Before we lay out the 4 practical steps you need to take, let’s get the background clear:
Who is affected by GDPR?
If your company holds, handles or processes data of an individual or individuals who are in the EU, then you have to comply with GDPR from 25 May onwards.
GDPR applies to data processing carried out by organisations operating within the EU, and also to organisations outside the EU that offer goods or services to individuals in the EU. So, if you’re a US-based company selling to customers in Germany or France, then GDPR does apply to you too.
And it applies to both “data controllers” and “data processors”
What type of data does GDPR apply to?
Any information relating to an identified or identifiable natural person (the 'data subject'). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as: a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Personally identifiable information (PII) includes:
|Stand-alone data||Data which may qualify, when combined|
|Full name||First name or last name|
|Postal address||Country, state, postcode or city or residence|
|National ID number||Gender|
|Vehicle registration number / number plate||Company worked for, or job position|
|Driver licence number||Date of birth|
|Login name, screen name, nickname or handle||Location data|
|Unique URL string (e.g shopping cart when online shopping)|
|Device number (e.g. IMEI)|
|Photograph of the person|
|ID number of third parties (e.g. Facebook, Google etc)|
--> this applies to data you hold or handle on your panellists, employees, suppliers and clients
It’s worth noting that ’pseudonymised' data are still subject to GDPR; however ‘anonymised’ data are not subject to GDPR.
(Pseudonymised data are personal data which have been processed in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information - provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.)
What legal rights is GDPR enforcing for individuals, regarding their Personal Data (PD)?
Review current privacy notices and put a plan in place to implement changes in the survey invitation, the online privacy statement, the review of notice to customers, the questionnaire (online, hard copy) and the research portals and reporting tools.
Use concise, easy to understand, clear language, and consider whether you need to translate the notices for the countries you are active in, and whether you need a nationality question.
Privacy notices should include:
They should also state what the legal basis is, for processing the data - e.g. one of the following:
Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
Vital interests: the processing is necessary to protect someone’s life.
Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
The consent notice should include:
Also, consent cannot be assumed, so you need to review the questionnaire and change any “pre-ticked” consents.
Finally, keep records to evidence consent: who consented, when, how and what they were told. And build regular consent reviews into your processes, so you can refresh if anything changes.
Document what personal data you hold, where it came from and who you share it with. This will help you to comply with the accountability principle of GDPR and demonstrates that you have effective processes in place.
Also, organise an information audit and a privacy impact assessment to identify any issues early on. For example, if you find out that you hold inaccurate personal data, and you have shared this data with another organisation, you are obligated to tell the other organisation that the data is inaccurate.
Think about the the flow of personal data to truly understand exactly where the personal data goes / who has access to it and if is transfered.
In our example below, for instance, the data sits with the research team in the UK, but also on our servers in Germany, and then it may also be on the servers of the external online discussion board.
The task is to map the data flow so you can better understand your processing and identify where data is, so that you can meet the rights of individuals by describing the processing in a privacy notice and you are able to delete data, if requested.
GDPR can seem daunting at first, but, broken down into these four core steps, it becomes manageable – but it does take time to set up any new process, so it should be tackled without delay, as the deadline for enablement is approaching fast.
For MRS members - the MRS have provided useful checklists for GDPR, including an Informed Consent checklist and a Compliance checklist.