Last updated: 12/10/2023
Here at Best Companies, we care about being transparent in how we use the personal data we receive. Please read our privacy notice below to understand what we do, and how we do it.
Who are Best Companies?
Hi, we are Best Companies, the workplace engagement people. We want to help make the world a better workplace. We truly believe that people who are fully engaged at work feel happier and more secure, which makes them more productive.
True employee engagement is a journey, not a destination. Guided by our five key principles Care, Humility, Responsibility, Hunger and Discipline, we work with organisations to provide them with the information they need to understand what it is really like to work for them.
Best Companies provides the standard for workplace accreditation. Accreditation tells your clients, partners, investors, and employees that your organisation understands the importance of workplace engagement and genuinely values its people.
Best Companies is also the company that provides the research and data analysis, for The Best Companies to Work for lists recognising the very best companies, nationally, in sector and regionally.
The Best Companies Accreditation and Best Companies to Work for lists uses our academically developed methodology. Our unique system looks for patterns, connections and correlations between employee responses which we measure to provide a Best Companies Index Score. Those that make one of our lists or achieve a Best Companies Accreditation are truly worthy of being branded one of the ‘Best Companies’ to work for.
Today we work with some of the world’s best-known organisations: measuring, improving, and recognising great workplace engagement. Please visit our website at www.b.co.uk/about to find out more.
The below information outlines the processing we undertake.
The personal data we receive, directly from an organisation that we are providing a service to, an individual completing a survey or an enquiry from. Personal data will be used for the purposes outlined below.
We will never sell your personal data to anyone, ever.
Why and how do we collect information?
Majority of the personal data we process is to provide the organisation you work for, the tools and expertise that will enable them to monitor engagement over time and improve. The features, services, and websites we provide, offer an accurate insight into the engagement levels within an organisation, assisting employers to inform, meet and monitor their people strategy needs.
We also use the statistical data we collect for research purposes with the goal of discovering new information, informing conclusions, and supporting decision-making into better understanding of employee engagement.
Please watch the video in the link below to understand how we use the data we receive.
We collect information through various ways. Below outlines, how we collect the information we hold:
Completing a b-Heard survey: The b-Heard survey can be received three ways, a) electronic survey (via email) b) paper survey c) login code (complete survey online by inserting a code). Your employer will decide which type or combination of survey, best suits your organisation. Each survey is allocated to a specific individual. Best Companies needs to know who you are and where you sit in the organisation structure, so we can create meaningful insightful reports for your organisation. You will notice there is nowhere to write your name. This is because we want you to be able to answer the b-Heard survey honestly, and for your survey responses to remain anonymous to your employer. Therefore, we can identify you, but your employer cannot. We will never identify you against your responses to your employer.
We will ask you a range of questions about your employer, your manager, the management team and in some cases information about you. This ensures we accurately measure your organisations overall engagement and generate a customised report for your workplace. It is important that you answer honestly, so that your employer receives a true reflection of their employee engagement stance. This means they get the information they need to improve. Data collected through a b-Heard survey will become part of the Best Companies database which holds over 5 million responses. Survey responses do not become part of your employer's dataset, so we can ensure that your responses are protected and remain anonymous. The Diversity survey we may be asked to include with the b-Heard survey is to assist your employer with ensuring equality of opportunity or treatment within your workplace.
Requesting further information: Where you request further information on our services, you may be asked to provide your email address. In providing your email address, you are allowing us to contact you in relation to your enquiry and to receive information on related services we provide. You may opt-out of these communications at any time..
Businesses that use our Services: The services we supply to your employer requires them to provide certain personal data to us about you, for us to provide the services. Please read the information below to understand how we use the data we are provided to provision the services.
Best Companies Accounts: Your employer will nominate personnel within the organisation or an external consultant to manage the process, review and access the reports, and provide additional information to allow Best Companies to provide the purchased services. Those individuals provided with Best Companies accounts may include your organisation project manager(s), managers and/or your employers third party consultants. The employer will determine who receives access to our website services such as The Dashboard, Workplace Insight Tool, and MC³. In some of the websites, you may personalise your experience such as by uploading your photo. Where you choose to add content to your Best Companies account, this may be visible to others within your organisation where granted access and Best Companies employees where they have a requirement to access your account to provide the services. For data collected within our onsite applications, Best Companies is the Data Controller. Applications Privacy Notice
Feedback Surveys: We may contact individuals from time to time for feedback on the services we are providing. These can include project managers, marketing representatives and individuals using our services/applications or that have attended a Best Companies event. This feedback may be requested within the application, or we may at times use a third-party survey platform. These third party platforms include LinkedIn InMail or for anonymous feedback we use SmartSurvey. You may opt to identify yourself within the anonymous feedback survey; this is for us to respond to you directly in relation to the experience you have received. Best Companies is the Data Controller of these activities..
Publication and recognition in association with Best Companies. We may on occasion have a requirement to share the contact details of a PR representative and/ or Project Manager(s) to a third party. This is to outsource to external writers for conducting interviews and writing editorial pieces. The names and contact details of the appropriate organisation representative are provided by the employer within the culture insight, which is completed during survey setup. The information shared will be the minimum required for them to make contact about your accreditation, list position or award. Best Companies is the Data Controller of these activities.
Your Data, Your Rights: You have a right to be informed of personal data processed by Best Companies, a right to request rectification/correction, erasure and to object to the processing. You also have the right to request access to your personal data. We can only adhere to a request if we hold personal data about you and are able to identify you. Where your employer provided the information to us, they are the Data Controller, and you will need to send your request to them directly. We will forward all requests we receive to the Data Controller. Due to the extent of the processing Best Companies conducts, Best Companies also becomes a Data Controller in their own right, separately to your employer. We recognise your employer as the main controller of data they have shared with us. Therefore, we will only continue holding personal data on their instruction in relation to the services, which we only retain in the invested interest of the employer for the provision of the services. The final decision on a request in relation to rectification, objection, or deletion for any personal data that we store on behalf of your employer is with your employer who requested the services. Whilst your employer will consider a request, they may not be able to accept your request, where they require us to retain the data in their legitimate interest for the provision of the services. Where Best Companies has collected personal data directly from you such as through the b-Heard survey, we are the Data Controller of this information. You can register a complaint about the handling of your personal data with the ICO, who are the supervisory authority for UK GDPR. www.ico.org.uk/concerns
What information do we collect?
The b-Heard Survey Process
Where an employer or individual representing an entity has accepted our Terms of Service Agreement to receive the purchased service.
For all survey types, we require the first name, last name, and a unique number/payroll number of all your UK employees. This is to ensure data accuracy, quality control and fair processing.
When surveying by Paper or Login Code by Post, we require the destination that the survey needs to be delivered to (Survey Delivery Location) e.g., head office, this will then be printed on the covering letter/Login Code by Post survey to assist with distribution.
Where employers opt for electronic survey delivery, we will require the employees email address. In line with best practice for security purposes, an email delivery of a b-Heard survey (sent from firstname.lastname@example.org) will be personalised to the employee, this is to assist in identifying a genuine email from Best Companies. We have also found there is a higher response rate when surveys are personally addressed.
To get the most out of the reporting and your employer’s investment in our services we may also be provided by employers some demographics in advance; this saves the individual time in completing the survey and ensures data accuracy for the anonymous reports we create. These demographics may include Employment Group, Manager Name, Job Grade, Date of Birth, Employment Start Date, Sex, Contracted Weekly Hours, Salary Band.
All details provided to us by your employer will remain hidden, as we do not need to request this information again from you. Information that we need you to complete will be displayed for you to fill in.
Where we receive an employment start date and date of birth, this is converted and saved as a banding as part of the processing. The individual date of birth and start date entries are deleted from our systems on the release of the reports to your employer.
There are some demographics that we will only collect directly from you, rather than enabling your employer to provide in advance. These may include how many hours you work in a typical week; how much time you spend working from home/remotely; how many days you travel to the office/workplace; how you get to work; how much time it takes you to get to work; whether you’ve taken a day of sick leave in the past month; whether you’ve applied for a new job in another organisation in the past six months and the composition of your household.
We may also measure your wellbeing through the World Health Organisation, ‘WHO-5’, where, in response to five statements, we will ask you to tell us how you’ve been feeling over the last two weeks.
Anonymity is the biggest concern individuals have when they complete a b-Heard survey. For voices to be heard and actions to be taken, we require you to answer your b-Heard survey truthfully. Incorrectly responding to a b-Heard survey, you are rendering the survey as useless and therefore the result meaningless. Please be assured your individual responses are never accessible by anyone associated with you or at your workplace. Please be assured we will always keep your survey responses confidential.
Where employers have a duty to monitor diversity levels, they may request that we include a diversity questionnaire alongside the b-Heard survey. Where this additional questionnaire has been requested, you may be asked to provide responses to questions that are deemed to be more sensitive to you e.g., race, religion, sexual identity, gender identity and disability. We will be the Data Controller of this data as we are for your responses to the questions on the b-Heard survey. Your individual survey responses will not form part of your employer’s dataset.
Diversity reporting: Where the diversity questionnaire is used, we will provide your employer with a report of the total counts of each diversity field. To comply with the general equality duty, some organisations need to have an adequate evidence base for their decision-making. By collecting and using the equality information, we may work with organisations to create bespoke reporting (on request) to better understand the needs of staff from different protected groups and thereby improve the efficiency of the organisation.
Before you complete the diversity questionnaire, we will inform you the information that we are about to collect is considered to be more sensitive and is to assist your employer in monitoring diversity levels for the purpose of equality of opportunity or treatment. Our research team will then use the collated diversity data responses, with the goal of discovering useful information, informing conclusions, and supporting decision-making into better understanding of equality. Your individual responses will remain anonymous. This processing is conducted under the lawful basis of Article 6(f); the lawful condition of Article 9(2)(j) and in accordance with Article 89(1) of the GDPR.
Survey comment box
At the end of the survey, you will be provided the opportunity to give direct feedback. Best Companies will review samples of responses and conduct comment analysis, this is to ensure the integrity of our accolades. Depending on the subscription service being provided, some employers will also receive your comments as direct feedback. We will not specifically identify you with the feedback, however, do take care not to identify yourself by describing something personal, which would only apply to you.
Our websites and cookies
Website usage data is collected by cookies (with your consent) to provide Best Companies with analytics. Data is tracked at visitor level, to understand how the site is used. The ability to attribute marketing leads from across multiple campaigns, ads, and keywords. This gives us an insight on how a visitor arrived at our website, what device is being used, such as a phone, tablet, or desktop, including interactions whilst on our site, such as the option to phone Best Companies. All of these analytics combined allow us to further develop our websites, improve the experience of visitors and measure where our marketing initiatives have been successful.
Web analytics tools which track website user activity. Tools like Google Analytics allow us to track data to analyse our website performance and measure the impact of our marketing campaigns on traffic and lead conversion metrics.
Attribution analytics tools cover web activity, but also break down the barrier between marketing and sales by identifying which channels are driving revenue, not just clicks and conversions.
Best Companies Live
The world’s largest employee engagement event, Best Companies Live.
Organisations can invite their staff to join online through their company dashboard. Only a first name and email address will be used for this processing. Individuals can choose to add additional content on the platform.
Individual subscribers can also join us by registering to join our online events. Please read the privacy notice and visit the site for more information and to register for the event. https://www.bestcompanies.live
If you are an individual who has made a nomination or been nominated to be recognised as a Great Manager, this is a separate initiative not covered by this privacy notice, please read the privacy notice for this initiative at https://www.greatmanager.co.uk
2Q Instant Insight Service
If you are an individual or your employer has registered for the 2Q Instant Insight, this is a separate service not covered by this privacy notice, please read the privacy notice for this service at https://2q.b.co.uk
We're looking for awesome people...
Where applying online you are required to upload your CV, for us to assess your application. We will also ask for you to supply your name and email address. If your application meets the job’s requirements, then one of the team will be in touch soon to discuss the next steps.
We may retain recruitment information and details of applicants for up to 12 months. If you have been referred via a recruitment agency, they are a separate controller you should read their privacy notice for details of their processing.
We also display links and content to other websites that are not owned or controlled by Best Companies such as Vimeo Privacy Notice and YouTube Privacy Notice. Please be aware that we are not responsible for the privacy practices of such other websites or third parties. We encourage you to be aware of when you leave our websites and to read the privacy notices of each website that collects personal information.
Third party, Google Analytics, applied with your consent as part of the cookie banner. This software conducts tracking, location and page hits that assist us in the improvement and optimisation of the analysis of data supplied via the Best Companies platform for content enrichment, our marketing activities and lead generation purposes, including Google location API and any necessary notices or consents for the collection and sharing of the data with Google. Please view the Google privacy notice to view any necessary notices or consents for the collection and sharing of the data with Google.
Website registration and web forms
When you register to the website, you may be asked for personal information about yourself to register and/or download content. This information may include, but is not limited to, your name, the company you work for, your e-mail address and telephone number. By providing this information, you are consenting to us contacting you in relation to your request or enquiry. We will only collect information from you that is necessary for us to provide you with any services or assistance connected with your enquiry. If you would like more information on our services, do get in touch by completing our online enquiry form at https://www.b.co.uk/contact. You may withdraw your consent at any time.
Best Companies uses WorldPay a third-party service provider for managing credit card processing. WorldPay does not store, retain, or use billing information except for the purpose of credit card processing on Best Companies behalf.
At the Awards evening we will take images of winners of the awards and attendees at the event. These images will be released into the public domain and used to promote the Awards evenings and The Best Companies to Work for lists by both Best Companies and publishing partners, they may also be used by organisations for them to promote their achievement. We may also collect from you on the night of your Awards Evening, with your consent, your name, organisation name, and email address. This is to provide you with the images taken of you and your colleagues at the photo booth. The contact data collected on the Photo Nomination Voucher(s) will be retained by the photographer (the data processor), for a period of 3 months, to assist us with any enquiries and by Best Companies (the Data Controller) for a period of 12 months. You may withdraw your consent and ask us to remove your personal data from our systems at any time.
Data Protection by design and default
Best Companies is dedicated to protecting all personal data we receive in line with industry standards and best practise. All data is only accessible by authorised personnel and Best Companies employees who are all contractually subject to confidentiality. We take all reasonable steps to protect information we receive from you from loss, misuse or unauthorised access, disclosure, alteration, and/or destruction. We have put in place appropriate physical, technical, and administrative measures to safeguard and secure your information, and make use of privacy-enhancing technologies such as encryption. An external auditor conducts an annual vulnerability assessment and penetration test on our systems. We also continually monitor our security posture as part of our ongoing risk management strategy.
Best Companies has achieved ISO 27001 the information security standard and the ISO 9001 quality standard. We are also registered with the Information Commissioners Office. Our internal Data Protection Officer monitors our ongoing processing operations to ensure they are lawful and compliant with data protection laws and regulations, such as the UK Data Protection Act 2018, the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulation (PECR). We view our compliance, as GDPR aligned. We continue to focus on ongoing GDPR requirements, such as evaluating the data protection impact of new products and services on our users’ personal data and training employees about protecting the privacy of personal information. We have documented procedures for Incident Management and Data Subject Requests and have implemented appropriate company policies to protect the data we hold.
To provide the purchased services we use a select number of trusted external service providers. These service providers are carefully selected and meet with high data protection and security standards. We only transfer information that is required for the services offered and we contractually bind them to keep any information we share with them as confidential and to process personal data only according to our instructions. These service providers are also known as data processors, who we use for the provision of our services. Personal data is stored within the United Kingdom and European Economic Area (European Region). Personal data is not transferred outside of these areas.
Best Companies data processors:
Microsoft Azure and SQL database: (Location: United Kingdom, Netherlands) Required to host our live websites and to store and process the site files and data.
Barracuda Networks: (Location: United Kingdom) Data from our on-premise server cluster, is replicated securely to the Barracuda data centre to provide our offsite cloud backup.
Mailgun Technologies: (Location: Germany) Required to manage our transactional email delivery to clients.
Salesforce: (Location: European Economic Area) Used by Best Companies to maintain business operations, customer relationship management.
FreshWorks and FreshService: (Location: European Economic Area) Used by Best Companies to maintain business operations, and IT service management.
As part of the service provision some of the data processors may transfer the data to a different country than stated above e.g., for Geo-redundancy. For the avoidance of doubt the transfer will only be within the European region.
Zivver: (Location: European Economic Area) A secure way to transfer large files or confidential information to and from Best Companies, which we may also use to transfer data at your request securely to an individual or organisation.
As part of the service provision some of the data processors may transfer the data to a different country than stated above e.g., for Geo-redundancy. For the avoidance of doubt the transfer will only be within the European region.
International transfers of personal data
On the 28th of June 2021, the EU approved an adequacy decision after determining that the UK had an “essentially equivalent” level of data protection to the EU, meaning that data can continue to flow between the EU and UK as it did before, in most circumstances. This decision is expected to last until the 27th of June 2025; however, the European Commission must monitor developments in the UK on an ongoing basis.
Best Companies is located in the UK and our data processors that are assisting us in processing personal data, are located within the UK and the EEA. No personal data will be transferred outside of the UK/European Region. As part of the service provision some of the data processors may transfer the data to a different country for Geo-redundancy. For the avoidance of doubt the transfer will only be within the European region.
As part of our considerations, Best Companies has instructed Ametros Group as our EU Representative in accordance with Article 27 of the GDPR for EU supervisory authorities and EU citizens. Individuals situated in the EU wishing to request their individual rights may either contact Best Companies directly or Ametros Group.
Where an international data transfer agreement is required, please contact email@example.com.
Lawful basis for the processing
The processing between Best Companies and your employer for the survey and organisation reporting is completed under the legal basis found in Article 6(1)(f) of the GDPR, the processing is necessary for the organisation’s legitimate interests. The employer has legitimate interests in sharing the data, for Best Companies to process, to measure employee engagement in the organisation; to inform the people strategy; and to improve engagement in the workplace. Processing is required to ensure that the organisation is a good employer; who are looking after their employees; being recognised as a ‘Best Company’ on gaining an Accreditation or place on the lists; for the positive national PR; and retention and attraction of top talent. Best Companies and your employer share personal data between our companies on the legal basis of legitimate interest.
The UK Information Commissioners Office acknowledges that companies may have a “…legitimate interest in processing data as long as the processing does not have a disproportionate impact on the individual.” On balance, the legal basis of legitimate interest against the individual impact: the services are reasonable, the company’s interests in the services appear compelling, and with there being little impact on the individual. The services are not considered high risk processing.
Best Companies processing for research purposes
Best Companies conducts additional research on the survey responses and demographical data under the lawful basis of Legitimate Interest as sole Data Controller, under the GDPR historical, scientific and statistical research is deemed compatible processing. This processing is required for:
- the statistical research, which is required to assist employers with understanding how employee engagement impacts their organisation in comparison to other organisations
- production of best practise content
- the ability to provide comparative historical research
- new learning for the benefit of the wider society in the form of white papers, case studies and articles
To the extent possible all data provided to our Research and Data Insight teams for the above research purposes is pseudo-anonymised.
Information regarding our MC³ Product
MC³ is intended as a development tool for organisations to reflect on what they are getting from their managers and their relationship with their team. MC³ should be used and considered as a resource, and when reviewing data, the organisation should consider the wider context of the team. The purpose for MC³ is to help focus managers on those areas that will make them great people-managers.
The UK Data Protection Act 2018, which includes the General Data Protection Regulation, advises that you can carry out this type of decision-making when it is necessary for the lawful basis of performance of a contract. Therefore, where your organisation purchases the MC³ product, the lawful basis of this product is Article 6(1)(b), where processing is necessary for the performance of a contract, to which the data subject (employee) is party. Your organisation will have a contract of employment with the employee that MC³ is reporting on, which will include clauses, or can reasonably refer to one or more of the following:
- managing a team
- completing the job function to a certain standard
- personal development
On balance, we have reasonably determined that MC³ benefits the individual by identifying where the individual is doing well and areas where they can focus to improve. This level of insight will not only benefit the organisation for meaningful conversations, but it can also really help the manager with their own personal development and becoming a better manager.
Your project manager within the organisation, to ensure individuals are aligned correctly to the reporting manager, will have reviewed the organisation hierarchy provided by the organisation for accuracy. Managers will be asked to verify their reporting structure at the end of the survey. MC³ is an automated decision-making process, should an individual disagree with the results, we are able to review manually. We recommend that organisations actively inform their managers that they have purchased the MC³ product and how to make best use of the learning outcomes.
We require a minimum number of survey responses, to provide MC³ reporting to ensure anonymity.
MC³ Manager Accreditation
Promoting your MC³ Accreditation
Employers have an invested interest for us to retain personal data for up to three years following the lapse of the subscription term. Should an employer go through an organisation restructure or require further insight from the data, we can restructure the personal data held from the previous year(s) participation, to correlate the reports from the newest b-Heard survey. Following an organisation restructure, employers have a real need to understand the impact it has made on their employees. The ability to be able to alter the reporting to reflect the new organisation structure provides organisations with valuable data that reflects the true position of the organisation against those previous years surveyed.
We only continue to retain the personal data after the provision of services for the benefit of the employer. An employer can make a written request, at any time after the provision of services for us to delete the personal data we are holding on their behalf, should they no longer require us to retain the personal data. We delete personal data through an anonymisation process. We retain demographics and employee responses indefinitely to continue our research into employee engagement. To ensure fairness and transparency to the employee, we would not accept a request to extend the max retention period.
We use a process of anonymisation at the end of the retention period or earlier upon written request from the employer. Anonymisation means we delete the personal identifiers, therefore anonymising the remaining statistical data for our continued research. This is in line with the Information Commissioners Office (ICO) anonymisation code of practice. The employee responses, which are attached to employee demographical data, are not removed; this would result in the inability to perform any future engagement reporting. This would also similarly affect benchmark data and where organisations are being assessed for Accreditation and a position on our lists. The Data Protection Act and General Data Protection Regulation (GDPR) does not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.
We retain the statistical data for our continued research with the goal of discovering useful information, informing conclusions, and supporting decision-making into better understanding of employee engagement. Once anonymisation has been completed, we are unable to reverse this process.
Best Companies uses a third-party service provider for managing credit card processing. The service provider does not store, retain, or use billing information except for the purpose of credit card processing on the Company’s behalf. Best Companies is PCi DSS certified.
Best Companies reserves the right to use or disclose information provided if required by law or if the Company reasonably believes that use or disclosure is necessary to protect the Company’s rights and/or to comply with a judicial proceeding, court order, or legal process. We will ensure the confidentiality of all survey responses unless we are required to reveal them in exceptional circumstances (in which case we will maintain as high a level of confidentiality as possible in those circumstances) or as required by law.
Privacy Notice Changes
Best Companies may make changes to this privacy notice to align with our operations and evolving laws. If we make changes to this privacy notice, we will post those changes on our website, Privacy Notice and in other appropriate places. We reserve the right to modify this privacy notice at any time, so please review it regularly. If we make significant changes, we will notify you here, or by other reasonable means. This privacy notice is currently only available in English. In the event non-English translations of this privacy notice are provided, it is done so for convenience only. In the event of any ambiguity or conflict between translations, the English version shall always take precedence.
If you have a question regarding our processing, you can email or write to us your request to our Data Protection Office (contact details below).
Post: Best Companies Ltd, Hamilton House, Rackery Lane, Llay, Wrexham, United Kingdom, LL12 0PB
To individuals situated in the EU, please may contact us directly as above, regarding requesting your individual rights. Alternatively Best Companies has instructed Ametros Group as our EU Representative in accordance with Article 27 of the GDPR for EU supervisory authorities and EU citizens (contact details below).
Post: Ametros Ltd, Unit 3D, North Point House, North Point Business Park, New Mallow Road, Cork, Ireland
Recording of Calls
When contacting Best Companies, some calls and Teams meetings will be recorded for quality control and training purposes and retained for up to a month.
Where a Teams Video Meeting is selected to be recorded, this will be shown in the ribbon on screen. These calls can be made accessible to those on the call and may be reviewed for quality control and training purposes. Teams meeting where selected to record will be retained for up to 6 months (audio and video).