Back to basics: everything you need to know about GDPR in market research
The General Data Protection Regulation (GDPR) became enforceable on 25 May 2018. It replaced data protection legislation drafted before the modern world of social media and pervasive internet use, and it applies directly in every EU member state (28 of them at the time of writing). In short, it set out to bolster the rights EU citizens have over their personal data and to make organisations more transparent and accountable in how they handle it.
As a result, misusing someone's data now has serious consequences, with hefty fines for organisations that fail to comply with the regulation. Worst-case scenario? Organisations found to have breached the regulation can be fined up to €20 million or 4% of their worldwide annual turnover, whichever is higher. So, basic GDPR lesson over, what does all this mean for market research?
Processors, controllers and market researchers
GDPR applies to every organisation that processes personal data - including market research and fieldwork agencies. In fact, even businesses established outside the EU are bound by GDPR if they offer goods or services to, or monitor the behaviour of, individuals in the EU. GDPR draws a distinction between data controllers and data processors in order to recognise that not all organisations involved in the processing of personal data have the same degree of responsibility.
A data controller decides the purposes and means of the processing, exercises control over it and carries the legal responsibility for it, whereas a data processor is any person or organisation that processes personal data on behalf of, and on the instructions of, a controller. A controller could be any organisation, from a high street shop to a charity or, yep, you guessed it, a market research agency. Which role an agency plays depends on who decides why and how the data is processed: an agency that designs and runs its own research is a controller, while one that carries out fieldwork strictly on a client's instructions is a processor for that client. Where an agency acts as controller, it has been entrusted with respondents' personal information, carries ultimate legal responsibility, and therefore needs to ensure every processor is compliant - and bound by a written contract meeting GDPR's requirements - before entrusting personal data to them.
A data processor would then be any third-party company to which an MR agency outsources functions - which also means that if your research involves participants from the EU, you should audit your chosen agency to make sure it is compliant with GDPR before any personal data changes hands.
The six lawful bases for processing information
Before any processing begins, the controller must identify the lawful basis on which personal data is being processed, and both controller and processor should be clear on which basis applies and why. There are six of them, which can be broken down as follows:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations)
- Vital interests: the processing is necessary to protect someone’s life
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those interests. If you choose to process data on this basis, you must carry out and record a legitimate interests assessment showing that you have considered the interests of the data subjects and are confident that exercising your legitimate interests is not to the detriment of theirs.
When it comes to market research, it's important to document all of this so you can be confident you have selected the right lawful basis and can justify it in writing, and to tell respondents which basis you rely on in your privacy notice. The basis you choose also shapes what respondents can demand later: consent can be withdrawn at any time, and processing based on legitimate interests can be objected to, so changing basis after the fact is not an option. This means you need reasoned, documented, thought-through explanations of what you are doing and why.
Transparency and individual rights
When it comes to market research and GDPR, agencies should also strive to be transparent about exactly what information will be stored, how long it will be stored for, what purposes it will be used for and who will see or use it. Make sure you have a clear process for handling requests from data subjects who contact you to exercise one or more of their rights - GDPR generally gives you one month to respond - and make sure your staff understand the policy and are trained in their roles, since a rights request can arrive through any channel, from a survey reply to a phone call.
Generally speaking, MR agencies will process personal data for the following reasons: inviting people to participate in market research, contacting them to help find other respondents, providing technical or incentive support, supplying incentives, and allowing a moderator or interviewer to contact respondents. And they must also uphold the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
One way to ensure you are transparent and are providing the necessary rights is to offer consent that is as granular as you can make it - for example separate opt-ins for taking part in a study, being recontacted for future studies, and being recorded - so that every respondent knows exactly how their personal information will be used. Be upfront about everything, from a breakdown of the types of information stored and how long they will be retained, to details of any third parties who will receive the data and a clear indication of how they will process it.
Be aware of special category data
Special category data is personal data which GDPR treats as more sensitive and which therefore needs more protection. It covers racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify someone, health data, and data about a person's sex life or sexual orientation. In order to process special category data you must identify a lawful basis as above and, separately, one of the specific conditions for processing special category data.
This type of data could create more significant risks to a person's fundamental rights and freedoms, so it needs to be treated with particular care. There are 10 conditions, and you must determine which one you rely on before you begin processing special category data - and document it. For market research the condition is usually the data subject's explicit consent, which means a clear, affirmative opt-in specific to that sensitive data rather than general participation consent. Note that screening questions about health, ethnicity or religion used to recruit a sample are themselves processing of special category data, not just the answers collected in the study.
Incident response
It's also important to have a proper incident response policy that is understood and adhered to should anything go wrong. Ensure that a decision-making process is prepared in advance so that you can act quickly in the event of a personal data breach, including what action to take, who to notify and when to notify them. The deadlines are tight: a breach that is likely to result in a risk to individuals must be reported to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, and affected individuals must be told without undue delay where the breach is likely to result in a high risk to them. Every breach, reportable or not, should be logged along with the reasoning behind the decision. If you are acting as a processor, your obligation is to notify the controller without undue delay, so the contract with each client should say exactly who is contacted and how.
Brexit and GDPR
This is all very well and good, but what about the impact of Brexit? The UK's Data Protection Act 2018 supplements GDPR and sets out how it applies in the UK, and the government's stated intention is to carry GDPR over into domestic law when the UK leaves the EU, so there won't be a huge shift in the substance of the rules. Businesses and organisations will not need to rewrite their policies, and GDPR will still protect EU citizens whose data they process, but there could be changes for organisations that move personal data between the European Economic Area and the UK.
Much depends on the terms on which the UK leaves. Once outside the EU, the UK becomes a "third country" for GDPR purposes, which means transfers of personal data from the EEA to the UK need a lawful transfer mechanism, just as transfers to any other non-EEA country do. The UK government has said it will seek an adequacy decision from the European Commission confirming that its data protection regime is essentially equivalent to GDPR. Once granted, this would allow data to flow freely between the EEA and the UK; until then, agencies and their clients should expect to rely on standard contractual clauses or another approved mechanism for EEA-to-UK transfers.
In conclusion, GDPR compliance in market research agencies calls for a multi-pronged approach: technology and technical controls alongside good processes and documentation. And when it comes to choosing a fieldwork agency, it's really important to make sure that agency adheres to GDPR. Find out more about how to choose the right qualitative market research recruitment agency in our guide.