The General Data Protection Regulation (GDPR) and the UK Data Protection Act came into effect in the UK and all EU Member States on 25 May 2018.

These FAQs set out answers to some of the questions frequently asked by researchers and will be updated on an ongoing basis.

MRS is providing this data protection guidance on the GDPR as general information for research practitioners. It is not legal advice and should not be relied upon as such. Specific legal advice should be taken in relation to any specific legal problems or matters.

Q: If I have a film or vox-pop of someone I don’t generally have all their data, sometimes only a first name and their view on vanilla ice cream.  Do I need to complete the set of data for that person and then store it properly?

A: If you hold only limited information as part of a research project, you do not need to collect additional information merely to identify an individual more easily or to meet subject access requests.

The best approach is to minimise the personal data you hold by storing it only for as long as necessary. Set a short retention period and reflect that period in your contracts with clients.

Q: For the longest time I have always assumed that it was not OK for us to simply build a list of e-mail addresses found online by doing desk research and then e-mailing them some information about a survey we’re running. However, I now have a client that wants to follow just this approach and I can’t seem to find any backing for my view. Is it OK for us to use publicly-available e-mails and send survey invitations to highly-targeted potential participants?

A: Yes, you may use publicly available information in this way. Under the GDPR you will still need to establish your lawful basis for processing and, if participants ask, tell them where you found their data.

Q: We are holding on to filmed recordings of focus groups. How long is a company entitled to keep someone’s data for?

A: Under the GDPR/Data Protection Act 2018 personal data should not be kept longer than necessary. Personal data may be stored for longer periods insofar as it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

There are no set periods and the retention period will vary according to the nature of the data, the type of project and whether there is any need for future research or follow-up analysis. The retention period should also reflect any audit requirements in any standards adhered to (e.g. one year under the ISO 20252 market research standard).

The important point is that the length of time personal data (including participant consent forms) is retained is reflected in your organisation’s data retention policy, your privacy policy and the terms and conditions you agree contractually with clients, so that all parties are clear how long the data will be held.

We always recommend that records are held for the shortest period necessary; generally the lower the threshold for deletion the better, especially for records containing personal data. If there is no set policy, the general guidance for research records is one year for primary records and two years for secondary records.

Q: What timeframe do you feel is appropriate for data retention?  Do you think it should include legacy videos, as we have edited films going back 20 odd years - or are they of historical interest?

A: You shouldn’t be holding on to this for more than a year, tops, unless you have a sound reason and contractual obligation to do so. As well as the GDPR requirements on data retention, don’t forget that any personal data you hold is subject to a right of access request, so that’s another good reason to get rid of it as soon as possible. All the historic videos should be destroyed as soon as possible.

Q: We're looking to collect data from people who have attended an event. The client is going to administer the survey and then we will analyse the data collected. What kind of consent, if any, do we need to collect while administering the survey? What, if anything, do we need to tell the participants about who is collecting / analysing the data?

A: Researchers collecting personal data for a research exercise must:

Under the Code of Conduct:

  • refer to the rules on informed consent (rules 16-19);
  • refer to the rules on data collection (rules 36-40).

Under the GDPR:

  • ensure the purpose of the data collection is clearly specified in an information notice (also known as a privacy notice or privacy information notice) which provides full details of all privacy information to data subjects;
  • minimise the collection of personal data by only collecting data that is necessary;
  • ensure that data subjects are clearly informed about expected uses of data and provided with an adequate privacy information notice;
  • securely store and manage all data and build in security measures such as encryption or hashing of data, taking into account the sensitivity of the data being collected and any risks to research data subjects.


Q: Our client wants to survey a particular cohort within its customers. The client was very keen to retain all communications with the target audience so they sent out the invitations to participate, with instructions to send completed returns directly to a secure inbox. Response rate being very slow, the client is now asking if we can provide them with the names of the member organisations that have responded, so that they can send targeted reminders to those that haven't.

A: Unfortunately this is unacceptable. Participants must consent to any personal data, identifiable or potentially identifiable, being passed on to the client; they must consent to what will be revealed, to whom and for what purpose.

Q: I note in the Market Research Society Code of Conduct (page 13, point no. 16), that informed consent is required where “personal data are collected directly from them”. For business-to-business market research where the participant represents a company or other organisation, does the concept of “personal data” apply? I would appreciate it if you could direct me to any guidance on informed consent in a business-to-business setting.

Also, as I understand it, participants have the right to request that their data is withdrawn from a study. Again, does this need to be explicitly stated via an informed consent declaration at the start of a project/interview?

A: Personal data is information that relates to an identified or identifiable individual.  What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors.  If it is possible to identify an individual directly from the information you are processing, then that information may be personal data.  If you cannot directly identify an individual from that information, then you need to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual.

Even if an individual is identified or identifiable, directly or indirectly, from the data you are processing, it is not personal data unless it ‘relates to’ the individual.  When considering whether information ‘relates to’ an individual, you need to take into account a range of factors, including the content of the information, the purpose or purposes for which you are processing it and the likely impact or effect of that processing on the individual.  Information which has had identifiers removed or replaced in order to pseudonymise the data is still personal data for the purposes of GDPR.

The GDPR is clear that you must inform individuals of their right to object at the latest at the time of your first communication with them where:

  • you process personal data for direct marketing purposes, or
  • your lawful basis for processing is:
      • public task (for the performance of a task carried out in the public interest),
      • public task (for the exercise of official authority vested in you), or
      • legitimate interests.

If one of these conditions applies, you should explicitly bring the right to object to the individual’s attention. You should present this information clearly and separately from any other information.  If you are processing personal data for research or statistical purposes you should include information about the right to object (along with information about the other rights of the individual) in your privacy notice.

Q: As a small research agency (with less than 10 members of staff) who conduct surveys in-house, are we required to appoint a Data Protection Officer (DPO)?

A: The test for appointment of a DPO is related to the scale and risk of the processing undertaken by the agency rather than the number of employees. Under the GDPR, you must appoint a DPO if:

  • you are a public authority (except for courts acting in their judicial capacity);
  • your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

This applies to both controllers and processors. You can appoint a DPO if you wish, even if you aren’t required to. If you decide to appoint a DPO voluntarily, you should be aware that the same requirements of the position and tasks apply as if the appointment had been mandatory.

Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and resources to discharge your obligations under the GDPR. However, a DPO can help you operate within the law by advising and helping to monitor compliance. In this way, a DPO can be seen to play a key role in your organisation’s data protection governance structure and to help improve accountability.

If you decide that you don’t need to appoint a DPO, either voluntarily or because you don’t meet the above criteria, it’s a good idea to record this decision to help demonstrate compliance with the accountability principle.

Q: I work in a client-side research team, and we have an organisation-wide data security officer.  Under the GDPR will we need an additional data protection officer within our market research team?

A: The appointment of a Data Protection Officer (DPO) will be mandatory for public authorities and where core activities are regular and systematic monitoring on a large scale or processing of sensitive data on a large scale. It is a specific independent position for a qualified professional, and inherent in the role are some protections from dismissal.

Organisations will need to determine how the DPO and supporting team are structured. Although there is no need for a separate DPO for different teams, it is likely that organisations will have to be clearer about explicit responsibilities for privacy issues, such as encouraging privacy champions throughout the organisation.

Q: Now GDPR has come into effect, is it necessary to disclose the end client who will hold any of the personal data, videos, audio recordings, will do the analysis etc.?

A: Data subjects must be provided with all relevant information to make choices about the collection and retention of their data. Different techniques and formats can be used to get consent for data collection but in all cases the consent must be specific and informed with transparent disclosure of all required information. Pre-ticked boxes or opt-outs are not allowed.

There is a minimum level of information that must be provided as part of the process of getting consent. As applicable this includes:

  • data controller(s) identity and contact details: details of the research supplier(s) and the client (where they are acting as joint controllers) relying on the consent, preferably allowing for different channels of communication (e.g. phone, email, postal address);
  • purpose of each processing activity that consent is being sought for;
  • type of data to be collected and used;
  • existence of the right to withdraw consent;
  • information about the use of the data for decisions based solely on automated processing, including profiling;
  • possible risks of data transfers to third countries outside the EEA in the absence of an adequacy decision or appropriate safeguards.

This information must be provided prior to getting consent and must be included on a consent form or in the script being read to data subjects to seek verbal consent for their participation.

Research suppliers often act as a joint data controller with client(s) for research datasets, and under the GDPR joint data controllers must be named as part of the process of getting consent. It is important to note that clients may still be a data controller even if they are not receiving identifiable data back from the research supplier. The determining factor is whether the agency and client are jointly “determining the purposes and means” of processing the personal data. MRS is aware that a requirement to name the client as the joint data controller in all situations will have far-reaching consequences for the research sector and is liaising with the ICO to determine alternatives to this current ICO advice.

In consent-based research, such as an online survey, if the client is a data controller they must be named at the beginning of data capture to allow informed consent to be given. Other legal obligations also mean that if the client is receiving personal data, they will need to be named as a recipient of personal data and if they are the source of the personal data then they will also need to be named as part of meeting data subject information requirements.

In the interim research suppliers can evaluate the risks in adopting an approach that provides data subjects with this information at a later stage in the process. In circumstances where no personal data is being passed over, joint data controller client(s) could be named at an appropriate point in a data collection exercise with assurances that the personal data will be deleted if data subjects object and/or no longer wish to participate. This would only be applicable where researchers in their professional judgement consider that it will adversely impact the rigour and robustness of the research to name clients upfront before the research has been undertaken.

Q: We need to run a survey with a sample of our customers.  In order to do this, we would of course need our chosen agency to contact our customers for us, and omit our name from the email. Can you please advise on what you would consider to be acceptable?

A: Under the GDPR it is a requirement that data controller(s) relying on the consent are named at the time the personal data is obtained.

MRS is aware that a requirement to name the end-client upfront at the start of a research exercise such as a survey may have significant consequences in certain research projects such as: spontaneous awareness research (assessing whether participants can quote/recall a brand name without prompting); reducing methodological rigour including biasing responses where the client’s identity is known up front or adversely impacting on trend data where attitudes on behaviour etc. are measured over time, as the results will not be comparable.

MRS interprets the requirements in the GDPR on naming the data controller as providing some leeway on the point in time at which the controller must be named. It is important that the data controller is named as part of the single process of collecting personal data, but this may be more appropriately done at the end rather than at the beginning of a survey. Where researchers, in their documented professional judgement, consider that naming clients at the start of a survey will adversely impact the rigour and robustness of the research, the data controller client must be named at an alternative appropriate point in the data collection exercise, subject to the following:

  • it must be made clear to data subjects that the data controller will be named at the end of the data collection exercise;
  • assurances must be provided to data subjects that any personal data collected will be deleted if, at the point that the data controller is revealed, they object, wish to withdraw their consent and/or no longer wish to participate. This approach is most appropriate when no personal data is being shared with the end client, but researchers may also consider using it in other circumstances.

It is also important to note that:

  • if the client is the source of the personal data, they will also need to be named as part of meeting data subject information requirements;
  • if the client is receiving personal data from the data collection exercise, they will need to be named as a recipient of personal data.

In both cases set out above this information will need to be provided at an appropriate point in the data capture activity, which may be at the end of data collection.

Q: We are working with another market research agency on a research project. We are providing the interview team and storing the contacts at our premises to be handled by our staff. Therefore, I believed that we should introduce the survey and state that our company is the data controller. However, our partner doesn’t want us to use our name but theirs. I am concerned that we should not be doing this.

A: Correct. The data controller(s) must be named, as their privacy notices must be made accessible to the participants and it is the data controller(s) who determine the use of the data.

Q: In qualitative participant recruitment- how do we balance the applicant's "right to be forgotten" against our need to robustly control frequency of attendance? E.g.  if we recruit someone to a focus group today, tomorrow they exercise their right to have all record of that deleted from our database, and next week they apply for something else (and lie to our interviewer about their past participation) – how do we protect ourselves and our research against this?  Will there be specific exemptions for tracking market research?

A: The practical exercise of the right to be forgotten is complicated and works together and overlaps with individuals’ rights of subject access, to object and to restrict processing. An individual may combine all these rights in a single request, and it is useful to consider how you would respond to all of them.

Regarding records on professional research participants it is important to recognise that the right to be forgotten is not absolute.

  • You can continue to process the data if there is a compelling reason for doing so.
  • You may need objective evidence/reasons regarding the decision to keep a particular individual's details on a register in order to prevent fraud.
  • The ability to refuse a request “to be forgotten” can also depend on the legal basis that you use for processing, e.g. if it is part of your legitimate interests rather than consent.

In summary, exercise of this right depends on the circumstances, but in some instances you will be able to keep processing personal data to track attendance if there are valid reasons.

Q: What are the main changes in dealing with Subject Access Requests under the GDPR rather than the Data Protection Act 1998?

A: The procedure to be followed by organisations when dealing with Subject Access Requests (SARs) is similar to the approach under the Data Protection Act 1998. However, under the GDPR:

  • there is a shorter time frame for compliance: requests must be met without delay and within one month of receipt, with a possible extension of a further two months for complex or multiple requests;
  • fees cannot be charged for SARs, although you may charge a reasonable fee for manifestly unfounded or excessive SARs or for further copies of the same information;
  • a best practice recommendation is that, where possible, you provide remote access to a secure self-service system which allows the individual direct access to his or her information. Although not appropriate for all research organisations, a self-service system would be particularly useful for research panels.


Q: If we only have limited personal information but have talked to people through bulletin boards or WhatsApp etc do we need to match up or link that to all of their personal data to allow it to be traced through the research agency as well as any recruiters who may have been sub-contracted to?

A: If you have limited information on a participant as part of a research project you

  • should be able to trace all the personal information that you hold on a particular person so that you can provide it to the individual.
  • may need to take steps to verify the individual’s identity and request additional information such as a date range for participation in a project.
  • do not need to collect additional personal information just to be able to identify an individual with greater ease and meet the subject access request (SAR).

The SAR will apply to data held by you as data controller or by a data processor acting on your behalf. It will therefore depend on whether the information held by the recruiter is held as part of them acting as a data controller over their own recruiter databases, or as a processor for you, i.e. processing data on your instructions. If the recruiter is acting as a data processor for your research project, the contract between you will require them to support the exercise of data subject rights and commit them to delete or return data.

Q: Is withdrawing consent the same as destroying data?

A: Withdrawal of consent is a right exercised by the research participant. It means that the personal data you hold on them must be removed or deleted, as you no longer have a legal basis for holding on to it, and the data subject should be notified when this will be done.

Q: If a respondent wants to withdraw consent after they have been filmed, would that mean destroying the film?

A: Yes, if they withdraw consent on filming you would need to delete the personal data or anonymise it, by pixelating etc., so that they cannot be identified in the video. In some circumstances an alternative legal basis can be used once notified to the data subject, but this is unlikely to apply in a research context.

Q: A customer has complained that we used a personalised link for an online survey that identifies them. They seemed to think that we shouldn’t be doing this post GDPR.

A: GDPR does not prevent the processing of personal data but ensures that it is carried out lawfully, fairly and transparently. Appropriate information provided to the participant including the privacy policy should make it clear how the personal data will be used, retained and destroyed and in particular ensure that the participant is clear about whether the survey is being conducted anonymously or if not who the personal details will be revealed to. If the use of personal data (including online identifiers) has been made clear to the participant then it is more likely to be compliant with the new data protection framework.

Q: As a sole trader, working as an independent freelance researcher (often collecting personal data for participant interview recruitment, recording interviews and transcripts), GDPR compliance is daunting. What do you recommend as the best starting point?

A: Data protection compliance under the GDPR is likely to be more time-consuming than under the Data Protection Act 1998. Planning and prioritising can help you break the work down into manageable tasks.

Although there is a lot to address, the best approach is to start with the basics: documenting the type of information that you hold and understanding the areas that may pose the greatest risk.

Continue to follow basic data protection hygiene by maintaining the security of files containing personal data (password protection, restricting the devices on which they are held, etc.) and minimising the amount of personal data held by disposing of it quickly and reflecting this in all agreements with suppliers and clients.

Also consult the MRS website for GDPR information and access to member webinars, and consider targeted training such as the MRS one-day training course on GDPR for researchers. The ICO also has useful GDPR resources available here: https://ico.org.uk/for-organisations/data-protection-reform/

Q: We use survey software to collect personal data. If the server is based in the United States, and this is being used to collect or store the data of individuals based in the EU, does this count as data being “transferred” outside of the EU and thus an international data transfer?

A: If the personal data is being stored on a server outside the European Economic Area (EEA), there will be a transfer of data outside the EEA. If it is being stored in the US, you need to make sure there is an adequate level of protection, e.g. by checking whether the provider is certified under the EU-US Privacy Shield or by using contractual clauses.

Q: I am a freelancer working with a statistician based in Australia. Would it be possible to know about what the safeguards could be to transfer anonymised data to Australia?

A: You should be very careful. Australia is not covered by an adequacy decision, so you can’t freely transfer personal data there unless you have Standard Contractual Clauses in place with your statistician. The European Commission has published clauses that offer sufficient safeguards on data protection for personal data to be transferred from the EEA to third countries. The clauses contain contractual obligations on the EEA data exporter and the data importer, and rights for the individuals whose personal data is transferred. Importantly, individuals can directly enforce those rights. Since 2010, EEA-based controllers wishing to rely on Standard Contractual Clauses to legitimise international data transfers to processors outside the EEA have had to use the updated clauses for new processing operations.

If you make the data anonymous so that it is never possible to identify individuals (even when combined with other information which is available to receiver), it is not personal data. This means that the restrictions do not apply and you are free to transfer the anonymised data to Australia.

Anonymous information is information which does not relate to an identified or identifiable natural person, or personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. The GDPR does not therefore concern the processing of such anonymous information.

In order to be truly anonymised under the GDPR, you must strip personal data of sufficient elements that the individual can no longer be identified. However, if you could at any point use any reasonably available means to re-identify the individuals to which the data refers, that data will not have been effectively anonymised but merely pseudonymised. This means that despite your attempt at anonymisation you will continue to be processing personal data.
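To make the distinction concrete, the following is an added example (not MRS or ICO material; the records, e-mail addresses, key and quasi-identifier choices are all constructed) showing why a hashed e-mail address is only pseudonymised, how a keyed hash changes who can re-link the data without making it anonymous, and what a defensible anonymisation step looks like. It also illustrates the "hashing of data" security measure mentioned in the data collection answer earlier on this page. The `reidentify` function is a self-check a controller can run over its own export to test whether re-identification by reasonably available means (here, a list of candidate addresses) is still possible.

```python
"""Pseudonymisation vs anonymisation of a small research dataset (added example)."""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (not real participants). "email" is the direct
# identifier, "age" and "city" are quasi-identifiers, "view" is the research content.
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "age": 34, "city": "Leeds", "view": "likes vanilla"},
    {"email": "bob@example.org", "age": 37, "city": "Leeds", "view": "prefers chocolate"},
    {"email": "carol@example.org", "age": 52, "city": "York", "view": "likes vanilla"},
    {"email": "dave@example.org", "age": 58, "city": "York", "view": "no opinion"},
    {"email": "erin@example.org", "age": 29, "city": "Hull", "view": "dislikes vanilla"},
]
QUASI_IDENTIFIERS = ("age_band", "city")
# Assumed secret held only by the controller; generated fresh for the demo.
DEMO_KEY = secrets.token_bytes(32)


def plain_token(email):
    """Unkeyed SHA-256 of a normalised e-mail. It looks opaque, but anyone holding a
    list of candidate addresses can recompute it, so this is only pseudonymisation."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_token(email, key):
    """HMAC-SHA256 pseudonym: only the key holder can re-link a token to a person.
    The data is still personal data, because the controller can reverse the link."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key=None):
    """Replace the e-mail with a token (keyed if a key is supplied)."""
    out = []
    for rec in records:
        token = keyed_token(rec["email"], key) if key else plain_token(rec["email"])
        out.append({"token": token, **{k: v for k, v in rec.items() if k != "email"}})
    return out


def reidentify(tokens, candidate_emails, key=None):
    """Self-check: recompute tokens for a list of candidate addresses and report every
    token that matches. A non-empty result means the export is not anonymous."""
    lookup = {(keyed_token(e, key) if key else plain_token(e)): e for e in candidate_emails}
    return {t: lookup[t] for t in tokens if t in lookup}


def age_band(age):
    """Generalise an exact age to a ten-year band, e.g. 34 -> '30-39'."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymise(records, k=2):
    """Drop the direct identifier, generalise age, then suppress any record whose
    quasi-identifier combination is shared by fewer than k records (k-anonymity)."""
    generalised = [{"age_band": age_band(r["age"]), "city": r["city"], "view": r["view"]}
                   for r in records]
    counts = Counter(tuple(g[q] for q in QUASI_IDENTIFIERS) for g in generalised)
    return [g for g in generalised if counts[tuple(g[q] for q in QUASI_IDENTIFIERS)] >= k]


def k_anonymity(records):
    """Smallest group size over quasi-identifier combinations (0 for an empty set)."""
    counts = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in records)
    return min(counts.values()) if counts else 0


if __name__ == "__main__":
    plain = pseudonymise(SAMPLE_RECORDS)
    hits = reidentify([r["token"] for r in plain], ["alice@example.org", "nobody@example.org"])
    print("unkeyed hash re-linked:", hits)          # alice's token is recovered
    keyed = pseudonymise(SAMPLE_RECORDS, DEMO_KEY)
    print("keyed hash, no key:", reidentify([r["token"] for r in keyed], ["alice@example.org"]))
    anon = anonymise(SAMPLE_RECORDS, k=2)
    print("anonymised rows:", len(anon), "k =", k_anonymity(anon))
```

Note that k-anonymity over a handful of quasi-identifiers is a starting point, not a guarantee: the "reasonably available means" test in the paragraph above has to be applied to whatever other information the recipient could realistically combine with the export.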

Q: If an end-client is using ‘legitimate interest’ in order to supply us with their customer leads, and they have documented research as a legitimate interest there, are there any additional steps that we need to take in order to use this data?

A: Communication with the client can evidence the legal grounds for the transfer of the data and for contact with the customer database. It is also useful to have an audit document that records the privacy policy details, the conduct of a Legitimate Interests Assessment (LIA) by the client, etc., to use as a demonstrable record of lawfulness.

Q: What information do we need our panel companies to provide to show they are GDPR compliant in the recruitment of respondents?  We do informed consent for each survey so believe it is the recruitment process that needs confirming.

A: Under the GDPR, direct liability is placed on data processors for breach of specific statutory obligations, such as failing to process personal data in line with the data controller’s written instructions or failing to implement their own appropriate security measures. Equally, data controllers are responsible for the data processors they select and for the processes they undertake to ensure that any processors are working in line with the controller’s GDPR requirements.

As such, written contract terms between you and your panel suppliers should detail requirements and expectations, as these will be the primary means of demonstrating compliance. Furthermore, due diligence by you, such as checking the panel’s T&Cs, recruitment approach and sources of panellists, will also demonstrate that you as a data controller have undertaken the necessary steps to ensure that the contractual requirements and the actual practice of panel suppliers are in alignment.

Q: Our assessor’s interpretation of GDPR was that when asking permission/ collecting contact details to be used for quality control purposes only, we should offer participants a choice over how they are to be contacted, rather than simply asking for their telephone number for this purpose.

A: Re-contact for quality control purposes can lawfully be based on consent of the participant or your legitimate interests.  However if you are seeking to use consent as your processing ground to re-contact for quality control then it is best practice to offer a choice of channels such as phone, email, post, text.

Q: We work with recruiters on a freelance/ad hoc basis to recruit respondents for qualitative research. Please could you confirm what agreement you would advise having in place with such suppliers? We have been informed by a recruiter that they are classed as a ‘Data Collector’. What does this mean and what is our responsibility when working with them?  

A: Under the GDPR, organisations working with personal data will be data controllers or data processors of the personal data that they process. Data controllers determine the purposes and means of the processing of personal data. Data processors process personal data on behalf of controller(s). In this supply chain, recruiters are processing data on the agency's or end-client's behalf and are likely to be data processors. Controllers are obliged to appoint only data processors which provide sufficient guarantees that they will implement appropriate technical and organisational measures to ensure processing meets GDPR requirements, so you need to seek assurances, in some instances audit the processor, and have a written contract in place containing all the mandatory terms.


We would also be keen to understand what other agencies are doing regarding recruiters/agreements with recruiters.

MRS has provided materials for recruiters, as part of the Recruiter Accreditation Scheme, which can be used to alert and/or educate recruiters on their responsibilities: https://www.mrs.org.uk/resources/recruiter_resources. There is also draft best practice guidance on working with recruiters.

Q: We run a leavers & joiners customer tracker survey. In this survey we do deep dives on the personal data where we look back over a period of years to understand customer behaviour. We use information from our customer records management database linked to information in the survey.  Do we need to state anything additional in the email text to ensure that this is GDPR compliant? How can we best store this identifiable information?

A: The recruitment preamble to the tracker questionnaire, used to obtain informed consent, must make clear how the tracker data will be used, i.e. the purpose, how long it will be retained in an identifiable format and how it might be used in the future. This should be supplemented with more detail in your privacy policy (such as your arrangements for keeping the data secure), and a link to the policy should be included in the recruitment documentation.

In terms of retention of data, the GDPR does not state time periods. Rather, it is for the data controller to review the data it holds, identify the length of time for which the data will be used and has a clear purpose, and securely delete the data once it is no longer used and no longer has a purpose. It is highly likely that as a data controller you will have different retention periods for different data sets (including those used for research and insight purposes), depending on the type of data and what it is used for. The important point is that whatever retention periods you state in your policy are adhered to.
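As an added example of putting that last point into practice (this is not MRS guidance; the record categories, ids, dates and hold reasons are constructed, and the one-year and two-year periods are taken from the general guidance for primary and secondary records earlier on this page), here is a small retention register check. It flags records that are past their policy period and due for secure deletion, separates out records kept beyond the period only because a documented reason exists, and refuses to process a record whose category has no retention period defined, since that is a gap in the policy rather than something to guess at.

```python
"""Retention register review against a stated retention policy (added example)."""
from datetime import date, timedelta

# Constructed retention policy in days. The figures follow the general guidance on
# this page (one year primary, two years secondary); the category names are assumed.
RETENTION_DAYS = {"primary": 365, "secondary": 730}

# Constructed register of records held. "hold" is a documented reason (e.g. a
# contractual audit clause) for keeping a record beyond the policy period, or None.
REGISTER = [
    {"id": "FG-2017-03", "category": "primary", "collected": date(2017, 3, 10), "hold": None},
    {"id": "FG-2017-01", "category": "primary", "collected": date(2017, 1, 15),
     "hold": "client contract clause 4.2: retain until audit closes"},
    {"id": "TR-2016-06", "category": "secondary", "collected": date(2016, 6, 1), "hold": None},
    {"id": "CF-2016-04", "category": "secondary", "collected": date(2016, 4, 20), "hold": None},
]

# Review date used by the demo (the day the GDPR came into effect).
AS_OF = date(2018, 5, 25)


def deletion_due(record):
    """Date from which the record should no longer be held under the policy."""
    try:
        days = RETENTION_DAYS[record["category"]]
    except KeyError:
        # Every dataset must be covered by the policy; an uncategorised record is a gap.
        raise ValueError(f"no retention period defined for category {record['category']!r}")
    return record["collected"] + timedelta(days=days)


def review(register, today):
    """Sort records into three buckets:
    delete  - past the policy period with no documented reason to keep them;
    on_hold - past the policy period but a documented reason exists (re-review);
    retain  - still within the policy period."""
    outcome = {"delete": [], "on_hold": [], "retain": []}
    for rec in register:
        if deletion_due(rec) > today:
            outcome["retain"].append(rec["id"])
        elif rec["hold"]:
            outcome["on_hold"].append(rec["id"])
        else:
            outcome["delete"].append(rec["id"])
    return outcome


if __name__ == "__main__":
    for bucket, ids in review(REGISTER, AS_OF).items():
        print(f"{bucket}: {ids}")
```

Running the review on a schedule, and keeping its output alongside the policy, gives you the evidence that stated retention periods are actually being applied, which is what the accountability principle asks for.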

The MRS GDPR In Brief documents 5, 6 and 7 https://www.mrs.org.uk/standards/gdprsupport set out the information which should be included to gain informed consent and information that should be stated in privacy information notices.

Q: We run a viewing studio and recently came across a clip of a focus group (recorded at our studio) discussing politics on a social media site. We always obtain permission for recording but after the recordings leave us we have limited control over what happens to them.  The consent sheet also states that responses will only be used for market research purposes.

What would our position be if the participants did not give their permission for the clips to be used in this way?

A: The conditions for use of focus group recordings by the client must be included in the written contract between yourself and the client. The contract should stipulate the purposes for which consent has been given by the participants. If the client uses the recordings in another way they will be liable for breach of contract and breach of the data protection legislation for processing personal data without a lawful basis.

Q: How do we as agencies ensure that clients are held to their responsibilities under GDPR when receiving personal data of participants we have independently sourced for a project. e.g. if a client asks to receive video footage which they hold on an intranet how do we make them responsible for storing and using it safely and within the law once it is out of our control. Do we need to have this in writing or does GDPR by default make them accountable?

A: Written contracts are mandatory and should cover off these issues.

Conditions for the use of video recordings should be included in written contracts between yourself and the client. These should stipulate the purposes for which consent has been given by the participants. If the recordings are used outside those purposes, the other party will be liable for breach of contract and breach of the GDPR for using personal data without a lawful basis.
