Before we lay out the 4 practical steps you need to take, let’s get the background clear:

Who is affected by GDPR?

If your company holds, handles or processes data of an individual or individuals who are in the EU, then you have to comply with GDPR from 25 May onwards.

GDPR applies to data processing carried out by organisations operating within the EU, and also to organisations outside the EU that offer goods or services to individuals in the EU.  So, if you’re a US-based company selling to customers in Germany or France, then GDPR does apply to you too.

And it applies to both “data controllers” and “data processors”

• A controller determines the purposes and manner in which personal data is collected and used, and the means of processing that personal data – i.e. GfK’s client companies. If you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
  
  
• A processor is responsible for processing personal data on behalf of a controller – i.e. GfK. If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.

What type of data does GDPR apply to?

Any information relating to an identified or identifiable natural person (the 'data subject'). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as: a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Personally identifiable information (PII) includes:

--> this applies to data you hold or handle on your panellists, employees, suppliers and clients

It’s worth noting that ’pseudonymised' data are still subject to GDPR; however ‘anonymised’ data are not subject to GDPR. 

(Pseudonymised data are personal data which have been processed in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information - provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.)

What legal rights is GDPR enforcing for individuals, regarding their Personal Data (PD)?

1. Access / Portability: the right to access their data and transfer it to others
2. Correction: the right to have their personal information corrected 
3. Deletion: the right to have their personal data deleted (right to be forgotten)
4. Consent / Profiling: individuals must give their consent for you to process / profile their data
5. Report: data breaches mush be reported within 72 hours
6. Design: you must provide documented privacy protection during design
7. Communication: you must use plain language and explain the purpose for which you will process their personal data, for how long it will be stored, and who will receive it.

4 practical steps for Researchers, to comply with GDPR:

1.     Check your privacy notices

Review current privacy notices and put a plan in place to implement changes in the survey invitation, the online privacy statement, the review of notice to customers, the questionnaire (online, hard copy) and the research portals and reporting tools.

Use concise, easy to understand, clear language, and consider whether you need to translate the notices for the countries you are active in, and whether you need a nationality question.

Privacy notices should include:

• The identity and contact details for the Project; as well as the contact details of the data protection officer.
• The purposes and the legal basis of the processing
• The legitimate interests pursued by the data controller or by a third party.
• The recipients, or categories of recipients, of the personal data collected by the research
• That the data controller intends to transfer personal data outside the European Economic Area (EEA) (this is the EU plus Norway, Iceland and Lichtenstein), plus a reference to the appropriate or suitable safeguards in place.
• The period for which the personal data will be stored, or, if this is not possible, the criteria used to determine this period.
• The existence of the right to request, from the data controller or the data processor, access to and rectification or erasure of the personal data, or restriction of processing of personal data concerning the data subject, or to object to the processing of such personal data, as well as the right to data portability.
• For research that relies on consent for the processing, the notice should state the existence of the right to withdraw that consent at any time.
• The right to lodge a complaint to a supervisory authority.
• A statement on whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the data, and of the possible consequences of failure to provide such data.
• The existence of automated decision making, including profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the individual.

They should also state what the legal basis is, for processing the data - e.g. one of the following:

Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

Vital interests: the processing is necessary to protect someone’s life.

Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

2.     Review how your survey collects consents

The consent notice should include:

• clear affirmative action ("By clicking on this button, you agree to participate in the survey")
• clear affirmative written statement ("[ ] I confirm you agree to participate in the survey and provide data about my gender and ethnicity for research purposes. By ticking the checkbox, you agree that you are willing to provide information about your gender and ethnicity.")
• signature
• clear affirmative oral statement (phone call, in which a script that seeks consent is read to the participant by the interviewer and agreed by the participant).

Also, consent cannot be assumed, so you need to review the questionnaire and change any “pre-ticked” consents.

Finally, keep records to evidence consent:  who consented, when, how and what they were told. And build regular consent reviews into your processes, so you can refresh if anything changes.

3.     Document everything!

Document what personal data you hold, where it came from and who you share it with. This will help you to comply with the accountability principle of GDPR and demonstrates that you have effective processes in place.

Also, organise an information audit and a privacy impact assessment to identify any issues early on. For example, if you find out that you hold inaccurate personal data, and you have shared this data with another organisation, you are obligated to tell the other organisation that the data is inaccurate.

 4.     Map out your data flow 

Think about the the flow of personal data to truly understand exactly where the personal data goes / who has access to it and if is transfered. 

In our example below, for instance, the data sits with the research team in the UK, but also on our servers in Germany, and then it may also be on the servers of the external online discussion board.

The task is to map the data flow so you can better understand your processing and identify where data is, so that you can meet the rights of individuals by describing the processing in a privacy notice and you are able to delete data, if requested.

Conclusion

GDPR can seem daunting at first, but, broken down into these four core steps, it becomes manageable – but it does take time to set up any new process, so it should be tackled without delay, as the deadline for enablement is approaching fast. 

For MRS members - the MRS have provided useful checklists for GDPR, including an Informed Consent checklist and a Compliance checklist.