The GDPR affects all companies that deal with data of EU citizens. In this article we address specific implications that the GDPR might have for our industry and for the daily work of fieldwork and marketing research companies.
In a series of three blog posts we are considering the implications of the GDPR for the marketing research industry. The previous two blog articles touched upon how the GDPR might influence conducting CATI and WAPI interviews. In this one I'd like to consider how the new legislation may affect conducting CAPI surveys, as well as mixed-mode studies and mode-independent research projects.
Mode specific considerations: CAPI
As CAPI mode is a personal (F2F) interview, it gives a chance to collect different types of data than WAPI or CATI mode, and that data also needs different handling:
CAPI interviews are often conducted on tablets, where the location service can be on and GPS coordinates can be attached to the interview. If the interview application works with a sample file, this is usually less of an issue. When the interview itself collects personal data (for example the question “Can we contact you later by email?”, where an email address may also be collected), further conclusions can be drawn: person X was at location Y on a certain date. That probably provides you with more information than a simple interview should, and potentially more than is justified by the original scope of the survey.
The interview application can allow taking pictures of the respondent, which are attached to the interview. If the picture also holds geo-tag information, then personal data (a picture of the respondent is also personal data) is enriched with further conclusions that, again, most probably should not be part of the interview.
Sound recordings can be enabled during the interview. Here the same rules apply as in CATI mode.
Tablets are not the final destination of the collected data; the transfer back to the place of processing has to be done via a secure channel.
It is good practice to encrypt the devices and use proper locking mechanisms, so that if a tablet is lost or stolen the chance of a data breach is minimised, especially if remote wipe of the data is possible.
Mode specific considerations: Mixed-mode
Mixed-mode interviews combine the characteristics of other interview modes, which means the data handling challenges extend to all characteristics of the combined modes.
Mode specific considerations: Mode independent studies
Independently of the mode, we cannot ignore one serious fact: actively collected data can be almost anything. You therefore either govern by policy what data you may collect and how it fits into your data flow, or you handle that data with the highest care. Why this suggestion? Depending on the research, you may ask for sensitive information that requires special attention (typically data related to health, ethnicity or religion), or you may ask for certain attributes that are not personally identifiable on their own, but where a combination of 3-4 data points will identify a person, which again calls for attention in data handling.
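The effect of combining a few non-identifying attributes can be measured on a data set before it moves further along the data flow. The following is an added example, not Nebu's code; the field names, the sample records and the threshold k are constructed assumptions.

```python
from collections import Counter
from itertools import combinations, product

FIELDS = ("age_band", "postcode", "occupation")  # assumed quasi-identifiers

# Constructed sample: nine respondents, no name, email or phone number collected.
RESPONSES = [dict(zip(FIELDS, values)) for values in product(
    ("30-39", "40-49"), ("4026", "4032"), ("teacher", "nurse"))]
RESPONSES.append(dict(RESPONSES[0]))  # one respondent shares a full profile


def group_sizes(records, fields):
    """Count how many records share each combination of values for `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def k_anonymity(records, fields):
    """Size of the smallest group; 1 means at least one person is singled out."""
    return min(group_sizes(records, fields).values())


def singled_out(records, fields):
    """Indices of records whose combination of values is unique in the data set."""
    sizes = group_sizes(records, fields)
    return [i for i, r in enumerate(records)
            if sizes[tuple(r[f] for f in fields)] == 1]


def identifying_sets(records, fields, k=2):
    """Smallest field combinations whose smallest group has fewer than k members."""
    found = []
    for n in range(1, len(fields) + 1):
        for combo in combinations(fields, n):
            if any(set(f) <= set(combo) for f in found):
                continue  # a subset of this combination is already identifying
            if k_anonymity(records, combo) < k:
                found.append(combo)
    return found


if __name__ == "__main__":
    for n in range(1, len(FIELDS) + 1):
        for combo in combinations(FIELDS, n):
            print(combo, "k =", k_anonymity(RESPONSES, combo))
    print("identifying:", identifying_sets(RESPONSES, FIELDS))
    print("singled out:", singled_out(RESPONSES, FIELDS))
```

In this sample every single attribute and every pair is shared by at least two respondents, while the three attributes together single out seven of the nine.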
If you use external sample providers to carry out your research, additional contractual restrictions on data collection may apply (obvious ones, such as not asking for email addresses or phone numbers). This does not really fall under the GDPR, as it is governed by contract, but any other aspect of contacting EU citizens will fall under the EU GDPR.
Disclaimer: This blog was created by Nebu in order to provide a high-level, general understanding of GDPR, and should by no means be considered or used as a substitute for legal advice. Nebu does not accept any responsibility or liability for the accuracy, completeness, legality, or reliability of the information contained on this blog.
Zoltan Szuhai has worked for Nebu for more than 15 years and is Managing Director of the Development Centre in Debrecen, Hungary, with responsibilities for running the office and legal administration. The primary technical role is as a Director Research & Development: managing the Development Team and applying agile methodologies and responding to technology-related requirements. Previous experience within IT environments, including Client liaison and time spent as a Software Engineer, gives Zoltan a good understanding of the technical challenges of our industry.