GDPR (General Data Protection Regulation) was implemented in 2018 to enhance individuals’ control and rights over their personal data. Every market research provider should be aware of the basic concept of GDPR and know how to design and conduct research projects which meet the data protection rules and best practices.
What is personal data
This is any information relating to an identified or identifiable person. An “identifiable” person is one who can be identified directly or indirectly, in particular by means of association.
Identification attributes can be divided into three different categories:
- Hard identifiers refer to a specific person: full name, address, e-mail address, telephone number, photo, etc.
- A combination of soft identifiers can also be used to identify a single person because the combination is unique. For example, if somebody is a “fitness trainer” + a concrete small village, you can find the specific person without knowing any other attribute, even the name.
- Sensitive attributes are a special category of personal data and should be treated in a special way.
Privacy consideration during research design
Here are a few questions you should think about before every research project:
- Will you collect personal data? What type of data?
- How much data do you really need to collect to achieve your research goals?
- How will you process the data? To create reports, presentations, articles, blog posts, ads, PR activities…? The information you give to participants should cover all possible uses of the data.
- Will you share the data with anyone? Will the result contain any personal information?
Respondents’ consent is the key aspect of meeting the GDPR requirements. It is the legal basis for the processing and transfer of personal data. Do not collect personal data if you don’t have the consent of the respondent. You need to give your participants complete information about how their personal information will be used, and you must get their consent to its usage, processing, and sharing with other parties.
- Explicit consent – respondents must do an action to prove they agree, for example by signing the form, ticking the checkbox (not checked by default), etc.
- What information is being collected.
- Whether and how the video session will be recorded or observed (and who’s watching).
- How the information will be used, who can access it (list all data processors, clients, …).
- How long the data is stored and when it is deleted.
- User’s rights: consent can be withdrawn at any time, respondents’ right to access their data, to correct inaccurate data, and to request its removal (to be forgotten).
- Who is the data controller, contact information, list of data processors (recruiters, agencies, transcription services, software providers).
- Everything written in clear, comprehensive, easy language.
Best practices during data collection
Do not collect or record data that you really don’t need. We know, this can be tricky in qualitative research because your goal is to look for insights, new ideas and you often need to create a big picture of the topic you explore. Try to keep the minimization principle at least for personal data.
The GDPR does not apply to anonymized information. Anonymization is the process of removing personal identifiers, both direct and indirect, that may lead to an individual being identified. The safest approach under GDPR is to collect anonymized answers. If you are not able to identify the specific respondent, there is no need to worry about GDPR. When data is anonymized, it is no longer personal data.
Unfortunately, fully anonymized studies are rare. Usually, you need respondents’ emails or phone numbers to invite participants, their names and addresses to provide incentives, you have video focus group recordings with their faces, etc.
You should anonymize data as soon as possible in the research process – to separate the personal data from the collected content.
Pseudonymization can be helpful – the personal data can be replaced by a pseudonym (e.g., false name, nickname, ID number, masked characters). With pseudonymized data, it is still possible to identify the person concerned given the appropriate additional knowledge. For example, if you use a nickname instead of a full name in your study, you are still able to connect answers with the real identity of the specific respondent.
When you work with pseudonyms instead of real names, it’s much easier to apply anonymization later during the research process – you just delete the source that connects the real identity with the pseudonym. This is typically one table that includes both the real name/email and the nickname.
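The pseudonym-and-key-table workflow described above, as an added example in Python (not Collabito's code); the field names, the `R-` pseudonym format and the sample respondents are constructed assumptions. It also flags records whose soft-identifier combination is unique, because those remain identifiable after the key table is deleted.

```python
import secrets
from collections import Counter

HARD_IDENTIFIERS = ("name", "email", "phone")   # direct identifiers to strip
SOFT_IDENTIFIERS = ("occupation", "village")    # assumed quasi-identifier fields

def pseudonymize(respondents):
    """Split raw rows into research records (no hard identifiers) and a key table."""
    records, key_table = [], {}
    for row in respondents:
        pid = "R-" + secrets.token_hex(4)       # random, not derived from the identity
        while pid in key_table:                 # regenerate on the rare collision
            pid = "R-" + secrets.token_hex(4)
        key_table[pid] = {f: row[f] for f in HARD_IDENTIFIERS if f in row}
        record = {k: v for k, v in row.items() if k not in HARD_IDENTIFIERS}
        record["pseudonym"] = pid
        records.append(record)
    return records, key_table

def _combo(record):
    return tuple(record.get(f) for f in SOFT_IDENTIFIERS)

def risky_records(records, k=2):
    """Pseudonyms whose soft-identifier combination is shared by fewer than k records."""
    counts = Counter(_combo(r) for r in records)
    return [r["pseudonym"] for r in records if counts[_combo(r)] < k]

def anonymize(key_table):
    """Delete the only link between pseudonyms and real identities."""
    key_table.clear()

# Constructed sample respondents (not real people)
SAMPLE = [
    {"name": "Anna Novak", "email": "anna@example.com", "phone": "000-0001",
     "occupation": "fitness trainer", "village": "Lhota", "answer": "I train daily"},
    {"name": "Petr Svoboda", "email": "petr@example.com", "phone": "000-0002",
     "occupation": "teacher", "village": "Lhota", "answer": "Weekends only"},
    {"name": "Jana Dvorak", "email": "jana@example.com", "phone": "000-0003",
     "occupation": "teacher", "village": "Lhota", "answer": "Rarely"},
]

if __name__ == "__main__":
    records, key_table = pseudonymize(SAMPLE)
    print("still identifiable via soft identifiers:", risky_records(records))
    anonymize(key_table)                        # records can no longer be re-linked
    print("key table entries left:", len(key_table))
```

Records returned by `risky_records` need their soft identifiers generalized or removed before the data set can be treated as anonymized. In a real project the key table is a file or database table, so deleting it also means deleting its copies and backups.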
Data processing, storage and sharing
The data can be stored in many ways – paper documents, text files, audio files, online forms, and databases. Make sure the data is stored in a safe place and is accessible only to authorized individuals.
Read your company’s data protection policy, safety rules, data retention, and recommendations. Know where the data are kept (locally, externally, cloud, …). Use strong passwords and encryption.
Be sure the data is processed by trustworthy people – internal staff or external subjects with the highest data privacy awareness. You should have a valid DPA (data processing agreement) with all your partners and subcontractors that proves they also comply with GDPR legislation.
If you share the data with your client, make sure you have explicit consent for it from the respondents.
Collabito & personal data
You are a data controller because you organize the project, recruit respondents and determine how the data is collected and used. Sometimes, your client is the data controller.
The data controller is responsible for obtaining participants’ consent. We follow your instructions regarding the personal data of your project. You can contact us to request information about a participant’s personal data or to request its deletion. We will inform you if your participant contacts us with a data protection request.
We have our Data Processing Agreement template ready, or you can send us your DPA template if you have one.
Personally identifiable information (PII) used in Collabito:
- Data imported by you as the project organizer: names, e-mails, phone numbers, and notes.
- Data submitted by the participants during the project: text information, images, video files, audio files, contact information, etc.
- Video focus group recordings (can be disabled in the settings).
- Data collected by our system: IP address and technical cookies to ensure a proper functionality of our system.
We recommend always using nicknames or pseudonyms in Collabito instead of the real names, so your study participants are not able to identify other participants.
We recommend deleting the project data (email, names, photos, phone numbers, video recordings) when you don’t need it anymore. If you don’t delete your project data, we will do it automatically according to our data retention policy.
You can create an anonymized study in Collabito by not importing any personal data into Collabito – use nicknames, don’t submit real emails, don’t record the sessions, don’t ask people to submit their personal data.
Our servers: we use top secure data centers physically located inside the European Union – for both application and storage purposes: Frankfurt/Germany – Amazon S3, SES; Prague/Czechia – Nethost; Dublin/Ireland – Amazon S3, SES. Certified ISO/IEC 27001:2014.
How to handle data deletion requests:
- You can delete one or more respondents from your project. Their answers will also be deleted.
- You can anonymize the project by changing/deleting the real names, emails and phone numbers in the participant’s profile.
- You can delete the video recordings from your video focus group session. You can also disable the recordings.
- You can delete the video uploads or images.
- You can delete the whole project.
- If you are not sure, feel free to contact us, we will help.
Frequently asked questions
What is the recommended data retention period for video focus group recordings?
The retention period is not strictly defined by GDPR, but don’t keep the data longer than necessary. Consider data processing time, requirements given by industry standards (ISO 20252: 1 year), audits, and other circumstances. 1-2 years is generally recommended.
Our company resides in the US. Do we also need to comply with GDPR?
Yes, you need to comply with GDPR if you conduct research with participants in the EU, even if your business resides in non-EU countries.
My company resides in Italy, your servers are in Czechia, Germany, and Ireland. Is it a problem?
No, GDPR applies across the whole EU, so it doesn’t matter which country you reside in. There might be some differences in the local GDPR implementations, for example, children’s age limit.
Can you get the respondent’s consent for us?
You need to get explicit consent in the recruitment phase before you import the personal data to Collabito because our platform requires at least a name and email. For additional data, you can get consent by using the questionnaire module in Collabito, but it’s always easier and safer to get all consent during the recruitment.
What if somebody requests to be erased during or after the study?
You can easily delete the person from the project. This will delete their answers. If you want to keep the answers, you can anonymize the person by replacing the real name and email with fictitious ones. Anonymized means that you don’t keep a connection between the fictitious names and the real names, not even in a separate place.
Please note that we are not lawyers; we are a startup team that cares very much about your success. If you want to ensure your GDPR compliance, we recommend discussing project specifics with your data protection officer (DPO) or lawyer.