As you could read in our previous blog post, the EU GDPR affects all companies that deal with data of EU citizens. Every company needs to be aware of its data flows, whether they relate to ‘generic’ customer data or to data collected for well-defined purposes.
Having an overall data-flow, tied to the company procedures as they are followed in practice, will be your biggest help in pinpointing risks, vulnerabilities, or improvement possibilities. For that reason, describing the INs and OUTs of all the data you need to deal with has to be one of the very first steps.
The next steps, and two of the most important ones, are classifying the data and determining your role in relation to it. This requires continuous attention from your staff whenever new processes are established that affect the data-flow. In our previous blog post we described the roles and data classification types. Not all data requires attention. Although that sounds like an easy case to deal with, you still need to guarantee that at a certain point you do not start mixing this data with personal identifiers or sensitive data. For the data that you need to handle with high attention, the following factors have to be considered:
This list may look a bit abstract at first glance, but let’s examine some market research practices (without the aim of completeness) per different mode, and pinpoint challenges from these aspects.
CATI interviews can start on two different paths:
In both cases, you can end up in a few “feels tricky” situations. First and most important, you need to be aware of the laws that apply to your activity. This includes whether an RDD sample is allowed to be used at all, and whether do-not-call lists (blacklists) have to be applied.
For normal samples, you need to consider all the characteristics mentioned in the data-flow section:
GDPR - Market Research Implications #1 - CATI (you are reading this article now)
GDPR - Market Research Implications #2 - WAPI (this blog post will be published soon)
GDPR - Market Research Implications #3 - CAPI, Mixed-mode, Mode independent projects (this blog post will be published soon)
Disclaimer: This blog was created by Nebu in order to provide a high-level, general understanding of GDPR, and should by no means be considered or used as a substitute for legal advice. Nebu does not accept any responsibility or liability for the accuracy, completeness, legality, or reliability of the information contained on this blog.
Zoltan Szuhai has worked for Nebu for more than 15 years and is Managing Director of the Development Centre in Debrecen, Hungary, with responsibilities for running the office and legal administration. The primary technical role is as a Director Research & Development: managing the Development Team and applying agile methodologies and responding to technology-related requirements. Previous experience within IT environments, including Client liaison and time spent as a Software Engineer, gives Zoltan a good understanding of the technical challenges of our industry.