What Researchers and Research Buyers Should Know About Data Protection and GDPR

It’s 2021, the UK has left the European Union (EU) and, because of a global pandemic, a higher than usual proportion of researchers and insight professionals who handle data are doing so from the comfort of their homes.

GDPR continues to evolve alongside these major changes, and the requirements for researchers, their organisations and their clients to be ‘compliant’ with Data Protection laws around the world have ratcheted up significantly.

This article aims to provide some basic guidance on the things that researchers and research buyers need to know and do, as they conduct primary research and understand people and their behaviour to facilitate business decisions.

We’ve started with three basic areas which come up in conversation more regularly than others, though we will delve deeper into other aspects in later articles.

These three areas are:

  • Personal Data
  • Data Protection Officers
  • Record of Processing Activities (ROPA)

If you are not aware of these three things or haven’t got aspects of them in place, you risk being non-compliant and breaching laws that can lead to heavy fines in some cases.*

Know what is (and what isn't) classified as Personal Data

Personal Data relates to an individual. As outlined in UK GDPR, “personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Factors that you should consider to determine whether you are processing personal data include the following:

  • identifiability and related factors
  • whether someone is directly identifiable
  • whether someone is indirectly identifiable
  • the meaning of ‘relates to’
  • when different organisations are using the same data for different purposes.

Appointing a Data Protection Officer (DPO)

A Data Protection Officer is someone who has specific knowledge of data protection laws and practices in your country (because they may differ from country to country). It is not a requirement for all parties to appoint a DPO, but it is good practice to do so.

Article 37 of the UK GDPR will guide you on whether or not you need to appoint a DPO, and their responsibilities include data protection compliance, data protection policies, awareness-raising, training and audits.

Often, even though you may not be bound by law to have a DPO, it makes good sense to put one in place to aid compliance and, simply put, sleep better at night knowing you are doing the right thing.

The cost of putting a DPO in place is not significant and we advise sourcing one at the earliest opportunity to aid discussions between research teams and research buyers, and project design.

Complete a Record of Processing Activities (ROPA)

It is now a legal requirement to document your processing activities. This documentation should detail what information you hold, where it is stored and what you do with it. Doing so both improves governance and helps you comply with other aspects of data protection law.

A ROPA is a record of an organisation's processing activities involving personal data. Pursuant to Art. 30 (3) GDPR, it must be in written or electronic text form. “Processing” is any activity performed on personal data.

You (if you are a freelancer) or your organisation must hold documentation, including an up-to-date ROPA, that is based on a data mapping exercise tracing the journey of the personal data you collect, and these activities must be regularly reviewed.

So there you have it. Despite the terminology and language used, much of the above is very practical and easy to implement. There are many law firms, DPOs and data protection websites that can guide you further.

Notes:

* This article does not provide legal guidance nor should it be construed as such. For more information and formal guidance on such issues we recommend you speak to a lawyer with expertise in data protection, speak to your DPO or consult your country’s data governance body, such as the ICO in the UK.

Written by Stephen Cribbett

I founded Further over 11 years ago with the purpose of using deep human insight to develop better brands, products and services, and inspire new ways of thinking.
