market, Opinion and Social Research and Data Analytics1) and all current
existing local regulations, especially as far as the protection of respondents’ data is concerned.
In addition, for many years, Ipsos has adopted the 4Ss approach in its business. The 4Ss stand for Security,
Simplicity, Speed and Substance, with IT Security and Information Management policies being an integral part
of Ipsos’ policies for many years.
Ipsos took a proactive approach to ensure the safeguarding and protection of the personal data of its customers,
respondents and employees. To that end, last year, Ipsos launched a global privacy programme led by a multidisciplinary team (i.e., its CPO, IT, Legal, Quality, HR and Marketing & Communication departments) to work on
achieving GDPR compliance by 25 May 2018, focusing first on the European Economic Area (EEA) countries.
Moreover, by the end of 2018, Ipsos intends to also implement the GDPR requirements in all 89 countries where
it operates.
Ipsos has already taken many actions to comply with the GDPR; with some of the main actions including but not
limited to the following:
1.

The nomination of a global Chief Privacy Officer (CPO) and local Data Privacy Officers (DPOs)

On 1st March, 2017, Ipsos appointed a global Chief Privacy Officer, Mr. Rupert van Hüllen.
The role of the CPO is to guide and coordinate Ipsos’ global compliance efforts on data protection and privacy
and to manage the local Data Protection Officers who have been appointed for each country in which Ipsos
operates. Their mandate is to ensure that personal data are appropriately treated and protected.
2.

Anonymised data and access security

-

For respondents

Ipsos uses anonymization techniques to protect respondents’ personal data as part of its data collection
operations so that access is restricted to its fieldwork teams in its operations units solely on a need to know
basis. Ipsos applies the same policy and care for customer provided samples and for Ipsos online panellists
and off-line respondents.

1

ICC/Esomar International Code on Market, Opinion
(https://www.esomar.org/what-we-do/code-guidelines)

J–3

and

Social

Research

and

Data

Analytics

-

For our employees

The access to employees’ personal data is strictly limited to the relevant staff in charge of human resources
management.
3.

Employee training

Ipsos will launch an extensive employee training program in March-April 2018to ensure a high level of data
protection awareness and data protection adherence across the Ipsos group. Our customers expect that
Ipsos employees are compliant with GDPR and other applicable data protection legislation. Ipsos is
implementing a worldwide training program concerning data protection (including GDPR requirements) for
relevant staff.
4.

Encryption

Ipsos implemented various encryption solutions, notably on all employees’ laptops.
Regarding its (software) applications, Ipsos is taking measures to encrypt certain panel applications as well
as databases containing special (sensitive) categories of personal data such as data concerning health,
political opinions, etc.
Lastly, when it comes to its employees, Ipsos’ main human capital management system, called “iTalent,” is
fully encrypted.
5.

Suppliers

Ipsos enforces procedures in order to select suppliers processing personal data based on their capacity to
comply with Ipsos’s data protection requirements. This means that all suppliers must sign an agreement
with Ipsos including data protection clauses at least as strict as the ones Ipsos signs with its customers, and
that no supplier can transfer any personal data outside the EEA unless they agree to appropriate safeguards
and obtain customer consent. Additionally, our suppliers cannot subcontract part of the personal data
processing services to sub-processors without Ipsos prior approval.
6.

Data transfers

Ipsos put in place some contractual measures for cross border data transfers within Ipsos and with its
suppliers. When a data transfer is required in a country recognized as not having an adequate level of data
protection, Ipsos ensures that EU Standard Contractual Clauses are in place, implementing appropriate
technical and organisational measures for the protection of the personal data.

Ipsos remains committed to protecting the personal data of its customers, respondents and employees. If
you have any questions or require any further clarification, please contact our Chief Privacy Officer, Rupert
van Hullen, at [email protected] who will direct your question to the appropriate person.

J–4

GAME CHANGERS
« Game Changers » is the Ipsos signature.
At Ipsos we are passionately curious about people, markets, brands and society.
We make our changing world easier and faster to navigate and inspire clients to make smarter decisions.
We deliver with security, simplicity, speed and substance. We are Game Changers.
Ipsos is listed on Eurolist - NYSE-Euronext.
The company is part of the SBF 120 and the Mid-60 index
and is eligible for the Deferred Settlement Service (SRD).
ISIN code FR0000073298, Reuters ISOS.PA, Bloomberg IPS:FP
www.ipsos.com

J–5