GDPR will be implemented within weeks and it is particularly important that market research agencies understand its implications. Chime Insight & Engagement CEO, Crispin Beale, looks at the fundamentals that researchers need to know.

As we move closer to a new era of data processing, preparing for the GDPR is particularly important for market research agencies. Data is critical to the industry and – alongside all the processes, checks and balances that must be implemented internally – the regulation will bring additional barriers, particularly when conducting interviews.

So, how can compliance be ensured?

Lawful basis for processing

To avoid breaching the GDPR, companies must be able to demonstrate that a lawful basis applies to their use of personal data. These six lawful bases for processing personal information are outlined in Article 6 of the regulations, and researchers will need to identify which fits their business and any research projects before a project can be commenced.

From these six bases, it is likely that research companies may use one of the following options;

  • Consent – the individual has given clear consent for you to process their personal data for a specific purpose
  • Legitimate interests – the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those
  • Public task – the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law

Consent, which means a participant has consented to have you process their information. When gaining consent, you have to be explicitly clear as to the purpose of the processing, if you change the original purpose you will need to regain consent.

Legitimate interest, which means the data controller has a legitimate reason for making contact – for instance contacting on behalf of a client to see if their customer is happy with a service or product, or for quality control purposes such as back checking face-to-face research. With legitimate interest there are measures in place to maintain fairness for the participant. These must all be recorded and include controlling how much data needs to be collected to achieve the stated purpose, and ensuring the fundamental rights of the data subject are not affected. The final base for contact is public task, which covers areas such as census data collection and information processed on behalf of public authorities in an official capacity.

When contacting participants, it is essential interviewers provide evidence to prove the legitimacy of that contact, as well as explaining what the aim of the survey is and demonstrating their work is valuable and worthwhile for respondents.

Ultimately, this will have a direct effect on survey design, introduction, and interview length. Interviewers may need to explain their legal base for contact at the beginning of the interview – something that is not currently required. Some questionnaires may take time to legitimise with respondents, especially in the early days when consumers are unlikely to be fully informed about the GDPR.

Making these changes may come at a cost as processes, scripts and techniques are updated to account for additional information that needs to be shared. Interviews may take more time, meaning a longer research period or more interviewers will be required to reach a sufficient number of respondents. Research agencies should have a conversation with their clients about the changes necessitated by the GDPR, and must ensure any associated cost increases are communicated in advance.

Implied versus actual consent

Consent to data collection, processing, and storage is a vital element of the GDPR and encouraging consumers to give explicit permission for their data to be used will be a key challenge for market researchers.

There is a difference between implied consent, where data subjects don’t opt out of data collection, and actual consent, where they need to opt in. Under the GDPR researchers must explain clearly what the data they are asking for consent to collect will be used for, and must only use it for that specific purpose, deleting it when it’s served its intended purpose. 

Understanding consent, and recording it on an individual basis across the business will be key. Facilitating internal processes to police consent periods and re-consent requests will be compulsory to ensure consumer data is not used without permission. These processes can be automated to an extent, but to remain within the guidelines, implementing training and assigning employees as consent ambassadors to internally manage and police the system will be crucial. Research businesses may need to identify a Data Protection Officer to advise on these aspects and ensure internal compliance.

Article 89 exemptions for research

The GDPR will have a significant impact on the market research industry but there is some leeway for select research areas. Article 89 states researchers conducting historical, scientific and statistical research may be exempt from rules about secondary processing and using sensitive data, if appropriate safeguards are implemented to protect the information. What’s more, in some circumstances, researchers might even be able to access data without consent and override requests to delete data, although such occurrences will be exceptional.

Research being conducted in the national and public interest may be excluded from the GDPR regulations, since being unable to collect personal or sensitive data would prevent the core purpose from being achieved. This will apply to research that informs areas such as government planning, or impacts medical and economic viewpoints that will have wider societal implications. One example would be the National Rail Passenger Survey, which is a critical tool in understanding the experiences of rail passengers across the country.

Despite the Article 89 exemptions, it is essential for researchers to establish which category their activities fall under and not to assume their company is exempt just because it covers a particular discipline.

The GDPR deadline is fast approaching and for the market research industry it is not enough to adjust internal systems so they pass muster when the 25th of May comes around. It’s essential that firms identify potential weak points and gain the relevant independent legal advice for their activities. Agencies must keep legitimate bases for contact and explicit consent at the forefront of every project and be fully aware of the ripples that will continue to form long after the GDPR deadline comes around. Only then can they ensure their teams remain compliant into the future.