Ignorance will be no defence
The GDPR will affect all researchers and that includes you! Luckily help is at hand, with Dr Michelle Goddard offering some helpful pointers prior to AQR's webinar in December.
The General Data Protection Regulation (GDPR) is the most significant change to data protection in the UK and EU since 1995. Designed for the digital age, with strengthened individual rights and greater business accountability, it will impact organisations of all sizes processing personal data. The new regulation will be enforced in all EU Member States from May 2018 — which is likely to be before the UK leaves the EU — meaning that compliance must be a top priority for UK-based businesses.
It's vital that researchers are ready to meet the new obligations and responsibilities that the GDPR will bring. Collection of data by qualitative researchers often involves processing and analysing a diverse array of personal information that directly or indirectly identifies individuals, bringing them squarely under the purview of the new regulation. However, de-identification or anonymisation of personal data as early as feasible in the research process will minimise exposure to the liabilities under the GDPR, as individual rights and corporate responsibilities apply to personal, not anonymised, data.
The GDPR makes several changes to the existing data protection framework, and if you're conducting research it's important to be familiar with the key changes. As a starter, consider some of the points outlined below:
Designing and running a qualitative research project, transcribing questionnaires or recruiting and collecting participant details can make you directly liable to heavy monetary penalties for any data protection breaches.
The distinction between data controllers and data processors is less important, as direct liability or responsibility is now placed on all parties. Data processors can be fined for some breaches of the law, with overall monetary penalties under the GDPR increased to up to 4% of worldwide turnover or 20 million euros.
Online identifiers used to track participants in online communities are personal data that need to be treated appropriately.
The boundaries of the type of personal data captured by data protection legislation have been broadened so that online identifiers such as IP addresses, cookies, digital fingerprinting and location data that could identify individuals are more squarely captured along with standard identifiers such as names and addresses.
Research participants are entitled to make requests to be erased from your database or to get copies of the data that you hold on them, in the expectation that this will generally be done for free and within 30 days.
Existing individual rights have been considerably strengthened. Enhanced information rights require organisations to provide clearer detailed information and promote all data protection rights to individuals. These give consumers greater control of their data through new rights such as the right to data portability (to move their data to a new provider).
Participant consent forms and organisational privacy policies must be clearer and more comprehensive, and must set out how long personal data is being held for.
All information notices, including privacy policies and research consent forms, must be written in plain and intelligible language (and consent must be as easy to withdraw as it is to give). The right to information includes the retention period, or the criteria used to determine how long the data will be held for.
UK researchers conducting research with participants based in an EU country will need to follow GDPR requirements whether or not the UK is a member of the EU.
The new regulation has extra-territorial effect and applies to all organisations offering goods or services, or monitoring behaviour, that involve processing the personal data of EU residents, regardless of whether those organisations are located inside or outside the EU.
Data breaches, such as lost memory sticks holding sensitive personal participant details, may have to be reported to the Information Commissioner's Office (ICO), the client and/or the research participant within 72 hours, depending on the likely level of harm to individuals.
Mandatory notification of risky data breaches to the data protection authority is required (and notification to affected data subjects where there is a high risk that the breach is likely to cause harm). Organisations here and abroad will need to set up internal procedures and strategies for timely data breach identification and notification.
Notification to the ICO will no longer be required, but detailed internal records will be required to demonstrate accountability to the regulator.
Internal record keeping for smaller researchers (under 250 employees) will need to focus on high-risk activities. It will also be important to consider whether the records are kept up to date and who is responsible for them.
Build in privacy
So what do these reforms mean for qualitative researchers? A strategic and cultural shift to ensure that privacy is built in by design and by default, embedded at all points of the data collection, processing, analysis and reporting phases. GDPR compliance is not a tick-box affair, and adherence to data protection legislation will be vital to ensure that members of the public can continue to trust that their personal data is secure with researchers, appreciating the role that research can play in delivering better societal outcomes.
Director of Policy and Standards, Market Research Society
This article was first published in InBrief magazine, November 2016
Copyright © Association for Qualitative Research, 2016