GDPR: What does it mean for market research firms?
If you’re in the market research or consulting industry, then you’ve probably heard about the General Data Protection Regulation (GDPR). Processing data to gather insight is at the heart of any market research or consulting firm, which makes GDPR particularly important for those in this industry. If you’re a part of the research industry, here’s what you need to know about the regulation.
What is GDPR?
The General Data Protection Regulation (GDPR), adopted by the European Parliament and the Council, protects the personal data of individuals in all 28 EU member states. It applies from May 25, 2018 to every organization that processes the personal data of people in the EU, including research companies. The UK has committed to carrying it into domestic law despite the country’s impending exit from the European Union.
Some of the key specifications of the regulation are as follows:
- Any company worldwide that collects or processes the personal data of individuals in the EU is subject to the GDPR, whether or not it has an EU establishment: offering goods or services to people in the EU, or monitoring their behaviour, is enough.
- Personal data breaches must be reported to the supervisory authority within 72 hours of the organization becoming aware of them, unless the breach is unlikely to result in a risk to individuals. Affected individuals must be told without undue delay when the breach is likely to result in a high risk to them.
- Infringements of the core principles and of individuals’ rights can lead to fines of up to EUR 20 million or 4 percent of annual worldwide turnover (whichever is higher); a lower tier of EUR 10 million or 2 percent applies to obligations such as security measures and breach notification.
- Individuals have the right to be informed that you’re collecting their data, as well as the rights to access, rectify and erase it, to restrict or object to its processing, and to receive it in a portable format.
- Personal data is any information relating to an identified or identifiable person, which includes online identifiers such as:
- Browser cookies and cookie IDs
- IP addresses
- Special categories of data carry additional restrictions and, as a rule, need explicit consent; they include data revealing an individual’s:
- Racial or ethnic origin
- Political opinions
- Biometric data used to uniquely identify the person
How will GDPR impact the research industry?
Research firms will have to treat every store of personal data as a security endpoint: all personal data stored and processed has to be protected with measures appropriate to the risk. In practice that means pseudonymizing the personal data of EU individuals wherever the analysis does not need direct identifiers, encrypting it at rest and in transit regardless of where it is stored, and keeping the re-identification key separate from the data set. Two caveats matter. Data that is genuinely anonymized (the individual can no longer be identified by any means reasonably likely to be used) falls outside the GDPR altogether, whereas pseudonymized data is still personal data and stays in scope. Remote access and data transfers from outside the EU require encryption in transit, but encryption on its own does not make the data anonymous.
Impact on outsourced research
Outsourcing to offshore data processors remains possible, but it is not free of regulatory impact: the controller must contract with each processor on the terms the GDPR prescribes for processors, and any transfer of personal data outside the EU needs a lawful transfer mechanism (an adequacy decision for the destination country, standard contractual clauses, or binding corporate rules). Agencies will therefore need to ensure that:
- Offshore data processors follow the documented instructions of the data controller, and access to EU individuals’ data is limited to pseudonymized records wherever the analysis permits.
- Where data is stored outside the EU (in offshore data centers), the personal attributes are either anonymized before transfer, so the data leaves the GDPR’s scope, or the direct identifiers stay with the controller and only pseudonymized data is transferred under one of the mechanisms above.
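One way to carry out the pseudonymization that the two sections above call for, as an added example that is not code from the original article or from any research firm: direct identifiers are replaced with a keyed HMAC token, the postcode is generalized to reduce indirect identification, and the key stays with the controller rather than travelling with the data. All names, e-mail addresses and postcodes below are constructed, and `DEMO_KEY` is a placeholder. The example also shows why a bare SHA-256 of the e-mail address, which teams often use instead, is not pseudonymization: anyone holding a list of candidate addresses can reverse it.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List, Optional

# Constructed sample respondent records (names, e-mails and postcodes are made up).
RESPONDENTS: List[Dict[str, object]] = [
    {"email": "Alice.Example@example.com", "name": "Alice Example",
     "postcode": "SW1A 1AA", "age": 34, "q1_brand_recall": "yes"},
    {"email": "bob@example.org", "name": "Bob Sample",
     "postcode": "M1 1AE", "age": 52, "q1_brand_recall": "no"},
]

# Fields that identify a respondent on their own and must not reach the processor.
DIRECT_IDENTIFIERS = ("email", "name")

# Placeholder key for the example only. In practice generate it with
# secrets.token_bytes(32), keep it in the controller's secret store, and never
# ship it alongside the pseudonymized data set.
DEMO_KEY = bytes(range(32))


def respondent_token(email: str, key: bytes) -> str:
    """Keyed token for a respondent; normalizing the e-mail keeps the token stable."""
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def generalize_postcode(postcode: str) -> str:
    """Keep only the outward code (area and district) to lower re-identification risk."""
    return postcode.strip().upper().split()[0]


def pseudonymize(records: Iterable[Dict[str, object]], key: bytes) -> List[Dict[str, object]]:
    """Replace direct identifiers with a keyed token and generalize the postcode."""
    out: List[Dict[str, object]] = []
    for rec in records:
        pseudo: Dict[str, object] = {"respondent_token": respondent_token(str(rec["email"]), key)}
        for field, value in rec.items():
            if field in DIRECT_IDENTIFIERS:
                continue
            pseudo[field] = generalize_postcode(str(value)) if field == "postcode" else value
        out.append(pseudo)
    return out


def unkeyed_hash(email: str) -> str:
    """The common shortcut: a bare SHA-256 of the e-mail address, with no secret key."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def reidentify(token: str, candidates: Iterable[str], key: Optional[bytes] = None) -> Optional[str]:
    """Dictionary attack: hash every candidate address and see which one yields the token.

    Without the key this succeeds against unkeyed hashes and fails against HMAC tokens;
    with the controller's key it is the legitimate re-linking path.
    """
    for email in candidates:
        guess = respondent_token(email, key) if key is not None else unkeyed_hash(email)
        if hmac.compare_digest(guess, token):
            return email
    return None


if __name__ == "__main__":
    # Constructed list of addresses an attacker might already hold (e.g. a marketing list).
    candidates = ["alice.example@example.com", "bob@example.org", "carol@example.net"]
    pseudo = pseudonymize(RESPONDENTS, DEMO_KEY)
    for row in pseudo:
        print(row)
    print("bare hash reversed to:", reidentify(unkeyed_hash("bob@example.org"), candidates))
    print("HMAC token without key:", reidentify(pseudo[1]["respondent_token"], candidates))
    print("HMAC token with key:", reidentify(pseudo[1]["respondent_token"], candidates, DEMO_KEY))
```

Pseudonymized output like this is still personal data for the controller, who holds the key; a processor that never receives the key cannot re-link the records on its own, which is the point of keeping the key out of the offshore data set. Rotating the key breaks the link to earlier waves of a study, so decide before fieldwork whether longitudinal linkage is needed.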
Opportunity to improve IT systems and adopt newer technology
By reviewing IT processes, organizations will be able to identify and eliminate ‘shadow IT’ and replace it with documented processes that the organization knows about and controls. It is an opportunity for research firms to improve their IT systems and processes, for example by implementing Customer Identity and Access Management (CIAM) and reliable backup systems.
Reduced costs
Complying with the GDPR can help research firms reduce costs by retiring data stores and legacy applications that no longer serve a business purpose, which also shrinks the attack surface and the scope of any breach. Organizations will also benefit from lower data maintenance costs in staff time and infrastructure, and be able to engage more effectively with customers. The regulation can pave the way for more personalized communications with respondents who have actually consented, and save firms the sunk costs of pursuing uninterested consumers.
Some important measures to follow
Research companies will have to build and improve processes and features so that they can quickly and effectively handle requests from data subjects (respondents, panel members and their clients’ customers) who wish to exercise their rights: access, rectification, erasure (the ‘right to be forgotten’), restriction, objection, and data portability. Such requests generally have to be answered within one month.
You will need to re-evaluate sub-processors to ensure they have appropriate technical and organisational security measures in place and that their contracts flow down the processor obligations required under the GDPR. Engaging a new sub-processor requires the controller’s prior authorisation.
Appoint data protection officers
In order to deploy a structured process for GDPR compliance, research companies should have a data protection officer (DPO): a professional who understands data privacy and knows how to apply the law. Appointing a DPO is mandatory where the firm’s core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data; many research firms that run panels or process sensitive respondent data will meet that test, and those that do not are still well advised to appoint one. Beyond the legal requirements, it’s important that the DPO understands the value of data as a strategic asset for the business.
Improve data governance to drive business efficiency
An individual may want his/her personal data to be erased or the processing of this data to be stopped. In such situations, research companies acting as processors will be required to help data controllers implement these requests.
Privacy rules must be documented and shared across all lines of business, and backed by access controls so that personal data can only be reached by those with a legitimate need for it (least privilege).
Research companies should put proper processes in place to locate specific personal data and to remove or destroy it on behalf of a data controller or an individual. To achieve this, roles and definitions must be established in a governance model.
Data Protection Impact Assessment (DPIA)
DPIAs are used by research firms to identify, understand, and mitigate the risks that arise when developing new solutions or undertaking new activities that involve the processing of personal data, such as data analytics and all data-driven applications, including BI, data warehouses, data lakes, and marketing applications. The GDPR requires a DPIA where the processing is likely to result in a high risk to individuals, for example large-scale profiling or processing of special categories of data.
Research firms should conduct a DPIA before starting such processing and consult the data protection supervisory authority if the assessment shows a high residual risk that the planned measures cannot mitigate.