The GDPR affects all companies, that deal with data of EU citizens. In this article (and two upcoming ones) we will address specific implications that GDPR might have on our industry and the daily work of fieldwork and marketing research companies.
As you could read in our previous blog post, the EU GDPR affects all companies, that deal with data of EU citizens. Every company needs to be aware their data flows, whether it is related to ‘generic’ customer data, or data is collected for well defined purposes.
Having an overall data-flow, attached to the company procedures in practice, will be your biggest help pinpointing risks, vulnerabilities, or improvement possibilities. Having said that, it has to be one of the very first steps, describing the INs and OUTs of all your data you need to deal with.
Next, and two of the most important, steps are classifying the data, and your role related to it - this requires continuous attention from your staff, as soon as new processes are established, that affect the data-flow. In our previous blog post we described the roles and data classification types. Not all data requires attention - this though sounds to be a case easy to deal with, you still need to guarantee, that a certain point you do not start mixing this data with personal identifiers or sensitive data. For the data, that you need to handle with high attention, the following factors have to be considered:
in what format that data exists (do not allow yourself to merely focus on data sitting in databases, as there are files, emails, documents, tables around and this is still just digital data, there can be data on paper as printed lists, in sound recordings, etc)
How is the data transferred between destinations, does the transfer method have the appropriate characteristics in terms of security, control and accessibility
storage location chosen
who can access the data in each destination
who is accountable for the data in each destination
lifecycle of data - when does it appear in your system, how and when it can be removed, or whether removing is an option at all
This list may look a bit abstract at first glance, but let’s examine some market research practices (without the aim of completeness) per different mode, and pinpoint challenges from these aspects.
Mode specific considerations: CATI
CATI interviews can start on two different paths:
start with an RDD (or semi-RDD) sample
start with a ‘normal’ sample
In both cases, you can end up in a few “feels tricky” situations. First and most important, is that you need to be aware of laws, that apply to your activity. This includes whether or not RDD sample is allowed to use at all, and also indicates, if do not call lists (blacklists) have to be applied.
For normal samples, you need to consider all the characteristics, mentioned in the data-flow section:
Do you send mails with sample files, where the sample files are not password protected and not encrypted? It is really easy to Cc many people, is it really necessary, can you confirm, that only the relevant people will get the content?
Do you use normal FTP instead of FTPs/sFTP? Are the access credentials managed properly, can you guarantee, that users use different (unique) logins & access rights?
Can sample files end up in various local workstations, local file shares, and if so, for how long? Do you have an established data retention/cleanup policy?
If data comes from web services, or external database connections - do they use proper authentication, and encrypted data transfer?
Phone numbers are personal identifiable information, are those hidden from the interviewers?
If you use manual dialing, do you have an appropriate policy on it?
What about your sound recordings? It’s evident that respondents have to be made aware of it if a recording is being created, but the purpose of the recording and lifecycle of the recording is just as important. Since in a questionnaire sensitive data and personal data also can be asked, then you need to apply same rules for sound recordings, then for other collected data, also must be part of your data-flow
Logging of calls in software, dialer, has to be designed properly, not to spread personal data to places, where it should not appear at all. When personal data appears in log files (bad practice) then you need to pay attention to their life-cycle, actually introducing more risks, than necessary.
Read all articles in this series:
GDPR - Market Research Implications #1 - CATI (you are reading this article now) GDPR - Market Research Implications #2 - WAPI (this blog post will be published soon) GDPR - Market Research Implications #3 - CAPI, Mixed-mode, Mode independent projects (this blog post will be published soon)
Disclaimer: This blog was created by Nebu in order to provide a high-level, general understanding of GDPR, and should by no means be considered or used as a substitute for legal advice. Nebu does not accept any responsibility or liability for the accuracy, completeness, legality, or reliability of the information contained on this blog.
Zoltan Szuhai has worked for Nebu for more than 15 years and is Managing Director of the Development Centre in Debrecen, Hungary, with responsibilities for running the office and legal administration. The primary technical role is as a Director Research & Development: managing the Development Team and applying agile methodologies and responding to technology-related requirements. Previous experience within IT environments, including Client liaison and time spent as a Software Engineer, gives Zoltan a good understanding of the technical challenges of our industry.