A guide to GDPR for the research industry

Why is it particularly important for research agencies to comply?

Since the announcement of the new GDPRs (General Data Protection Regulations), Research Runner noticed that there has been a feeling of impending doom around the new regulations which come into play on the 25th May 2018, less than two weeks away.

As a specialist of new business and lead generation for research agencies, Research Runner recognized that the regulations will have a significant impact to the research industry and their clients, as the collection of personal information is key to producing and analyzing data.

What will it mean for the research industry?

In order to conduct quantitative and qualitative data researchers must extend their searches globally, particularly the EU, where the new regulations will be imposed on as from the 25th May 2018. GDPR is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). As such this will mean that there will be several obstacles, preventing or changing the way in which research is conducted.

Failure to comply with GDPR can result in fines, it is important to identify where your company/industry lies, to do this you must read Article 6 of the regulations. Take a look at the ICO website for full guidance. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/, however throughout this document there will be links to particular articles for quick reference purposes.

Research exemptions – articles of interest

Fear not, the new guidelines has allowed for a certain amount of leeway for organisations that process personal data for research purposes. The regulations are sympathetic to the research industry and understand the important role of research and the collection of data. It recognises the importance of innovation and research as a boost to economic growth.

The definition of research according to GDPR is broad and you will need to read the guidelines carefully to determine where your company lies.

(Article 6(4); Recital 50), http://www.privacy-regulation.eu/en/r50.htm, explains how to avoid restrictions on secondary processing and on processing sensitive categories of data, however with the premise that appropriate safeguarding protocols are implemented.

According to Article 89 http://www.privacy-regulation.eu/en/article-89-safeguards-and-derogations-relating-to-processing-for-archiving-purposes-the-public-interest-scientific-or-hi-GDPR.htm, Research carried out, in the interest of the public, will also be exempt from regulations. This includes projects effecting government planning, economics and medical research which may have greater implications. However, safeguarding protocols must be implemented to protect the information collected. It may also give agencies the privilege of overriding the data subjects’ right to object and erase personal data in certain circumstances.

Article 6(1) (f); Recitals 47, 157 http://www.privacy-regulation.eu/en/r47.htm states that organisations may process personal data for research purposes without the need for the data subjects consent.

Article 49(h) http://www.privacy-regulation.eu/en/article-49-derogations-for-specific-situations-GDPR.htm ; Recital 113 http://www.privacy-regulation.eu/en/r113.htm explains that in some instances organisations may be given the right to transfer personal data to third countries for the purpose of research.

Lawful basis for processing – Articles of interest

Research agencies must be able to demonstrate that a lawful basis applies to their use of personal data. The lawful basis for processing is explained in Article 6 http://www.privacy-regulation.eu/en/article-6-lawfulness-of-processing-GDPR.htm of the regulations. Research agencies can identify which best fits their business before a project can commence. There are six categories identified, researchers should pay particular attention to consent, public interest and legitimate interest:

The final base for contact is public task, which covers areas such as census data collection and information processed on behalf of public authorities in an official capacity.

The final base for contact is public task, which covers areas such as census data collection and information processed on behalf of public authorities in an official capacity.

Consent -The data subject has given consent to the processing of his or her personal data for one or more specific purposes. – Article: 7, 8, 9 => Recital: 32, 42, 43, 171

http://www.privacy-regulation.eu/en/article-7-conditions-for-consent-GDPR.htm

http://www.privacy-regulation.eu/en/article-8-conditions-applicable-to-child’s-consent-in-relation-to-information-society-services-GDPR.htm

http://www.privacy-regulation.eu/en/article-9-processing-of-special-categories-of-personal-data-GDPR.htm

The participant has consented to have you process their information. When gaining consent, you have to be explicitly clear as to the purpose of the processing, if you change the original purpose you will need to regain consent.

Contract – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. http://www.privacy-regulation.eu/en/article-20-right-to-data-portability-GDPR.htm

Compliance with a legal obligation – Processing is necessary for compliance with a legal obligation to which the controller is subject.

Vital interests – Processing is necessary in order to protect the vital interests of the data subject or of another natural person.

Public interest – Processing is necessary for the performance of a task carried out in the or in the exercise of official authority vested in the controller;

The final base for contact is public task, which covers areas such as census data collection and information processed on behalf of public authorities in an official capacity.

Legitimate interests – Processing is necessary for the purposes of the pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Article: 13, 21 => Recital: 113, 47, 48

http://www.privacy-regulation.eu/en/article-13-information-to-be-provided-where-personal-data-are-collected-from-the-data-subject-GDPR.htm

http://www.privacy-regulation.eu/en/article-21-right-to-object-GDPR.htm

The data controller has a legitimate reason for making contact – i.e. follow up calls on behalf of a client to make sure customers are happy with a product or for quality control purposes. Researchers/interviewers must provide evidence to prove the legitimacy of that contact, as well as explaining what the aim of the survey is. Is it worthwhile for the participant?

There are measures in place to maintain fairness for the participant. There must be control over how much data needs to be collected to achieve the stated purpose, making sure the rights of the data subject are not compromised in the process.

Understanding consent

A key challenge for the research industry will be gaining consent to process and store data and having the ability to encourage participants to give permission for their personal data to be used.

It is important to understand the difference between implied consent and actual consent. Implied consent is when the user does not ‘opt out’, implying that they have given permission by not opting out.

Actual consent is where the participant has ‘opted in’.

Research agencies must ensure that the procedures for gaining consent are updated and policed by an internal body on a regular basis and explain how the data collected is being used. No data is to be used without first gaining consent at the start of any project.

Impact on the research industry

Some of these may affect the way in which research agencies conduct interviews, it could affect the length of the interview and the introduction to the participant as to what your legal base for contact is at the start of the interview – something not currently required.

As participants adjust to their new rights there will be a certain amount of hesitation and reluctance to participate or comply. Interviewers may find that they will be open to question during the months following the introduction of the new regulations. This may mean questionnaires may take longer and may need to be adapted, thus affecting the amount of questionnaires carried out, the cost of reconstructing them and the ability to reach out.

How can Research Runner help?

Research Runner prides itself on providing support to their clients in many different aspects. Not only do we provide a successful new business lead generation and sales consultancy service, but we like to keep our clients up to date with news on the sales and research industry and any changes in law which may affect our client’s ability to conduct business.

Once the dust has settled on the initial impact of GDPR, Research Runner will reflect on the issues and key points that have affected the insudtry.

For any advice on how to grow your business, please contact us at Research Runner on +44 (0)1279 260 031 or visit is at www.research-runner.com.