Impact of GDPR Survey 2019

BMG Research Ltd (BMG) is undertaking a telephone survey for the Department for Digital, Culture Media and Sport (DCMS) and RSM UK Consulting LLP (RSM). The aim of the survey is to assess the impact that the General Data Protection Regulation (GDPR) has had on the cyber security outcomes of UK organisations. The findings will be used to inform the Department’s comprehensive review of the UK’s cyber security incentives and regulatory landscape.

BMG Research is contacting organisations across the UK to carry out the telephone survey. Interviews will last around 20 minutes and we can arrange an appointment to call at a convenient time for you.  We are an independent market research agency which abides by the Code of Conduct of the Market Research Society and the General Data Protection Regulation (see hyperlinks to both below). Any information you provide will be treated in the strictest confidence, and all data is reported to DCMS and RSM in an anonymised form.

For more information about the survey please contact Emma Osborne, Associate Director at BMG Research on 0121-333 6006, or by email at . More information about BMG Research can be found on our website:

Your assistance to help make this survey a success is highly appreciated.

To access the MRS Code of Conduct: of conduct

To access information about GDPR in the UK:

BMG Research is a market research company registered in England with the company number 2841970. Our registered office is at Beech House, Greenfield Crescent, Edgbaston, Birmingham, B15 3BE.

Privacy Notice – Impact of GDPR on Cyber Security Outcomes Survey (2019)

What is this Privacy Notice about and how does it relate to you?

You are likely to be reading this Privacy Notice because you have either taken part in the Impact of GDPR on Cyber Security survey (2019) or are considering taking part. This Privacy Notice explains what personal data we will collect from you in relation to the survey and what we will do with it.

In addition to the information stated in this Privacy Notice, BMG Research is bound by the Market Research Society Code of Conduct (; Tel: 0800 9759596) and we are wholly committed to meeting the requirements of the General Data Protection Regulation on data privacy.

Please read this Notice in order to ensure that you are happy with how its contents affect you. Participation in our research surveys is entirely voluntary, and if you have taken part in this survey we will take it to mean that you agree with the terms of this Notice. However, if you are not happy with the terms of this Notice you should not participate in the survey, or if you have already participated you are still entitled to ask that part or all of your interview and/or personal details be destroyed or deleted and we will carry out such a request. We tell you below how to contact us.

Before completing the survey, the interviewer will ask you to confirm that you have read and understood this Privacy Notice.

Why have we contacted you and where did we get your details?

BMG carry out market and social research on behalf of their clients – in this case RSM and ultimately the DCMS (RSM’s client) – to gather and present the opinions of the public or businesses directly to the people making decisions about products, services or public policy. We never sell, market or promote any products or services that might be offered by our clients.

For the Impact of GDPR on Cyber Security survey (2019), BMG have been provided with contact data by DCMS who have sourced a limited amount of personal information relating to around 75,000 organisations from the Inter-Departmental Business Register, which is a list of UK businesses (including some charities registered as businesses) maintained by the Office for National Statistics (ONS) for statistical purposes. The ONS data was securely shared between ONS and DCMS on 10th October 2019 under licence for a limited time until 30th June 2020, whereupon it shall be securely destroyed by BMG and DCMS.

Whilst much of this data is business in nature, some of this data may be personal information. The personal data relates to:

General information about how DCMS handles personal data can be found here:-

What personal data is collected?

BMG collect information through surveys conducted on the telephone, online, face to face or by post.  We might also collect feedback and information from group interviews or workshops.

We only collect personal data about you that is relevant to the purpose of the particular survey we are conducting at that time. Personal data means in this context your name, address, email address, telephone number or online identifier.

We will protect the confidentiality of your information in accordance with our normal data handling procedures and all legal requirements. We will not use it for any purposes other than those which are set out in the surveys and in this Notice.

What is DCMS’s legal basis for processing personal data?

DCMS requires a legal basis to process your personal data. DCMS’s legal basis for processing your personal information is public task. We are providing this information on a public website as it would involve a disproportionate effort to contact over 75,000 organisations about the information we hold, for this statistical purpose task.

How long will DCMS retain personal data?

DCMS will only retain any personal data for as long as is necessary to support this research. For this project, DCMS will securely remove your personal data from our systems by 30th June 2020. DCMS will also instruct RSM (who will in turn instruct BMG) to securely remove any your personal data from our systems by 30th June 2020.

How long will BMG retain personal data?

BMG only keep your information for as long as is necessary. BMG will not retain any  personal data beyond the 30th June 2020; it will be deleted by that date and once deleted BMG will no longer hold any copies. If, at any time, you withdraw your consent to our processing your personal data, BMG will delete your personal data at that point and no copies will be held by BMG.

Your Rights?


As mentioned above, DCMS has collected this data under the legal basis of public task. Under this basis, when it comes to the data DCMS holds, you have the right to do the following:

If you wish to lodge a complaint about how your data was handled, or if you have concerns about how we have processed your data, you can contact the ICO at, or telephone 0303 123 1113. ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

BMG Research

Your co-operation in our research surveys is voluntary at all times regardless of what the survey is about or who our client is.

You are entitled at any stage to ask that your personal data, or part or all of the record of your survey responses, be destroyed or deleted and we will carry out such a request. This can be requested during the interview itself or afterwards (using the contact details below).

You have the right to access any personal data that we process relating to you. We may ask for verification of your identity before releasing any information to you.

In instances where surveys are taking place over a period of time, we would wish to ensure that any personal data we hold for you is accurate.  Therefore, if any information you have provided changes, you have the option to let us know and we will advise at the time whether or not it is appropriate to update any records we hold.

If you have any complaint in relation to how we process your personal data you are entitled to ask the Information Commissioner’s Office to review the matter. Details about how to contact them are on their website at

How do we use your personal data?

BMG may use your personal data in the following ways:

What information is shared with the DCMS (the survey commissioner)?

Typically survey results will be reported in an aggregated format, by that we mean that your responses will be combined with all other responses we have collected and shown as a total combined number or a percentage of the total.

On rare occasions BMG might wish to share personal data that we have collected as part of the survey with the client in a format that would make it attributable to you.  On those occasions where this is the case, we would only do so after we have explained to you what we want to do and obtained your permission to do so.

Do BMG share your personal data with anyone else?

DCMS is the controller in respect of this survey, with RSM being a processor to the DCMS and BMG being a sub-processor.

Data collected through this survey will be shared with RSM for analysis and reporting purposes. There may be some rare instances where we may be required to disclose your information without your prior consent, for example:

How we keep your data secure

BMG are committed to keeping personal data secure and take all reasonable technical and organisational measures to protect personal data from loss, misuse or alteration.

Only authorised employees and contractors or partners carrying out authorised business functions are allowed to access data or databases held by BMG Research.

We inform and update our employees about our policies and procedures regarding confidentiality, security and privacy, and we emphasise the importance of complying with them at all times. Our security procedures are consistent with or exceed generally accepted commercial standards used to protect personal data. BMG Research employees are required to sign a Confidentiality Agreement in which they agree to keep all project and respondent personal data confidential. Employees who violate the Confidentiality Agreement are subject to disciplinary actions, including termination of employment when appropriate.  Any employee found to be in breach of the law will be reported to the relevant authorities.

BMG have contracts and agreements in place with all contractors or partners who have access to survey information, including RSM. As a minimum these contracts and agreements require contractors and partners to keep any information we provide to them confidential; we are not permitted to use this information for any purpose other than to carry out the services we are contracted to on behalf of RSM and ultimately DCMS.

Where is your data processed?

All data is processed within the UK and no personal data is transferred to countries outside the UK.

How to Contact us

If you have any questions about this Privacy Notice or want to get in touch about the survey please email:

If you have been contacted by BMG and use this email address to request your details be removed or deleted from our systems please include any relevant references in your email so we can locate you in our lists, e.g. the telephone number on which we called you, or your address.

Effective: 23rd September 2019