What does it mean in Practical Terms?
General Data Protection Regulation means new and important changes to the way respondent data can be gathered, used, stored and processed. Individual rights will be better defined, and more rigorously enforced, with large fines for those that don’t follow the rules. At the same time, expect respondents to be better informed and educated as to their rights, and less willing than ever to surrender them. Here we look at the things that need addressing, the increasing privacy expectations of the respondent, and the escalating relevance of the regulatory framework that protects them.
Privacy by Design
The overriding requirement is that the way data is collected and processed is built into the fundamental design of the project. This early emphasis makes commercial sense too, as opposed to the inconvenience and commercial danger of having to employ a sticky-plaster, staged approach once the project wheels start turning. The most successful projects have this soup to nuts privacy focus along the entirety of the vertical, with the expectations of each party being firmly established in advance, by contract or agreement if necessary. On reflection, this is what one might call a perfect partnership approach, meaning fewer disappointments, and a more pleasant outcome. In effect these new processes, and the regulation that enforces them, might now cement the client/agency-fieldworker relationship even more as there’s a reliance on each other to do it the right way!
As a controller of a respondent’s data and the processes that dictate the manner and means by which they are researched, there’s an obligation to demonstrate that any processing undertaken is performed in accordance with the regulations. Each part of the respondent journey should be laid out clearly in an understandable form - it must be transparent. In practical terms, this mean providing more detail to better aid informed decision making, and in terms of tracking, the increasing use of demonstrable mechanisms for recording this process, and in turn safeguarding accountability.
It’s also apparent that large sways of respondent data cannot be simply kept, and continuously processed, over an indefinite period. Data must have a shelf life – an agreed and communicated retention period.
Sharing Data with Clients and Suppliers
Furthermore, being a de facto data controller means having to be more than interested in the actions of the processors employed (who ideally will now be governed by contract, and be obliged to demonstrate sufficiently that they have in place measures to meet the requirements of the regulation), and the clients you might attract (who will be looking to partner with business that can demonstrate the same level of regard to the “rules”, and be able to manage their ever more complex research processes). But, most importantly, it remains true that commercial success must be ensured by the adoption of a smooth and fluid system of compliance, that aids and improves project outcome, rather than hinders and damages it. For example, a greater emphasis on compliance may indeed lead to longer project lead times but may ultimately mean better data. Or, a requirement to take longer to reach a fully consented and informed respondent cohort, may eventually deliver a deeper level of understanding.
Who Sees the Data
More than ever, there is an increased focus on the data journey - where the data is going (geographically) and to whom (their role), and how it is transported on that journey; with an expectation of more pseudonymisation, more anonymity, more security and more emphasis on having the correct privacy mechanisms in place for cross border transfer. If you’re based in the US, and moving data from US to Europe, or receiving it from Europe to US look closely at the Privacy Shield; there are other transfer mechanisms, including contract, but these are very cumbersome templates provide by the European regulators.
At is core, the aim of GDPR is to keep the respondent fully informed throughout, as well as maintaining a focus on transparency. Most of this can be done with the use of a well-laid out respondent privacy notice.
How can we help?
- By providing practical support to your compliance needs
- By working with you to develop a transparent, and demonstrable project level consent process, using our digital signing tool
- By working with you to support your data delivery and transfer requirements
What to consider during the Consent Process
In the past, much of the project detail would only have been included in the recruitment screener, with consent secured verbally. Though the new regulation allows for consent to be recorded orally, it would need to be recorded in totality, and kept to demonstrate compliance. We feel it’s better to record consent from each respondent in the more formal way, using a digital documentation and signing tool. Here the respondent can agree to each element individually, and have a signed copy of their consent documentation passed to them via e-mail automatically.
Key information to include in any consent documentation:
- What is the study for?
- What are the study protocols/methodology?
- What will the respondent be asked to do?
- Will the respondent receive payment for their contribution and how much?
- If and When should the client company be revealed to the respondent?
- How is the confidentiality of the respondent guarded?
- What rights does the respondent have? e.g. the right to withdraw
- How and why information on Adverse Event and Product complaints is required and collected?
- Will other people be used in the completion of the study and what is their role? Moderator, transcribers, note takers, studios, simultaneous translators etc.
- Communicate to the respondent that they may see confidential information and/or materials.
- Tell the respondent about how their contribution will be obtained e.g. Audio and Video recordings, and who will have access to this information.
- If they are completing a WATI interview, inform them that they may need to use a third-party supplier of a screen sharing service.
- Let the respondent know that other persons may be present in the interview - e.g. their peers during a FG
- Include a clause requesting direct observation by clients, or by recording or streaming, and communicate where they are based, and in what roles.
- Ask the respondent if they are willing to be recontacted should their be any questions following the research study
For the latest GDPR updates click here
Including: GDPR Quick Guide - an overview; Checklist to help you audit your data processing; Risk and Privacy Impact Assessment; Data Protection Officer; Data Security - including Breaches and International Transfers; Consents for Market Research - What is required and when - new May 2018, including new guidance on revealing the sponsor!