It’s a pretty lofty ambition, but it’s something we really care about. We care because we truly believe that people who are fully engaged at work feel happier and more secure, which makes them more productive.
We pride ourselves on setting an example to industry, striving to operate lawfully, fairly, and transparently. Our Trust Centre sets out our organisation’s stance so that you can evaluate Best Companies as your employee engagement partner of choice.
Our world-class methodology is academically rigorous and was developed in collaboration with academics at the University of Plymouth. It forms the foundations of our b-Heard survey and helps us in our ambition of achieving our primary purpose: helping make the world a better workplace. We strive to be transparent and are happy to share, so that others can understand how we do what we do.
Best Companies cares about what we do, and who we do it for. In consideration of our services and the amount of personal data we store, ensuring our security posture is appropriate and proportionate is high on our agenda. In addition to the contractual obligations set out in our Terms of Service, we also look to demonstrate that we are a competent authority and that our measures are effective. This will allow you to take a risk-based approach to our processing and give you the opportunity to verify our approach.
We embrace a ‘data protection by design and by default’ approach, considering data protection throughout the lifecycle of our services and ensuring that it’s integrated into everything we do.
We operate a ‘privacy centric’ approach. This means that we consider risk on an individual basis rather than in the collective sense. This is important not only in protecting the anonymity of individuals who respond negatively about their employer, which could potentially put them at risk of reprisal; we also recognise that an individual’s data may be more sensitive by association, due to who their employer is or their job role/function. Best Companies recognises that not all personal data is equal in terms of risk.
Data Protection is embedded into our culture, maintained through employee awareness and support. Training is provided at induction and at regular intervals throughout the year. We have an in-house Data Protection Officer (who can be contacted via email using privacy@b.co.uk), and data protection is given top-level support. The Board of Directors has nominated an accountable director for compliance oversight.
We take responsibility for what we do, with appropriate measures and records in place to be able to demonstrate our compliance.
We restrict access. Data is only accessible by authorised personnel and Best Companies employees, who are all contractually subject to confidentiality. Access controls are in place for our employees and our clients. We have installed a unified threat management solution with high availability and the WatchGuard Total Security Suite, which includes Data Loss Prevention (DLP) and Threat Detection Response (TDR). We use HTTPS across all our websites.
We continually monitor our security posture. Internal and external audits are conducted throughout the year. A vulnerability assessment and penetration test is conducted annually by an external organisation. All Best Companies applications, including the code for the survey, servers, and infrastructure networks, are covered in the scan. Azure DevOps is used for our source code repository; this has full auditing of changes. Peer review is required as part of our secure development lifecycle. We use an open-source security and license compliance management platform, which automates the entire process of open-source component selection, approval, and management, including detection and remediation of security and compliance issues. Quarterly scanning is conducted as required for PCI DSS, and Security Scorecard is continually reviewed and reported to the board fortnightly.
We do what we say we do. We have an established privacy management framework which is reviewed as part of our independent third-party assessments. We are proud of achieving certification for the ISO 9001 Quality Standard, the ISO 27001 Information Security Standard and the Payment Card Industry Data Security Standard (PCI DSS), and of being certified as part of the Hellios Financial Services Qualification System (FSQS).
Best Companies is located in the United Kingdom (UK), which means organisations operating outside of the UK will be transferring data to the UK. Our services involve processing of the personal data we receive within the UK and the EEA (European Region). No personal data will be transferred outside of the European Region, unless your organisation operates outside of this jurisdiction.
Like most organisations, Best Companies works with other organisations to enable us to provide you with the best possible service. We conduct due diligence on all our suppliers, taking a risk-based approach. This means we consider the state of the art, the costs of implementation, the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. This allows us to evaluate whether a supplier’s measures are effective and proportionate in relation to the services being provided. We reassess data processors periodically to ensure they have, at a minimum, maintained existing standards/certifications, and consider any new security features they have released that we may be able to make use of.
Best Companies conducts statistical research as a separate data controller with the goal of discovering useful information, informing conclusions, and supporting decision-making, leading to a better understanding of employee engagement. We will only process the personal data as a data controller to the extent that it is deemed compatible processing.
We want to ensure your employees can access our privacy notice in order to understand how we use the data we hold about them. We do this by providing a multi-layered approach: on our website, within our communications, and through a just-in-time notice at the point of survey.
Our Terms of Service include everything required for our specific processing, and accurately reflect our position as a data controller or data processor, dependent on the processing. It’s important that all clients receive the same set of terms to ensure a level playing field and fair competition for those applying for Accreditation evaluation and consideration for the Best Companies to Work For Lists. Terms are available to be reviewed and accepted as part of the registration process.
View our Terms of Service and Rules of Engagement
Best Companies is based in the UK; therefore, we are processing data in accordance with UK legislation. As an organisation providing services internationally, we continually monitor evolving global laws. We continue to focus on ongoing requirements, such as evaluating the data protection impact of new products and services and training employees about protecting the privacy of personal information. We have documented procedures for incident management and data subject requests and have implemented appropriate company policies to protect the data we hold.
For Best Companies to provide our services to you, there is a requirement to share personal data for us to be able to fulfil your request. We are unable to provide our services without it. Prior to sharing personal data, you must be able to show that you considered and selected a lawful basis before sharing. There are six available lawful bases for processing. No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual. In consideration of the services you are requesting from Best Companies, consent is unlikely to be the most appropriate basis due to the imbalance of power between employer and employee.
Best Companies operates as a data processor or a data controller, dependent on the processing. To support your decision making, please view our Data Processing Record, Legitimate Interest Assessment and Requirement Consideration for Fields of Data Being Shared documents.
Best Companies lives by our five key principles: Care, Discipline, Responsibility, Humility and Hunger. These principles underpin all aspects of our activities. They are an essential part of who we are, and we refer to and abide by them in everything we do. Particular attention is focused on our responsibilities to our environment, the local and wider communities, our effect on the world at large and every way we touch it.
View our People and Planet Statement
We believe every organisation has a duty to find ways to protect our planet and reverse the effects of climate change. We are committed to reducing and eliminating any negative impact our activities may have on the world by continuously reducing our reliance on non-renewable resources, reducing waste production and striving for a more sustainable future.
View our Environmental Policy Statement
The organisations that work with us can choose whether to donate an amount to a charity of choice for every survey returned by their employees. What better way to measure engagement levels and give a little something back in return? Over 3 million has been raised for charity to date.
Best Companies employees are given five days per year to volunteer, devoting their time and energy to giving something back to the community. This has seen the team landscaping, packing shoe boxes and spending time at a local animal shelter.
Best Companies matches the money raised by our employees through charitable events and activities.
Follow Best Companies on social media platforms to see what we have been up to.
Best Companies’ primary purpose is to “help make the world a better workplace”, and we are committed to upholding the protection of the human rights of all workers wherever it is possible through our sphere of influence. As part of this commitment, whilst not legally required, we believe it is important to consider our commitment and have released the following voluntary statement.
View our Modern Slavery Statement
Best Companies strives to provide our clients with a service which meets and even exceeds their expectations. We are committed to continuous improvement and have established a Quality Management System which meets ISO 9001, the Quality Standard. We have the following systems and procedures in place to support us in our aim of providing client satisfaction and continuous improvement throughout our business:
Our internal procedures are reviewed regularly and are held in our Business Management System manual, which is made available to all employees.
We welcome feedback from customers, whether in celebration of where we have got it right or about where we could look to improve. Get in touch.