GDPR FAQ

Q: As a small research agency (with less than 10 members of staff) who conduct surveys in-house, are we required to appoint a Data Protection Officer (DPO)?

A: The test for appointment of a DPO is related to the scale and risk of the processing undertaken by the agency rather than the number of employees. Under the GDPR, you must appoint a DPO if:

• you are a public authority (except for courts acting in their judicial capacity);
• your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
• your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

This applies to both controllers and processors. You can appoint a DPO if you wish, even if you aren’t required to. If you decide to voluntarily appoint a DPO you should be aware that the same requirements of the position and tasks apply had the appointment been mandatory.

Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and resources to discharge your obligations under the GDPR. However, a DPO can help you operate within the law by advising and helping to monitor compliance. In this way, a DPO can be seen to play a key role in your organisation’s data protection governance structure and to help improve accountability.

If you decide that you don’t need to appoint a DPO, either voluntarily or because you don’t meet the above criteria, it’s a good idea to record this decision to help demonstrate compliance with the accountability principle.

Q: I work in a client-side research team, and we have an organisation-wide data security officer.  Under the GDPR will we need an additional data protection officer within our market research team?

A: The appointment of a Data Protection Officer (DPO) will be mandatory for public authorities and where core activities are regular and systematic monitoring on a large scale or processing of sensitive data on a large scale. It is a specific independent position for a qualified profession and inherent in the role are some protections from dismissal.

Organisations will need to determine how the DPO and supporting team is structured. Although there is no need for a separate DPO for different teams it is likely that organisations will have to be clearer about explicit responsibilities for privacy issues such as encouraging privacy champions throughout the organisation.

Q: Now GDPR  has come into effect, is it necessary to disclose the end client who will hold any of the personal data, videos, audio recordings, will do the analysis etc.?

A: Data subjects must be provided with all relevant information to make choices about the collection and retention of their data. Different techniques and formats can be used to get consent for data collection but in all cases the consent must be specific and informed with transparent disclosure of all required information. Pre-ticked boxes or opt-outs are not allowed.

There is a minimum level of information that must be provided as part of the process of getting consent. As applicable this includes:

• data controller(s) identity and contact details – details of the research supplier/s and the client (where they acting as joint controllers) relying on the consent preferably allowing for different channels of communication (e.g. phone, email, postal address)
• purpose of each processing activity that consent is being sought for;
• type of data to be collected and used;
• existence of the right to withdraw consent;
• information about the use of the data for decisions based solely on automated processing, including profiling;
• possible risks of data transfers to third countries outside the EEA in the absence of an adequacy decision or appropriate safeguards

This information must be provided prior to getting consent and must be included on a consent form or in the script being read to data subjects to seek verbal consent for their participation.

Research suppliers often act as a joint data controller with client(s) for research datasets and under the GDPR joint data controllers must be named as part of the process of getting consent. It is important to note that clients may still be a data controller even if they are not receiving identifiable data back from the research supplier. The determining factor is whether the agency and client are jointly “determining the purposes and means” of processing the personal data. MRS is aware that a requirement to name the client as the joint data controller in all situations will have far reaching significant consequences on the research sector and are liaising with the ICO to determine alternatives to this current ICO advice.

In consent-based research, such as an online survey, if the client is a data controller they must be named at the beginning of data capture to allow informed consent to be given. Other legal obligations also mean that if the client is receiving personal data, they will need to be named as a recipient of personal data and if they are the source of the personal data then they will also need to be named as part of meeting data subject information requirements.

In the interim research suppliers can evaluate the risks in adopting an approach that provides data subjects with this information at a later stage in the process. In circumstances where no personal data is being passed over, joint data controller client(s) could be named at an appropriate point in a data collection exercise with assurances that the personal data will be deleted if data subjects object and/or no longer wish to participate. This would only be applicable where researchers in their professional judgement consider that it will adversely impact the rigour and robustness of the research to name clients upfront before the research has been undertaken.

Q: We need to run a survey with a sample of our customers.  In order to do this, we would of course need our chosen agency to contact our customers for us, and omit our name from the email. Can you please advise on what you would consider to be acceptable?

A: Under the GDPR it is a requirement that data controller(s) relying on the consent are named at the time the personal data is obtained.

MRS is aware that a requirement to name the end-client upfront at the start of a research exercise such as a survey may have significant consequences in certain research projects such as: spontaneous awareness research (assessing whether participants can quote/recall a brand name without prompting); reducing methodological rigour including biasing responses where the client’s identity is known up front or adversely impacting on trend data where attitudes on behaviour etc. are measured over time, as the results will not be comparable.

MRS interprets the requirements in the GDPR on naming the data controller as providing some leeway on the point in time that the controller must be named. It is important that the data controller is named as part of the single process of collecting personal data but this may be more appropriately done at the end rather than at the beginning of a survey. This may be appropriate in those circumstances where researchers, in their documented professional judgement, consider that it will adversely impact the rigour and robustness of the research to name clients at the start of a survey the data controller client must be named at an alternative appropriate point in a data collection exercise subject to the following:

• it must be made clear to data subjects that the data controller will be named at the end of the data collection exercise
• assurances must be provided to data subjects that any personal data collected will be deleted if at the point that the data controller is revealed they object, wish to withdraw their consent and/or no longer wish to participate. This approach is most appropriate when no personal data is being shared with the end client but researchers may also consider using it in other circumstances.

It is also important to note that:

• if client is the source of the personal data then they will also need to be named as part of meeting data subject information requirements
• if client is receiving personal data from the data collection exercise, they will need to be named as a recipient of personal data.

In both cases set out above this information will need to be provided at an appropriate point in the data capture activity, which may be at the end of data collection.

Q: We are working with another market research agency for a research project. We are providing the interview team and storing the contacts at our premise to be handled by our staff. Therefore, I believed that we should introduce the survey and state that our company is the data controller. However, our partner don’t want us to use our name but theirs. I am concerned we should not be doing this.

A: Correct. The data controller(s) must be named as their privacy notices must be made accessible to the participants and the data controller(s) determines the use of the data.

Q: In qualitative participant recruitment- how do we balance the applicant's "right to be forgotten" against our need to robustly control frequency of attendance? E.g.  if we recruit someone to a focus group today, tomorrow they exercise their right to have all record of that deleted from our database, and next week they apply for something else (and lie to our interviewer about their past participation) – how do we protect ourselves and our research against this?  Will there be specific exemptions for tracking market research?

A: The practical exercise of the right to be forgotten is complicated and works together and overlaps with individuals rights of subject access, to object and to restrict processing. An individual may combine all these rights in a request and it is useful to consider how you would respond to all of them.

Regarding records on professional research participants it is important to recognise that the right to be forgotten is not absolute.

• You can continue to process the data if there is a compelling reason for processing the data.
• You may need objective evidence/reasons regarding decision to keep a particular individual's details on a register in order to prevent fraud.
• The ability to refuse a request “to be forgotten” can also be based on the legal basis that you use for processing e.g. if it as part of your legitimate interests rather than consent.

In summary, exercise of this right depends on the circumstances but in some instances you will be able to keep processing personal data tracking attendance if there are valid reasons.

Q: What are the main changes in dealing with Subject Access Requests under the GDPR rather than the Data Protection Act 1998?

A: The procedure to be followed by organisations when dealing with Subject Access Requests (SAR’s) is similar to the approach under the Data Protection Act 1998. However under the GDPR:

• there is a shorter time frame for compliance. Requests must be met without delay and within one month of receipt, apart from a possible extension of a further two months for complex and multiple requests.
• fees cannot be charged for SAR’s. There is the possibility that you can charge a reasonable fee to individuals for manifestly unfounded or excessive SARs or to comply with requests for further copies of the same information.
• a best practice recommendation is that where possible you should be able to provide remote access to a secure self-service system which would allow the individual direct access to his or her information. Although not appropriate for all research organisations a self-service system would be particularly useful for research panels.

Q: If we only have limited personal information but have talked to people through bulletin boards or WhatsApp etc do we need to match up or link that to all of their personal data to allow it to be traced through the research agency as well as any recruiters who may have been sub-contracted to?

A: If you have limited information on a participant as part of a research project you

• should be able to trace all the personal information that you hold on a particular person so that you can provide it to the individual.
• may need to take steps to verify the individual’s identity and request additional information such as a date range for participation in a project.
• do not need to collect additional personal information just to be able to identify an individual with greater ease and meet the subject access request (SAR).

The SAR will apply to data held by you as data controller or a data processor acting on your behalf. It will therefore depend on whether the information held by the recruiter is held as part of them acting as a data controller over their own recruiter databases or acting as a processor for you i.e. processing data on your instructions. If recruiter is acting as a data processor for your research project then in the contract between you there will be a requirement for them to support exercise of data subject rights and a commitment to delete or return data.

Q: Is withdrawing consent the same as destroying data?

A: Withdrawal of consent is the right exercised by the research participant and means that the personal data that you hold on them must be removed or deleted as you no longer have a legal basis for holding on to it and data subject should be notified when this will be done.

Q: If a respondent wants to withdraw consent after they have been filmed that would mean destroying the film? 

A: Yes, if they withdraw consent on filming you would need to delete the personal data or anonymise by pixelating etc. so that they cannot be identified in the video. In some circumstances one can use an alternative legal basis, once notified to the data subject, but this is unlikely to apply in research context.

Q: A customer has complained that we used a personalised link for an online survey that identifies them. They seemed to think that we shouldn’t be doing this post GDPR.

A: GDPR does not prevent the processing of personal data but ensures that it is carried out lawfully, fairly and transparently. Appropriate information provided to the participant including the privacy policy should make it clear how the personal data will be used, retained and destroyed and in particular ensure that the participant is clear about whether the survey is being conducted anonymously or if not who the personal details will be revealed to. If the use of personal data (including online identifiers) has been made clear to the participant then it is more likely to be compliant with the new data protection framework.

Q: As a sole trader, working as an independent freelance researcher (often collecting personal data for participant interview recruitment, recording interviews and transcripts). GDPR compliance is daunting. What do you recommend as the best starting point?

A: Data protection compliance under the GDPR is likely to be more time-consuming than under the Data Protection Act 1998. Planning and prioritising  can help you reduce the task to manageable tasks.

Although there is a lot to address the best approach is to start with the basics, documenting the type of information that you hold and understanding the areas that may pose greatest risk. 

Continue to follow basic data protection hygiene by maintaining security of files with personal data (password protecting, restricting devices held on etc) and minimising the amount of personal data held by disposing of it quickly and reflecting this in all agreements with suppliers and clients.

Also consult the MRS website for GDPR information, access to member webinars and consider targeted training such as MRS one day training course on GDPR for researchers. The ICO also has useful GDPR resources available here: https://ico.org.uk/for-organisations/data-protection-reform/

Q: We use survey software to collect personal data. If the server is based in the United States, and this is being used to collect or store the data of individuals based in the EU, does this count as data being “transferred” outside of the EU and thus an international data transfer?

A: If the personal data is being stored on a server outside the European Economic Area (EEA) there will be a transfer of data outside the EEA. If it is being stored in US then need to make sure there is an adequate level of protection e.g. checking whether the provider is certified under the EU-US Privacy Shield or using contractual clauses.

Q: I am a freelancer working with a statistician based in Australia. Would it be possible to know about what the safeguards could be to transfer anonymised data to Australia?

A: You should be very careful. Australia is not cover by an adequacy decision, so you can’t freely transfer personal data there, unless you have Standard Contract Clauses in place with your statistician. The European Commission has published those that offer sufficient safeguards on data protection for personal data to be transferred from EEA to third countries. The clauses contain contractual obligations on the EEA data exporter and the UK data importer, and rights for the individuals whose personal data is transferred. Importantly, individuals can directly enforce those rights. Since 2010, EEA based controllers wishing to rely on Standard Contractual Clauses to legitimise international data transfers to processors outside the EEA, have had to use the updated clauses for new processing operations.

If you make the data anonymous so that it is never possible to identify individuals (even when combined with other information which is available to receiver), it is not personal data. This means that the restrictions do not apply and you are free to transfer the anonymised data to Australia.

Anonymization is information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information

In order to be truly anonymised under the GDPR, you must strip personal data of sufficient elements that mean the individual can no longer be identified. However, if you could at any point use any reasonably available means to re-identify the individuals to which the data refers, that data will not have been effectively anonymised but will have merely been pseudonymised. This means that despite your attempt at anonymization you will continue to be processing personal data.

Q: If an end-client is using ‘legitimate interest’ in order to supply us with their customer leads, and they have documented research as a legitimate interest in there are there any additional steps that we need to take in order to use this data?

A: Communication with client can evidence legal grounds for transfer of data and contact with customer database. Also useful to have an audit document that records privacy policy details, conduct of Legitimate Impact Assessment (LIA) by client etc to use as a demonstrable record of lawfulness.

Q1: The client that is commissioning the research wants to remain anonymous. When we ask the participant’s consent to take part, is it sufficient to include extra text that clearly communicates that we cannot reveal the client name?

A: MRS Code of Conduct Rule 14. Members must disclose the identity of clients where there is a legal obligation to do so. Comment: Transparency is one of the fundamental principles underpinning data protection laws. In line with this an obligation to name a commissioning client may arise in three main scenarios:

1. Client is controller or joint controller
2. Client is the source of the personal data
3. Client is receiving personal data from a research activity

• This guidance is helpful in identifying your role in the research project MRS Guidance Note - Controllers and Processors (PDF) January 2020.
• This is a MRS binding guidance Data Protection & Research: Guidance for MRS Members and Company Partners 2019

MRS interprets the requirements in the GDPR on naming the data controller as providing some leeway on the point in time that the controller must be named. It is important that the data controller is named as part of the single process of collecting personal data, but this may be more appropriately done at the end rather than at the beginning of a survey.

This may be appropriate in those circumstances where researchers, in their documented professional judgement, consider that it will adversely impact the rigour and robustness of the research to name clients at the start of a survey.  The data controller client must be named at an alternative appropriate point in a data collection exercise subject to the following:

• it must be made clear to data subjects at the beginning of the data collection when they consent to take part that the data controller will be named at the end of the data collection exercise; and
• assurances must be provided to data subjects that any personal data collected will be deleted if at the point that the data controller is revealed they object, wish to withdraw their consent and/or no longer wish to participate.

This approach is most appropriate when no personal data is being shared with the end client, but researchers may also consider using it in other circumstances.

It is also important to note that-

• if client is the source of the personal data then they will also need to be named as part of meeting data subject information requirements; or
• if client is receiving personal data from the data collection exercise, they will need to be named as a recipient of personal data.

In both cases set out above this information will need to be provided at an appropriate point in the data capture activity, which may be at the end of data collection.

Q1: We have approved WhatsApp as a form of direct communication with participants where we feel it will benefit the research/methodology. Where we use WhatsApp, we ensure we have the appropriate consent and deletion protocol etc. We are now considering running a WhatsApp groups with participants. This will mean participants will be able to see each other profiles and telephone numbers.  Is this within the GDPR rules as long as we get their consent at recruitment?  

A:   It is important to remember that as with any third-party tool, the terms and conditions specified by the company must be read, understood and followed. Researchers that decide to use WhatsApp in their projects must do so in compliance with GDPR and the conditions set by Facebook. Additional information is available in the MRS GDPR in Practice No. 1: Using WhatsApp in compliance with GDPR

Q2: Sharing of voice recordings with the auditor & our client: We are currently in the process of being audited on our end to end processes around collecting interviews and providing scores with one of our clients.  The audit is being carried out by a third party. As part of the audit we are being asked to share recordings of interviews that have been conducted over the phone. We inform participants that the call will be recorded and get consent from them to continue the survey. The current wording that we have in the survey introduction relating to the call recording is: “All calls are being recorded for training and quality purposes - is it ok to continue?”

A: In terms of sharing the data with the auditor it depends on what basis that are being retained to do the audit.    Generally speaking, audit is a form of quality control, this certainly would be the case for an ISO 20252 or an IQCS audit.  It would be different if the audit was for financial purposes, as this is outside of the purpose for which the data was collected (research).

Q: If the responses are being sent to a machine learning application so that NLP techniques can be used to analyse them, then they would not have been sufficiently anonymised, as only high-level identifiers would have been removed. Significant context would still remain (potentially people and place names, and situational detail). In these circumstances, a UK based ML application would only be permissible with customer consent? Even with consent, a non-UK/ EU based ML application would not be permissible under GDPR?

A: I see a lot of misunderstanding lately when it comes to personal data and AI/ML – there is a tendency of not considering personal data as such when are used in ML. Which is, of course, wrong. We could debate extensively on how to design an ethical AI or ML that does not require the use of personal data, but the truth is that no matter what is used to process a given set of personal information they will remain such, unless properly anonymised, and as such fall under the extensive protection that is recognized and codified within data protection legislation.

Simply put: 

• You will still be collecting personal data to being with, so you are bound by the GDPR
• You will be processing personal data and be still bound by the GDPR
• You might proceed to anonymization – which is the only case in which that set of data is no longer subject to the GDPR. BUT you should exercise caution when attempting to anonymise personal data. Organisations frequently refer to personal data sets as having been ‘anonymised’ when, in fact, this is not the case. You should therefore ensure that any treatments or approaches you take truly anonymise personal data. There is a clear risk that you may disregard the terms of the GDPR in the mistaken belief that you are not processing personal data. In order to be truly anonymised under the GDPR, you must strip personal data of sufficient elements that mean the individual can no longer be identified. However, if you could at any point use any reasonably available means to re-identify the individuals to which the data refers, that data will not have been effectively anonymised but will have merely been pseudonymised. This means that despite attempts at anonymisation you will continue to be processing personal data.

You can refer to the ICO Anonymisation: managing data protection risk code of practice for more information about anonymisation.

Q: What information do we need our panel companies to provide to show they are GDPR compliant in the recruitment of respondents?  We do informed consent for each survey so believe it is the recruitment process that needs confirming.

A: Within GDPR direct liability is placed on data processors for breach of specific statutory obligations, such as not processing personal data in line with data controllers written instructions and implementing own appropriate security measures etc.  Equally Data Controllers are responsible for the data processors they select and the processes they undertake to ensure that any processors are working in line with Data Controllers GDPR requirements. 

As such written contract terms between you and your panel suppliers should detail requirements and expectations as this will be the primary means of demonstrating compliance.  Furthermore due diligence by you such as checking the panels T&C’s, recruitment approach, sources of panellists etc. will also demonstrate that you as a Data Controller has undertaken the necessary steps to ensure that contractual requirements and actual practice by panel suppliers are in alignment.

Q: Our assessor’s interpretation of GDPR was that when asking permission/ collecting contact details to be used for quality control purposes only, we should offer participants a choice over how they are to be contacted, rather than simply asking for their telephone number for this purpose.

A: Re-contact for quality control purposes can lawfully be based on consent of the participant or your legitimate interests.  However if you are seeking to use consent as your processing ground to re-contact for quality control then it is best practice to offer a choice of channels such as phone, email, post, text.

Q: We work with recruiters on a freelance/ad hoc basis to recruit respondents for qualitative research. Please could you confirm what agreement you would advise having in place with such suppliers? We have been informed by a recruiter that they are classed as a ‘Data Collector’. What does this mean and what is our responsibility when working with them?  

A: Under GDPR, organisations working with personal data will be data controllers or data processors of personal data that they process. Data controllers determine the purposes and means of the processing of personal data. Data processors process personal data on behalf of controller(s). In this supply chain recruiters are processing data on the agency's or end-client's behalf and are likely to be data processors. Obligation to only appoint data processors which provide sufficient guarantees to implement appropriate technical and organisational measures to ensure processing meets GDPR requirements so need to seek assurances, in some instances audit and have a written contract in place with all the mandatory terms.

We would also be keen to understand what other agencies are doing regarding recruiters/agreements with recruiters.

MRS has provided materials for recruiters, as part of the Recruiter Accreditation Scheme, which can be used to alert and/or educate recruiters on their responsibilities https://www.mrs.org.uk/resources/recruiter_resources. There is also some draft best practice guidance on working with recruiters.

Q: We run a leavers & joiners customer tracker survey. In this survey we do deep dives on the personal data where we look back over a period of years to understand customer behaviour. We use information from our customer records management database linked to information in the survey.  Do we need to state anything additional in the email text to ensure that this is GDPR compliant? How can we best store this identifiable information?

A: Within the recruitment preamble to the tracker questionnaire, used to get informed consent, must make it clear how the tracker data will be used i.e. purpose, how long it will be retained in an identifiable format, and how it might be used in the future.  This should be supplemented with more detail within your Privacy Policy (such as your security arrangements for keeping the data secure) and a link to the Policy should be included in the recruitment documentation. 

In terms of retention of data GDPR does not state time periods.  Rather it is for the Data Controller to review the data it holds, identify the length of time that the data will be used and has a clear purpose, and delete data when it no longer is being used and no longer has a purpose. At this point data should be securely deleted.  It is highly likely that as a Data Controller you will have different retention periods for different data sets (including those used for research and insight purposes) depending on the type of data and what it is used for.  The important point is that whatever you state in your policy as retention periods is adhered to.

The MRS GDPR In Brief documents 5, 6 and 7 https://www.mrs.org.uk/standards/gdprsupport set out the information which should be included to gain informed consent and information that should be stated in privacy information notices.

Q: We run a viewing studio and recently came across a clip of a focus group (recorded at our studio) discussing politics on a social media site. We always obtain permission for recording but after the recordings leave us we have limited control over what happens to them.  The consent sheet also states that responses will only be used for market research purposes.

What would our position be if the participants did not give their permission for the clips to be used in this way?

A: The conditions for use of focus group recordings by the client must be included in the written contract between yourself and the client. The contract should stipulate the purposes for which consent has been given by the participants. If the client uses the recordings in another way they will be liable for breach of contract and breach of the data protection legislation for processing personal data without a lawful basis.

Q: How do we as agencies ensure that clients are held to their responsibilities under GDPR when receiving personal data of participants we have independently sourced for a project. e.g. if a client asks to receive video footage which they hold on an intranet how do we make them responsible for storing and using it safely and within the law once it is out of our control. Do we need to have this in writing or does GDPR by default make them accountable?

A: Written contracts are mandatory and should cover off these issues.

Conditions for use of video recordings should be included in written contracts between yourself and the client. These should stipulate the purposes for which consent has been given by the participants. If used outside of this the other party will be liable for breach of contract and breach of the GDPR as using personal data without a lawful basis.