As a research and insight specialist, you’ve been working with the challenges and complexities of GDPR for several months now. It’s hard right! That’s why we’ve written this short guide. It will help crystallise what you need to do on an ongoing basis, and why, helping you stay on track and remain compliant as Dr Marie-Claude Gervais, our Research Director explains.
Some GDPR basics
I'll use our Together platform as a point of reference to show how easy it is to ensure you're compliant with the key GDPR legislation when performing online research. The first thing to know is that, as a manager of an online research community, you are a ‘data controller’ (not a ‘data processor’).
As a data controller, when you invite people to take part in an online research community, you should always have clear Terms and Conditions (Ts and Cs) that include:
- Why you are conducting the research - it's purpose
- How the data will be used, shared, stored, anonymised, protected
- How long you will keep the data for (your approach to Data Retention)
- The identity and contact of your Data Controller and/or Data Protection Officer (DPO)
Agreeing to abide by these terms at the start of any research study or community amounts to giving informed consent. Using research platforms, it's simple to copy and paste the Ts and Cs into a welcome email message. Participants have to agree to them before they progress into the study. It's also important to set out what the house rules are for the duration of the study. For example, it's always going to be possible for someone to get a screen grab of community activity but this can be flagged and discouraged. Rules regarding acceptable behaviour need to be set out for people, as well as the consequences for flouting the rules!
We've talked previously about WhatsApp and other tools researchers use and how the group discussions from these software platforms aren't private and are hard to control. We've also set out how GDPR will impact the Market Research industry, hearing directly from legal experts in this field and the MRS. The crux of the issue is this, GDPR rules state that consumers have the right to know how data controllers are processing their data, where it is, and what it is being used for. This is fine in the case where agencies or technologists are the ones in sole receipt of the data. However, were you to use WhatsApp for online group sessions, there is an issue. Currently, within these groups, every individual can see the private phone number of everyone else and the data that has been shared, therefore controlling this data would be impossible. With this in mind, something you should always look for is independent certification (ISO 27001 compliance) for the technology you're considering using from a data security perspective. It's a huge advantage to be able to say to participants at the start of a study that their data is safe. As a result, they're more likely to be honest and open in their responses. If you're researching vulnerable people (for example, children or people with mental health problems) then privacy is absolutely a pre-requisite.
Right to data access
One of the new provisions under GDPR is that participants have the right to access their personal data. In other words, you need to be able to provide participants with all the input they shared. Doing this with offline focus group data is a nightmare because of the challenges of identifying each person and of allocating each comment to a participant. Doing it online is a breeze. Most online platforms, including ours, allow the user to download all the data associated with a study. It's simple to retrieve the data and export this into a .csv or .xls file and send it over to the participant for review.
Right to be forgotten
Another provision you have to make under GDPR is that research participants have the right to have all their data destroyed so that there are no digital traces of them. Using online platforms, this is simple. All the data associated with a participant (including their contributions to any discussions, videos and images they've submitted as part of the study) and any personal data that would enable them to be identified (such as their name, demographic profile or email address) can be retrieved and deleted with a few simple clicks. You should also contact your recruiter to make sure that they, too, have deleted all the participant data from their file.
It is essential for researchers to be able to anonymise their data set. This is not a new requirement but it is one to which participants may become more and more sensitive. Together allows you to anonymise your data (remove a participant’s real name) at the click of a button. However, be aware that anonymisation is not the same as protecting a participant’s right to confidentiality, which is a trickier issue. Again, this is much simpler to do online. Our platform even lets you export data that's already been anonymised at the click of a button.
Good luck with your research!
If you'd like to learn more about online qualitative research, there's more guides, podcasts and presentations you can access in our resources area. Alternatively...