GDPR – What will it mean for research companies and clients?
Like all market research suppliers we have been hard at work over the last few months preparing for GDPR. Whilst we have always taken our data protection responsibilities seriously, this has been a good opportunity to review all of our systems and processes to make sure that we can fully document how we are complying with the new regulations.
Our clients will probably see little obvious difference. At Community Research it is unusual for us to be in the position of receiving data from our clients, although this does sometimes happen. More frequently we are recruiting participants for research directly – and the lawful basis is consent. This means our focus has been very much on making sure we have the right processes for gaining informed consent from those we recruit. We will have to be even more clear about what data we will collect (including photographs or videos), how it will be used, processed, stored and, eventually, destroyed.
This may mean that we will have to ask our clients to think much more carefully in advance about what they may want to use in terms of outputs such as vox-pop videos, as we will need to be clear with respondents about this from the start. It will also mean we can’t ask for a general permission to re-contact and keep respondents’ details; we will only do this if we can be transparent with respondents about what we may want to re-contact them for and within what timeframe that might occur.
GDPR has also meant that we have re-checked our IT security processes, gaining Cyber Essentials certification in March of this year. Whilst most of the requirements for Cyber Essentials were already in place at Community Research, again this provides our clients with assurance that their data and research participants’ personal or sensitive data is properly protected.
Finally, you may have received a number of opt-in emails asking you whether you wish to continue to receive newsletters and emails like this one. We looked hard at the guidance and regulations on this and decided this was not necessary in our case. The new data protection requirements have a number of legitimate reasons for which we can use personal information. One of these is ‘legitimate interests’. This means that we have the potential to use your personal information (your name and email address) if we have a genuine and legitimate reason and we are not harming any of your rights and interests. We should only use individuals’ information in ways they would reasonably expect and we must be careful that we are not using personal information in a way that people may find intrusive or which could cause them harm. We believe we can demonstrate this is the case when we send you these updates in our occasional newsletters, but you always have a choice: if you no longer wish to hear from us you can, as ever, unsubscribe at the bottom of the newsletter or by clicking here.