The source of this piece is, unfortunately, some dodgy practice we spotted in the last few weeks. To help provide solutions instead of wagging fingers, here are some best practice hints and tips so you know what you need to do.
Consider who you are contacting. Are they the right people to help you answer your questions and do you have permission to contact them for market research purposes? You need to identify in the survey your legal grounds for making contact. It may be that you have a legitimate interest, such as when you are sending out a post-event customer satisfaction survey. If so, great!
Be clear on what the research is about and how long your survey, interview or focus group will take to complete. Share this with people right up front so they know what they’re getting into.
Think carefully about gathering sensitive personal data. This includes: people’s religious or philosophical beliefs, health status, racial or ethnic origin, trade union membership, political beliefs, sex life or sexual orientation, genetic data, biometric data. Do you really need this data? If the answer is yes, you need additional, specific consent to collect it. This is in addition to the consent given to conduct the research. You need to be upfront about how any personal data will and will not be used. For instance, you’ll likely want to make clear that you will not share the data with third parties.
There are additional considerations if you are conducting research with children under 16 or with vulnerable people. Make sure if they are part of your target population for research you treat their data with special care.
A good privacy notice is your friend. It’s where you make it clear to your participants how their data will be used, processed and stored. It should also outline their rights (to withdraw consent, complain etc.) and be written in plain English so everyone can understand what they are consenting to. Be sure to provide your contact details as the researcher as well as your data protection officer’s contact details. If you are offering an incentive you should also clearly state what the prize draw terms and conditions are. Also, remember its not good practice to offer your own products or services as an incentive to complete your survey.
Finally, think about where the data is being stored. Some commentators have raised concerns that data stored outside the EU (in cloud services in North America or offshore for instance) may not sufficiently comply with data protection. Your organisation will need to make a judgement about how tolerant you will be of such a risk.
Overall, GDPR compliance is an extension of good, basic research practice. If you want to dig in in more detail, as members of the Market Research Society (MRS) we recommend both their Code of Conduct along with the detailed and useful guidance and advice on GDPR.
If your internal processes follow the advice above you can be sure that your patron’s personal data will be handled in a GDPR compliant way and live up to the trust participants place in you.