What do I do if...?
The new GDPR offers fresh challenges to our industry. We offer answers to a few basic questions on the topic, with a longer version of this article appearing online.
If your eyes have a tendency to glaze over at the mention of data protection — then you are not alone. The General Data Protection Regulation (GDPR), however, will wait for no man — or woman — and will apply in the UK from 25 May 2018, a start date unaffected by our decision to leave the EU.
AQR offers helpful links on its home page, but some of our members have expressed concerns that, despite the wealth of information out there, their needs — and queries — are more basic. So, taking a very rough straw poll, In Brief decided to make a note of these questions and asked Wendy Durn, quality and development manager at Research Opinions, for her take. She offers these responses as guidance only. People may need to take legal or professional advice where necessary.
The MRS is going to have a GDPR guide on its website before the end of the year which will be written for researchers and recruiters and answer a lot of questions.
Where are we in the chain? For example, when are we data controllers — when referring to online communities, say, where there are lots of parties with access?
If you decide how the personal identifiable data is going to be processed, then you are the data controller. In an online community the research agency would be the data controller as they would be deciding how to use the data. Any observers to the community would not be controllers. It is possible to have more than one data controller. For instance, if you were working from client-supplied sample it is probable that they would be data controllers and so would the research agency. Everyone in the supply chain should have a contract which spells out their responsibilities regarding personal data.
What exactly are the ramifications of not following GDPR? Is this tiered, or would you receive the same punishment for keeping one small set of data vs a huge database?
If you are a data controller you will have to pay a fee to the ICO, as you do now, and the scale of fees will reflect size and turnover and the amount of data you hold — we haven't been told the fee scale yet.
Do the ramifications depend on the size of the organisation? For instance, as a sole trader, what happens if I just ignore this?
You must follow the GDPR: it is the law! One of the main ramifications of not doing so is if you have a data breach. The volume of data lost/stolen/accessed unlawfully will obviously come into play, but the sensitivity of the data and the amount of detail is very important. As researchers and recruiters, we can store a lot of sensitive data such as health conditions without really realising it.
What actually is data (do email addresses in a personal contact list count)?
Data is where you can identify a living individual from that data, or could do if combined with other data that you have in your possession. Email addresses are regarded as personal data, especially as they often use people's names in the address and can be used for fraud. For instance, if you lost a client sample originating from a bank which contained email addresses, these addresses could be used by someone pretending to be from the bank.
So if, as an individual, my work contacts are intermingled with my business ones, does that make me (and other researchers) controllers?
This is where researchers need to be careful. If you lose your phone and you have personal details of participants on it — think emails, phone numbers and possibly profiles, bank details of participants, audio and visual material of them — then that would technically be a data breach. If you just have your own personal contacts on your phone it's a bit different, as you haven't promised those people to keep their details safe! In the case of participants, we have given them assurances of what their details will be used for and that they will be kept securely and deleted within certain timescales.
In the real world, researchers are always going to use mobile devices in their work, but they should routinely delete participant personal data from their phones/tablets. Research companies should have a Mobile and Remote Working Policy which outlines to staff what they can keep on their phones/tablets, procedures for deletion and what to do in the event of theft or loss of any mobile devices.
Should I keep lists that participants have signed to say they have received incentives?
Keep all personal identifiable data locked up. For incentive sheets it would depend on what information is on the sheet whether it needs to be kept in a locked place.
Should I be doing more than encrypting files that include any participant data?
It's correct to encrypt personal data. Passwords should be randomly generated: you can use a password generator. If you are sending large amounts of data or very sensitive data, you may want to use a secure file transfer protocol. Deletion of data is also very important, and data shouldn't be kept for longer than needed for the purpose for which it was collected. And never store personal data on any cloud storage system that you can get for free from the internet.
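As an added illustration of two points in this answer (randomly generated passwords, and deleting data once the purpose it was collected for has passed), here is a small Python script. It is not from the article or from AQR; the file names, collection dates and the 90-day retention period are constructed assumptions. The encryption of the files themselves is left to whatever tool you already use; the script only generates the password you would feed that tool and finds the files whose retention period has elapsed.

```python
import math
import secrets
import string
from datetime import date, timedelta

# Constructed alphabet for generated passwords: letters, digits and a few symbols.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def generate_password(length: int = 20) -> str:
    """Return a password drawn from the OS cryptographic random source.

    secrets.choice is used rather than random.choice: the latter is a
    predictable generator and is not suitable for passwords or keys.
    """
    if length < 12:
        raise ValueError("use at least 12 characters for an encryption password")
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def password_entropy_bits(length: int, alphabet_size: int = len(PASSWORD_ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).

    This is a property of the generator, not of one particular string, so it
    is a fair way to compare a policy ("20 random characters") with another.
    """
    return length * math.log2(alphabet_size)


def files_past_retention(files, today: date, retention_days: int) -> list:
    """Return the paths whose retention period has elapsed.

    `files` is an iterable of (path, collected_on) pairs; a file is due for
    deletion once `retention_days` have passed since it was collected.
    """
    cutoff = today - timedelta(days=retention_days)
    return sorted(path for path, collected_on in files if collected_on <= cutoff)


# Constructed sample data: what a project folder might hold and when each
# item was collected (dates are invented for the example).
SAMPLE_FILES = [
    ("interviews/p01_audio.m4a", date(2017, 6, 1)),
    ("interviews/p02_audio.m4a", date(2017, 10, 15)),
    ("recruitment/screener_responses.xlsx", date(2017, 5, 20)),
]
RETENTION_DAYS = 90  # assumed policy: keep participant data 90 days after collection


if __name__ == "__main__":
    pw = generate_password(20)
    print("generated password:", pw)
    print("entropy (bits): %.1f" % password_entropy_bits(len(pw)))
    for path in files_past_retention(SAMPLE_FILES, date(2017, 11, 1), RETENTION_DAYS):
        print("past retention, delete:", path)
```

Running the script prints a fresh 20-character password (about 124 bits of entropy with this alphabet) and lists the two sample files collected more than 90 days before 1 November 2017. Pair the retention check with the deletion procedure in your mobile and remote working policy so that deletion happens on a schedule rather than when someone remembers.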
It's not the easiest of areas, and sometimes the answers to questions just raise more questions!
This article was first published in InBrief magazine, November 2017
Copyright © Association for Qualitative Research, 2017