Last updated: 22/10/2021
Here at Best Companies, we care about being transparent in how we use the personal data we receive. Please read our privacy notice below to understand what we do, and how we do it.
Who are Best Companies?
Hi, we are Best Companies, the workplace engagement people. We want to help make the world a better workplace. It’s something we really care about. We care because we truly believe that people who are fully engaged at work feel happier and more secure, which makes them more productive. To achieve this, we live by our five key principles Care, Humility, Responsibility, Hunger and Discipline.
True employee engagement is a journey, not a destination. We work with organisations to provide them with the information they need to understand what it is really like to work for them.
Best Companies provides the standard for workplace accreditation. Accreditation tells your clients, partners, investors and employees that your organisation understands the importance of workplace engagement and genuinely values its people.
Best Companies is also the company that provides the research and data analysis, for The Best Companies to Work For Lists, recognising the very best companies, nationally, in sector and regionally.
The Best Companies Accreditation and Best Companies to Work For Lists uses our academically developed methodology. Our unique system looks for patterns, connections and correlations between employee responses, thus ensuring those that make a list or achieve a Best Companies Accreditation are truly worthy of being branded a ‘Best Company’.
Today we work with some of the world’s best-known organisations: measuring, improving and recognising great workplace engagement. Please visit our website at www.b.co.uk/about to find out more.
The below information outlines the processing we undertake.
The personal data we receive, directly from an individual completing a survey or from an organisation that we are providing a service to, or an enquiry from, will be used for the purposes outlined below.
We will never sell your personal data to anyone, ever.
Why and how do we collect information?
Our main purpose for holding your personal data is to provide the organisation you work for with the tools and expertise that will enable them to monitor engagement over time and improve. The features, services and websites we provide offer an accurate insight into the engagement levels within an organisation to assist them to monitor, meet and inform their people strategy needs.
We also use the statistical data we collect for research purposes with the goal of discovering useful information, informing conclusions, and supporting decision-making into better understanding of employee engagement.
Please watch the video in the link below to understand how we use the data we receive.
We collect information through various ways. Below outlines, how we collect the information we hold:
Completing a b-Heard survey: The b-Heard survey can be received three ways, a) electronic survey (via email) b) paper survey c) login code (complete survey online by inserting a code). Your employer will decide which type or combination of survey, best suits your organisation. Each survey is allocated to an individual, this is important as Best Companies needs to know who you are and where you sit in the organisation structure, so we can create meaningful insightful reports for your organisation. You will notice there is nowhere to write your name. This is because we want you to be able to answer the b-Heard survey honestly, and for your survey responses to remain anonymous to your employer. Therefore, we can identify you, but your employer cannot.
We will ask you a range of questions about your employer, your manager, the management team and in some cases information about you. This ensures we accurately measure your organisations overall engagement and generate a customised report for your workplace. It is important that you answer honestly, so that your employer receives a true reflection of their employee engagement stance. This means they get the information they need to improve. Data collected through a b-Heard survey will become part of the Best Companies database which holds over 5 million responses. Survey responses do not become part of your employer's dataset, so we can ensure that your responses are protected and remain anonymous. The Diversity survey we may be asked to include with the b-Heard survey is to assist your employer with ensuring equality of opportunity or treatment within your workplace.
Requesting further information: Where you request further information on our services, you may be asked to provide your email address. In providing your email address, you consent for us to contact you in relation to your enquiry and to receive information on related services we provide. You may withdraw this consent at any time.
Businesses that use our Services: The services we supply to your employer requires them to provide certain personal data to us about you, for us to provide the services. Please read the information below to understand how we use the data we are provided to provision the services.
Best Companies Accounts: Your employer will nominate personnel within the organisation or an external consultant to manage the process, review and access the reports, and provide additional information to allow Best Companies to provide the purchased services. Those individuals provided with Best Companies accounts may include your organisation project manager(s), managers and/or your employers 3rd party consultants. The employer will determine who receives access to our website services such as The Dashboard, Workplace Insight Tool and MC³. In some of the websites, you may personalise your experience such as by uploading your photo. Where you choose to add content to your Best Companies account, this may be visible to others within your organisation where granted access and Best Companies employees where they have a requirement to access your account to provide the services. For data collected within our onsite applications, Best Companies is the Data Controller. Applications Privacy Notice
Feedback Surveys: We may contact individuals from time to time for feedback on the services we are providing, including Project Managers and your Awards Evening organisation contact. Please be aware that we may at times use a 3rd party survey platform to conduct anonymous feedback surveys. You may opt to identify yourself within the feedback survey; this is for us to respond to you directly in relation to the experience you have received.
Your Data, Your Rights: You have a right to be informed of personal data processed by Best Companies, a right to request rectification/correction, erasure and to object to the processing. You also have the right to request access to your personal data. We can only adhere to a request if we hold personal data about you and are able to identify you. Where your employer provided the information to us, they are the Data Controller and you will need to send your request to them directly. We will forward all requests we receive to the Data Controller. Due to the extent of the processing Best Companies conducts, Best Companies also becomes a Data Controller in their own right separately to your employer. We recognise your employer as the main controller of data they have shared with us. Therefore, we will only continue holding personal data on their instruction in relation to the services, which we only retain in the invested interest of the employer for the provision of the services. The final decision on a request in relation to rectification, objection, or deletion for any personal data that we store on behalf of your employer is with your employer who requested the services. Whilst your employer will consider a request, they may not be able to accept your request, where they require us to retain the data in their legitimate interest for the provision of the services. Where Best Companies has collected personal data directly from you such as through the b-Heard survey we are the Data Controller of this information. You can register a complaint about the handling of your personal data with the ICO, who are the supervisory authority for UK GDPR. www.ico.org.uk/concerns
Publication and recognition in association with Best Companies
The organisation PR representative and/or Project Manager(s) contact may be contacted where an organisation is successful with receiving an Accreditation or List position. We may on occasion share these contact details where we are required to outsource to external writers for conducting interviews and writing editorial pieces. The names and contact details of the appropriate organisation representative are provided by the employer within the organisation questionnaire, which is completed during survey setup.
What information do we collect?
The b-Heard Survey Process
Where an employer or individual representing an entity has accepted our Terms of Service Agreement to receive the purchased service.
For all survey types, we require the first name, last name, and a unique number/payroll number of all your UK employees. This is to ensure data accuracy, quality control and fair processing.
When surveying by Paper or Login Code by Post, we require the destination that the survey needs to be delivered to (Survey Delivery Location) e.g., head office, this will then be printed on the covering letter/Login Code by Post survey to assist with distribution.
Where employers opt for electronic survey delivery, we will require the employees email address. In line with best practice for security purposes, an electronic b-Heard survey (sent from firstname.lastname@example.org) email will be personalised to the employee, this is to assist in identifying a genuine email from Best Companies. We have also found there is a higher response rate when surveys are personally addressed.
To get the most out of the reporting and your employer’s investment in our services we may also require employers to provide demographics in advance; this saves the individual time in completing the survey and ensures data accuracy for the anonymous reports we create. These demographics include Employment Group, Manager Name, Job Grade, Date of Birth, Employment Start Date, Gender, Contracted Weekly Hours, Salary Band.
All details provided to us by your employer will remain hidden, as we do not need to request this information again from you. Information that we need you to complete will be displayed for you to fill in.
Where we receive an employment start date and date of birth, this is converted and saved as a banding as part of the processing. The individual date of birth and start date entries are deleted from our systems on the release of the reports to your employer.
Anonymity is the biggest concern individuals have when they complete a b-Heard survey. For voices to be heard and actions to be taken, we require you to answer your b-Heard survey truthfully. Incorrectly responding to a b-Heard survey, you are rendering the survey as useless and therefore the result meaningless. Please be assured your individual responses are never accessible by anyone associated with you or at your workplace. Please be assured we will always keep your survey responses confidential.
Where employers have a duty to monitor diversity levels, they may request that we include a diversity questionnaire alongside the b-Heard survey. Where this additional questionnaire has been requested, you may be asked to provide responses to questions that are deemed to be more sensitive to you e.g., race, religion, sexual identity, gender identity and disability. We will be the Data Controller of this data as we are for your responses to the questions on the b-Heard survey. Your individual survey responses will not form part of your employer’s dataset.
Diversity reporting: Where the diversity questionnaire is used, we will provide your employer with a report of the total counts of each diversity field. To comply with the general equality duty, some organisations need to have an adequate evidence base for their decision-making. By collecting and using the equality information, we may work with organisations to create bespoke reporting (on request) to better understand the needs of staff from different protected groups and thereby improve the efficiency of the organisation.
Before you complete the diversity questionnaire, we will inform you the information that we are about to collect is considered to be more sensitive and is to assist your employer in monitoring diversity levels for the purpose of equality of opportunity or treatment. Our research team will then use the collated diversity data responses, with the goal of discovering useful information, informing conclusions, and supporting decision-making into better understanding of equality.
Your individual responses will remain anonymous. This processing is conducted under the lawful basis of Article 6(f); the lawful condition of Article 9(2)(j) and in accordance with Article 89(1) of the GDPR.
At the end of the survey, you will be provided the opportunity to give direct feedback to your employer. We will not identify you with the feedback, however, do take care not to identify yourself when providing feedback with these comment boxes, these individual responses will be provided to your employer as anonymous feedback.
Our websites and cookies
We collect usage data, such as information collected by cookies (with your consent) about the Best Companies pages viewed, links clicked, and other actions taken when accessing our website or services; activities, interactions, and other computer and connection information (such as IP address) relating to use of our website and services. This information is used to evaluate how users use our websites, and to compile statistical reports on activity for us. We will use this information to improve our websites, by making them more user-friendly, more valuable, and easier to use. Third-party analytics software will not share your personal data or associate your personal data with any other data held by them.
Best Companies Live
Best Companies Live, join us for our quarterly list reveals and the quarter 4 reveal of the national ‘Best Companies to Work For’ list reveals. The world’s largest employee engagement event.
The online event(s) will see us reveal each quarter the very best organisations competing for the end of year’s Best Companies to Work For. The end of year hybrid event reveal includes all our regional, sector and national lists, as well as hosting the conversation around the future of the workplace. Throughout the day we’ll present ‘Special Awards’ to those who have excelled in the areas such as Leadership, Wellbeing, Personal Growth and more.
The events cover why employee engagement is and will continue to be critically important for organisations to building back better post-pandemic. There will also be discussions and celebrations for the organisations that are the very best in engagement. Find out more and register for the event. https://www.bestcompanies.live
If you are an individual who has made a nomination or been nominated to be recognised as a Great Manager, this is a separate initiative not covered by this privacy notice, please read the privacy notice for this initiative at https://www.greatmanager.co.uk
2Q Instant Insight Service
If you are an individual or your employer has registered for the 2Q Instant Insight, this is a separate service not covered by this privacy notice, please read the privacy notice for this service at https://2q.b.co.uk
We're looking for awesome people...
You can apply directly for positions through our website Join the Best Companies Live Team
We also display links and content to other websites that are not owned or controlled by Best Companies such as Vimeo Privacy Notice and YouTube Privacy Notice. Please be aware that we are not responsible for the privacy practices of such other websites or third parties. We encourage you to be aware of when you leave our websites and to read the privacy notices of each website that collects personal information.
We have implemented Google Analytics for tracking events, location and page hits that assist us in the improvement and optimisation of the analysis of data supplied via the Best Companies platform for content enrichment, our marketing activities and lead generation purposes, including Google location API. Please view the Google privacy notice to view any necessary notices or consents for the collection and sharing of the data with Google.
Website registration and web forms
When you register to the website, you may be asked for personal information about yourself to register and/or download content. This information may include, but is not limited to, your name, the company you work for, your e-mail address and telephone number. By providing this information, you are consenting to us contacting you in relation to your request or enquiry. We will only collect information from you that is necessary for us to provide you with any services or assistance connected with your enquiry. If you would like more information on our services, do get in touch by completing our online enquiry form at https://www.b.co.uk/contact. You may withdraw your consent at any time.
Best Companies uses WorldPay a third-party service provider for managing credit card processing. WorldPay does not store, retain, or use billing information except for the purpose of credit card processing on Best Companies behalf.
At the Awards evening we will take images of winners of the awards and attendees at the event.
These images will be released into the public domain and used to promote the Awards evenings and The Best Companies to Work For Lists by both Best Companies and publishing partners, they may also be used by organisations for them to promote their achievement. We may also collect from you on the night of your Awards Evening, with your consent, your name, organisation name, and email address. This is to provide you with the images taken of you and your colleagues at the photo booth. The contact data collected on the Photo Nomination Voucher(s) will be retained by the photographer (the data processor), for a period of 3 months, to assist us with any enquiries and by Best Companies (the Data Controller) for a period of 12 months. You may withdraw your consent and ask us to remove your personal data from our systems at any time.
Data Protection by design and default
Best Companies is dedicated to protecting all personal data we receive in line with industry standards and best practise. All data is only accessible by authorised personnel and Best Companies employees who are all contractually subject to confidentiality. We take all reasonable steps to protect information we receive from you from loss, misuse or unauthorised access, disclosure, alteration, and/or destruction. We have put in place appropriate physical, technical, and administrative measures to safeguard and secure your information, and make use of privacy-enhancing technologies such as encryption. An external auditor conducts an annual vulnerability assessment and penetration test on our systems. We also continually monitor our security posture as part of our ongoing risk management strategy.
Best Companies has achieved ISO 27001 the information security standard and the ISO 9001 quality standard. We have been independently verified and certified for Cyber Essentials Plus, which is a UK Government-backed cyber security certification scheme. We are also registered with the Information Commissioners Office. Our internal Data Protection Officer monitors our ongoing processing operations to ensure they are lawful and compliant with data protection laws and regulations, such as the UK Data Protection Act 2018, the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulation (PECR). We view our compliance, as GDPR aligned. We continue to focus on ongoing GDPR requirements, such as evaluating the data protection impact of new products and services on our users’ personal data and training employees about protecting the privacy of personal information. We have documented procedures for Incident Management and Data Subject Requests and have implemented appropriate company policies to protect the data we hold.
To provide the purchased services we use a select number of trusted external service providers. These service providers are carefully selected and meet with high data protection and security standards. We only transfer information that is required for the services offered and we contractually bind them to keep any information we share with them as confidential and to process personal data only according to our instructions. These service providers are also known as data processors, who we use for the provision of our services. Personal data is stored within the United Kingdom and European Economic Area (European Region). Personal data is not transferred outside of these areas.
Best Companies data processors:
Microsoft Azure and SQL database: (Location: United Kingdom, Netherlands) Required to host our live websites and to store and process the site files and data.
Barracuda Networks: (Location: United Kingdom) Data from our on-premise server cluster, is replicated securely to the Barracuda data centre to provide our offsite cloud backup.
Mailgun Technologies: (Location: Germany) Required to manage our transactional email delivery to clients.
Data Send UK: (Location: United Kingdom) A secure way to transfer large files or confidential information to Best Companies, which we may also use to transfer data at your request securely to an individual or organisation.
Salesforce: (Location: European Economic Area) Used by Best Companies to maintain business operations, customer relationship management.
FreshWorks and FreshService: (Location: European Economic Area) Used by Best Companies to maintain business operations, and IT service management.
As part of the service provision some of the data processors may transfer the data to a different country than stated above e.g., for Geo-redundancy. For the avoidance of doubt the transfer will only be within the European region.
International transfers of personal data
On the 28th of June 2021, the EU approved an adequacy decision after determining that the UK had an “essentially equivalent” level of data protection to the EU, meaning that data can continue to flow between the EU and UK as it did before, in most circumstances. This decision is expected to last until the 27th of June 2025; however, the European Commission must monitor developments in the UK on an ongoing basis.
Best Companies is located in the UK and our data processors that are assisting us in processing personal data, are located within the UK and the EEA. No personal data will be transferred outside of the UK/European Region. As part of the service provision some of the data processors may transfer the data to a different country for Geo-redundancy. For the avoidance of doubt the transfer will only be within the European region.
As part of our considerations, Best Companies has instructed Ametros Group as our EU Representative in accordance with Article 27 of the GDPR for EU supervisory authorities and EU citizens. Individuals situated in the EU wishing to request their individual rights may either contact Best Companies directly or Ametros Group.
Where required we will enter standard contractual clauses agreements with clients, please return a counter signed copy of the EU Standard Contractual Clauses agreement (available on request from email@example.com or which can be accessed here). Please contact us for a copy agreement where electronic signature is required.
Lawful basis for the processing
The processing between Best Companies and your employer does not rely on consent, processing is completed under the legal basis found in Article 6(1)(f) of the GDPR in that the processing is necessary for the organisation’s legitimate interests. The employer has legitimate interests in sharing the data, for Best Companies to process, to measure employee engagement in the organisation; to inform the people strategy; and to improve engagement in the workplace. Processing is required to ensure that the organisation is a good employer; who are looking after their employees; being recognised as a ‘Best Company’ on gaining an Accreditation or place on the List(s); for the positive national PR; and retention and attraction of top talent. Best Companies and your employer share personal data between our companies on the legal basis of legitimate interest.
The UK Information Commissioners Office acknowledges that companies may have a “…legitimate interest in processing data as long as the processing does not have a disproportionate impact on the individual.” On balance, the legal basis of legitimate interest against the individual impact: the services are reasonable, the company’s interests in the services appear compelling, and with there being little impact on the individual. The services are not considered high risk processing.
Best Companies processing for research purposes
Best Companies conducts additional research on the survey responses and demographical data under the lawful basis of Legitimate Interest as sole Data Controller, under the GDPR historical, scientific and statistical research is deemed compatible processing. This processing is required for:
- the statistical research, which is required to assist employers with understanding how employee engagement impacts their organisation in comparison to other organisation
- production of best practise content
- the ability to provide comparative historical research
- new learning for the benefit of the wider society in the form of white papers, case studies and articles
To the extent possible all data provided to our Research and Data Insight teams for the above research purposes is pseudo-anonymised.
Information regarding our MC³ Product
MC³ is intended as a development tool for organisations to reflect on what they are getting from their managers and their relationship with their team. MC³ should be used and considered as a resource, and when reviewing data, the organisation should consider the wider context of the team. The purpose for MC³ is to help focus managers on those areas that will make them great people-managers.
The UK Data Protection Act 2018, which includes the General Data Protection Regulation, advises that you can carry out this type of decision-making when it is necessary for the lawful basis of performance of a contract. Therefore, where your organisation purchases the MC³ product, the lawful basis of this product is Article 6(1)(b), where processing is necessary for the performance of a contract, to which the data subject (employee) is party. Your organisation will have a contract of employment with the employee that MC³ is reporting on, which will include clauses, or can reasonably refer to one or more of the following:
- managing a team
- completing the job function to a certain standard
- personal development
On balance, we have reasonably determined that MC³ benefits the individual by identifying where the individual is doing well and areas where they can focus to improve. This level of insight will not only benefit the organisation for meaningful conversations, but it can also really help the manager with their own personal development and becoming a better manager.
Your project manager within the organisation, to ensure individuals are aligned correctly to the reporting manager, will have reviewed the organisation hierarchy provided by the organisation for accuracy. Managers will be asked to verify their reporting structure at the end of the survey. MC³ is an automated decision-making process, should an individual disagree with the results, we are able to review manually. We recommend that organisations actively inform their managers that they have purchased the MC³ product and how to make best use of the learning outcomes.
We require a minimum number of survey responses, to provide MC³ reporting to ensure anonymity.
MC³ Manager Accreditation
Promoting your MC³ Accreditation
Employers have an invested interest for us to retain personal data for up to three years after the end of the survey year. Should an employer go through an organisation restructure or require further insight from the data, we can restructure the personal data held from the previous year(s) participation, to correlate the reports from the newest b-Heard survey. Following an organisation restructure, employers have a real need to understand the impact it has made on their employees. The ability to be able to alter the reporting to reflect the new organisation structure provides organisations with valuable data that reflects the true position of the organisation against those previous years surveyed.
We only continue to retain the personal data after the provision of services for the benefit of the employer. An employer can make a written request, at any time after the provision of services for us to delete the personal data we are holding on their behalf, should they no longer require us to retain the personal data. We delete personal data through an anonymisation process. We retain demographics and employee responses indefinitely to continue our research into employee engagement. To ensure fairness and transparency to the employee, we would not accept a request to extend the max retention period.
We use a process of anonymisation at the end of the retention period or earlier upon written request from the employer.
Anonymisation means we delete the personal identifiers, therefore anonymising the remaining statistical data for our continued research. This is in line with the Information Commissioners Office (ICO) anonymisation code of practice. The employee responses, which are attached to employee demographical data, are not removed; this would result in the inability to perform any future engagement reporting. This would also similarly affect benchmark data and where organisations are being assessed for Accreditation and a position on our List(s). The Data Protection Act and General Data Protection Regulation (GDPR) does not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.
We retain the statistical data for our continued research with the goal of discovering useful information, informing conclusions, and supporting decision-making into better understanding of employee engagement. Once anonymisation has been completed, we are unable to reverse this process.
Best Companies uses a third-party service provider for managing credit card processing. The service provider does not store, retain, or use billing information except for the purpose of credit card processing on the Company’s behalf.
Best Companies reserves the right to use or disclose information provided if required by law or if the Company reasonably believes that use or disclosure is necessary to protect the Company’s rights and/or to comply with a judicial proceeding, court order, or legal process. We will ensure the confidentiality of all survey responses unless we are required to reveal them in exceptional circumstances (in which case we will maintain as high a level of confidentiality as possible in those circumstances) or as required by law.
Privacy Notice Changes
Best Companies may make changes to this privacy notice to align with our operations and evolving laws. If we make changes to this privacy notice, we will post those changes on our website, Privacy Notice and in other appropriate places. We reserve the right to modify this privacy notice at anytime, so please review it regularly. If we make significant changes, we will notify you here, or by other reasonable means. This privacy notice is currently only available in English. In the event non-English translations of this privacy notice are provided, it is done so for convenience only. In the event of any ambiguity or conflict between translations, the English version shall always take precedence.
If you have a question regarding our processing, you can email or write to us your request to our Data Protection Office (contact details below).
Post: Best Companies Ltd, Hamilton House, Rackery Lane, Llay, Wrexham, United Kingdom, LL12 0PB
To individuals situated in the EU, please may contact us directly in regards to requesting your individual rights, alternatively Best Companies has instructed Ametros Group as our EU Representative in accordance with Article 27 of the GDPR for EU supervisory authorities and EU citizens (contact details below).
Post: Ametros Ltd, Unit 3D, North Point House, North Point Business Park, New Mallow Road, Cork, Ireland