Countdown to Compliance – What does GDPR mean for client/agency working practices?
With the General Data Protection Regulation (GDPR) going live in less than three months, organisations across the market research industry are gearing up to ensure that they are compliant by the 25th May 2018.
Much has been published and presented about these new privacy laws. Indeed, feedback from Facts International’s clients at the end of 2017 revealed that nearly 50% of market researchers think it will have the biggest impact on the UK market research industry in 2018. This far outstripped areas such as AI, Automation and, as reported by the Bellwether 2017 Q4 report, market research budgets, which declined for the sixth quarter in a row.
The feeling around the impact of GDPR in 2018 was reflected by senior industry experts such as: Tim Barber, Director at BDRC Continental; Debbie Bray, Director at Hook Research; and Paul Flatters, Chief Executive of Trajectory Partnership; who all identified GDPR as the topic that would have the greatest impact on market research this year.
As a leading market research organisation, Facts International has always placed data security and protection as a top priority. Having already achieved Cyber Essential accreditation along with ISO 27001 certification, we had a head start on the security aspects of GDPR. Combine this with our specialist staff members who sit within the MRS, ESOMAR, the IQCS Council and the Fair Data Board, and we were in a very strong position to implement the new regulations; in fact, many of our policies and processes have already been updated.
As we move closer to 25th May 2018, clients will undoubtedly notice two key upgrades within our communication processes.
So what exactly will that look like for you?
One of the main requirements of GDPR that will have a noticeable impact is that of consent. Facts International, along with most other market research organisations engaging in primary research and data collection, will get interview participant sample from a wide range of providers. Under the new regulations, those supplying the sample will have to ensure that the sample is clean, up to date and that they have the required consent to use the information.
Under Article 7 of GDPR, consent can no longer be implied and must be positively affirmed. Neither can consent to be in a database, be used as blanket consent for multiple purposes. When consent is sought, information about withdrawing consent including how to do so must be communicated and, where relevant, third parties who rely on consent must be named.
Whilst gaining legal consent will sit with the Data Controller, research agencies such as Facts International have a contractual obligation to ensure that the sample they are given to use on those projects has been put through the relevant consent checks. Therefore, our project set-up procedures will incorporate updates surrounding these consent parameters as of 25th May. From this date, clients and sample providers alike should expect to be asked questions surrounding the topic of sample and consent.
The second main requirement of GDPR that will have an impact on our clients is that of Transparency. Covered in a variety of ways in Articles 12-22, and with regard to breaches in Article 34, this area essentially covers information about and communication with individual data subjects. Here, the data controller will have to evidence that information regarding the data subject has been processed in a transparent manner. This means that the information conveyed must be concise, transparent, intelligible and easily accessible. Whilst Facts International and other agencies would not ordinarily be the data controller, it is in our interest and the interest of a well-run project, to ensure that communications do indeed follow this format.
In market research, one of the most common areas for these communications to take place is in warm-up letters which precede the primary research activity, or the introduction at the beginning of an interview or survey.
It has been considered that this may affect total interview length, and so interviewing costs may rise. However, the research professionals at Facts International feel that this does not always have to be the case, and that transparency provides greater opportunities to devise communications that engage data subjects and increase participation rates. In this area, GDPR promotes the use of principles such as KISS (Keep It Short & Simple). Facts International will work closely with clients on both a project and audience basis, to ensure that communications that are sent out from our organisation conform to the new communication requirements.
This would also include any information regarding a data subject’s rights or requirements in terms of how a data subject might check on the legitimacy of a market research project. These communications are often in the form of leaflets or hosted on websites and here it would fall to the data controller to ensure that the information was readily available and well signposted, so we could provide details on where the information can be easily found.
For more information on how GDPR will affect the market research industry, please visit https://www.mrs.org.uk/standards/gdprsupport