From May 25th, 2018, new General Data Protection Regulation (GDPR) legislation is being introduced across the EU to herald a new standard in data protection and privacy for individuals.
The aim of this legislation is to increase the rights of the individual, providing them with greater transparency as to what personal data companies hold on them as well as giving them more control over what can be done with it.
The GDPR definition of personal data covers anything which can be used to identify an individual and therefore covers things such as name, address, email address or phone number.
The legislation also provides more stringent rules for all companies that hold personal data on individuals, covering how they collect, store, share and dispose of that data. There are severe financial penalties for companies found to be in breach of the GDPR legislation.
One of the requirements of GDPR is for each company to have an easily accessible Privacy Notice, setting out, in plain English, their approach to personal data and how they will be handling it, post May 25th 2018.
This post sets out The Seed’s approach to GDPR and explains the types of personal data we generally have access to and how we handle it in order to be compliant with the GDPR.
Types of Personal data we collect and use
The Seed is a research and strategy consultancy. Companies commission us to give them an objective view of what their customers (past, present or future) think about various aspects related to their brand, products, services, competitors or general market trends.
We use various techniques which can broadly be divided into qualitative (e.g. focus groups, interviews) and quantitative (e.g. surveys).
1: Qualitative research
Qualitative research studies involve us talking to customers (typically face-to-face or via phone/video conference, e.g. Skype).
We typically sub-contract the recruitment of these customers to our clients or to other specialist GDPR-compliant recruitment companies. Our involvement begins when we receive a list of attendees prior to the session, which we ask them to sign to confirm both their attendance and that they have received any incentive payment due.
Any additional personal data they may reveal conversationally during the interviews and focus groups will only be reported anonymously in our reports, thus preserving the privacy of the individual.
Any notes or recordings (audio or video) that we may take of the interviews and focus groups are used purely to help us recall what was discussed and are generally retained for 6 months after the conclusion of the project after which they are destroyed.
2: Quantitative research
Quantitative research studies involve us creating a survey questionnaire which is completed by a larger number of research participants.
This information is usually collected online whereby the survey is sent out to a sample of relevant people to complete.
The information collected varies, project-by-project, but, whilst it may include some broad profile data such as age, gender, occupations and so on, it does not generally include personal data i.e. data that allows an individual to be identified from their responses.
The survey links are typically sent to participants either directly by our clients (where they have a database) or from a GDPR-compliant panel company who we have briefed to recruit our research sample. In both cases, they may hold personal data on the respondents (e.g. name and email address), but this information is not passed on to us.
The only exception to this rule may be if we are offering an incentive such as entry into a prize draw. Where this takes place, we need to capture their name and email address to enter them into the draw, but this is a separate data capture exercise and their personal data is purely used to enable the prize draw to be carried out. Once it has been completed, the personal data of all prize draw entrants is deleted.
Once we have obtained customer feedback from one or more of these methodologies, we will analyse the findings at an aggregated level and provide our clients with overall insights and implications for their business.
In our presentation of findings, we will never provide anything which could be linked back to an individual respondent and will resist any request to do so from our clients in the unlikely event that they ask us for it.
Our legal reasons for collecting data
The GDPR legislation sets out 6 broad principles covering the collection of data, at least one of which must be satisfied for an organisation to be GDPR compliant.
Those principles are defined as follows – Consent, Contract, Legitimate Interest, Public Interest, Legal Obligation and Vital Interest.
The work that The Seed carries out on behalf of its clients almost always falls into one of two categories – consent or legitimate interest.
Consent – here we will set out clearly in advance what we require the personal data for and what we are going to do with it. We then seek explicit consent from participants before they take part, i.e. an opt-in is required, not an opt-out.
Legitimate interest – here we set out clearly up front why the personal data is required for us to be able to carry out our legitimate work for our clients. Again, this would include how we will handle the personal data and what we will do with it afterwards.
Roles: Data controller vs Data Processor
The GDPR legislation draws a distinction between Data Controllers and Data Processors. The former is responsible for the overall direction of a project i.e. what data is required and how it will be used; whereas the latter is responsible for working with the actual data, under instruction from the Data Controller.
In a typical project, it is likely that the commissioning client (End Client) will act as the Data Controller since they are determining the overall parameters of the project and paying The Seed to deliver the data as specified.
The Seed will typically act as the Data Processor, undertaking the research and collecting any personal data on behalf of the End Client.
The Seed may in turn contract additional sub-Data Processors (e.g. data collection companies, research agencies, survey platforms, recruiters, etc.) who will carry out those aspects of the project that The Seed cannot complete itself. These companies will work under the instruction of The Seed, which is in turn acting under instruction from the End Client as per the agreement.
The Seed will always ensure that any companies sub-contracted in this way are also GDPR compliant in the way they obtain, handle, store and dispose of data.
It is possible on occasions that the End Client and The Seed will share the decision-making process on a particular project in which case they can be considered Joint Data Controllers.
Regardless, we will ensure that instructions are put in place each time between Data Controller and Data Processor to ensure that both parties are clear on their duties and obligations.
Data Protection Officer
One of the stipulations of the GDPR is that larger organisations must appoint a Data Protection Officer (DPO), an independent role to oversee the organisation’s data activities and ensure they comply with the GDPR.
At present, The Seed does not meet the criteria whereby a DPO is required, but we will continue to monitor the situation and if we need to appoint one in the future, we will do so at that time.
Data storage & transfer
Any personal data that we may obtain from a research project will be stored digitally on password protected laptops and backed up in the cloud on EU-based Microsoft 365 servers which are compliant with the GDPR legislation.
On occasions, personal data may be transferred outside the EU (e.g. if we are using a survey platform based in the US), but on those occasions we always ensure that whoever we are transferring the data to is also GDPR compliant.
If we are required to share any personal data during a project with a client or other party, we will do so via encrypted, password-protected email, with the password communicated to the recipient via an alternative, non-email channel, e.g. by phone or SMS/WhatsApp message.
The Seed’s policy is to retain personal data for only as long as we need it. As a rule, this is typically for 6 months after the conclusion of a project but may be sooner. We do not keep hold of personal data ‘just in case’. When deleting data, we will advise our End Client first and then use an electronic file shredding service such as File Shredder.
If a data breach does accidentally take place, then The Seed has a policy for dealing with it in line with the ICO’s recommendations.
Initially we will carry out a ‘containment and recovery’ exercise to limit any further damage, followed by a risk assessment. If appropriate, we will report any breach to the ICO within 72 hours of the breach. Any individuals affected will also be informed where necessary.
Right to access
Another aspect of the GDPR is that it gives individuals the right to access any data that a company may hold on them.
Should any individual wish to see what information we are holding on them, they can submit a request and we will respond within 30 days, provided the person can be identified and also that the request is reasonable.
The Seed has been taking the GDPR seriously over several months now and has undertaken a variety of training initiatives including attending a Market Research Society GDPR seminar, attending an ICG GDPR Webinar, purchasing and implementing the GDPR Advisors UK’s compliance pack for Market Research organisations and subscribing to the GDPR for Online Entrepreneurs group on Facebook. We will continue to maintain ongoing training on GDPR-related topics following the May 25th launch date.
The Seed has also taken steps to ensure it is in line with the requirements of the market research industry and the broader business community.
This includes maintaining membership of the Market Research Society (MRS), whose code of conduct we adhere to, and also registering with the Information Commissioner’s Office (ICO). The Seed’s registration number is A8263007.
Non digital data
Whilst the GDPR is primarily focused on digital data, the same principles apply to non-digital data as well.
The Seed employs other safeguards to ensure any non-digital personal data is afforded the same protection and privacy as digital personal data, e.g. keeping sensitive data in a locked file and shredding paper files after a similar length of time.
For more information
Hopefully this post will give you a good understanding of what The Seed does and how we are approaching data protection and privacy in a post-GDPR world.
Our whole approach is based around ‘privacy by design’, ensuring the rights of the individual are respected at all times.
To that end, we approach every new project by conducting a Privacy Impact Assessment (PIA) to identify any specific risks involved and to ensure that the correct measures are proactively put in place to mitigate them.