Choosing the Right Research Partner (and Why Data Security is a Defining Factor)

We make decisions each and every day. Some small and fairly inconsequential. Others, may be large decisions that have the capacity to facilitate great change. For some of us, these decisions form a big part of our careers, and for in-house insight experts who need a helping hand or business professionals who need the help of an insight team to gather insights to inform a strategy, one of these decisions is choosing which research agency to partner with.

Choosing a research agency partner can be tricky – there are many different agencies with different specialities, tools, and values that determine how they operate, so what should you consider when deciding which research agency to work with?

Here are my top 5 things to look into when choosing who to work with:

• Cost - This, often elephant in the room, is a big consideration for all companies. We all have budgets or financial boundaries to respect so choosing an agency who’s pricing is in-line with these is important. Sometimes, we need to venture outside of our budget if possible but generally a good agency would work with you to help you achieve your goals within their pricing structure if they can.
• Value – How is this different to cost? Value often includes how important something is. It can also include how much you get for the cost. So, the value for money a research agency provides and the value you place on finding the right agency to work with should both feature in the decision-making process. Why? When you find an agency that marries value for money with understanding your priorities then you are onto a winner.
• Alignment of aims – This is an obvious consideration but one which needs to be said. It is important to find a company who understands your goals and who’s research ethos fits yours. What do you want to gain from working with a research agency? How do you want to work? Is there a working culture which fits with yours? Finding an agency who truly wants to work along with you to meet your goals and who works/communicates with you in a way which mirrors yours is bound to make the process smoother.
• Experience – A firm that has some experience with conducting the type of research you are after or in the industry you are in should be considered. They should be able to bring some appropriate industry knowledge or research expertise to the table. While I would argue this is not an essential, it is helpful.
• Data Security – As someone who works in InfoSec it is not surprising that I would say this. However, not many ‘how to choose a research agency’ blogs include this category and that shocked me. So, for the rest of this blog I am going to discuss why I feel it should play a big part in the decision-making process and just how to check this.

Now, the first four factors are pretty self-explanatory, and simple enough to understand for any professional be they insight or business. I want to talk more about the importance of data security, why data security should pay a key role in decision making and what to look out for.

The Importance of Data Security

Perhaps the main driver for companies to check the data security credentials of a market research agency is the fact that the law dictates the need to do so. Depending on what country you are based in, where those participating in the research are based and where you will be processing data, there are a variety of laws and regulations that need to be followed.

In the UK, the implementation of GDPR back in 2018 brought a whole host of changes for many companies; these changes were for the best, making it easier for data subjects to exercise their rights and providing data controllers and processors with much clearer guidance to follow. Making sure you choose a research agency that fully complies with the law should be a top priority.

Secondly, a research agency that has robust data protection policies and procedures enables them to respond to data subject requests quickly and thoroughly. It also allows them to handle both participant and client data securely. Why are these points important when considering which research agency to work with? Having and following these policies greatly aids in reducing the risk of a data breach or violation of legal timeframes.

If there was a breach or a violation this could result in damage to the reputations of both companies involved. How much better would it be to hire a company where the chances of this happening are a minimal as they can be?

Now, let’s look at how you can go about checking a company’s data security standards.

Evaluating Data Security Standards

Perhaps the most common way to check this is to send the research agency your ‘Due Diligence’ form. These normally consist of a comprehensive set of questions, designed to find out what certifications they hold and what policies and procedures they have in place. If a research agency takes data protection seriously, the answers to these questions should leave you feeling confident that your research/participant data will be handled securely.

However, having seen a lot of these forms in my career, my one piece of advice would be to make sure you ask the correct questions. I am aware this is a sweeping statement, but sometimes asking if a company has a certain policy in place is fine, but asking how they implement data security practices on a daily/weekly/monthly/etc. basis might be better.

Ensure to look at the digital element of security too. If we were to go back as little as 10 years, you may have got away with thinking about Data Security mainly in terms of physical security. Now though, the bulk of our protection comes from digital means. Yes, a research agency needs to be physically secure, and yes, they need to have guidelines in place to minimise the ‘human error’ factor, but most data attacks are now in some way digital.

A good baseline is to check if the company is Cyber Essentials Plus certified, but you can and should go deeper than that. If a company develops its own research software, how is that secured? How do they keep their corporate digital environment protected from those with malicious intent?

Perhaps you are thinking that the above two points are all well and good, but they are something that falls to your internal InfoSec team to check after you have chosen an agency you wish to work with. Well, that may be true, but is there something the decision makers could be doing (if they are not already) way before it gets to this point? How about asking the sales representatives about their data security certifications and policies when you are having those initial conversations? Asking them what data protection certifications they have is a great starting point in narrowing down potential research partner candidates.

To hold, for example, ISO 27001 or Cyber Essentials Plus implies a high standard is followed. It could go beyond this with a few carefully chosen questions designed to give you an overview of how seriously they view data security. These can then be fed to the relevant Information Security teams to be followed up on in their next steps.

So then, how do you decide which research agency to pick? Ultimately, while exact needs may be unique, you need to weigh up their certifications, their daily practices, their knowledge and dedication to data security. Cost might be the most ‘restrictive’ part of your criteria, but it is down to so much more than that. Value, aims, experience and security should all feature in the decision-making process and inform your final decision.