This month Jon Wood of Critical Research reviews a recent Forum session which dealt with the implications of the new GDPR legislation – and muses on the implications (and urgency) for us all.
April’s BIG forum was an excellent session, focussing on an impending change in legislation which looks likely to have a considerable bearing on the Market Research industry’s future handling of data and associated procedures. For those discovering GDPR for the first time, this could well have been an unsettling couple of hours.
GDPR is being introduced to strengthen and unify data protection for individuals within the European Union. In short, companies will need to be more careful with the personal data they are holding on people and much more open about the reasons for collecting it in the first place. Regardless of what is happening with Brexit, this regulation will apply in the UK from 25 May 2018.
The session was lucky enough to be headed by two of the best speakers on the topic. In her role as MRS Director of Policy & Standards, Dr Michelle Goddard spends much of her time promoting and protecting quality standards across the industry. As Regional Research & Quality Director, Jackie Megahey heads up compliance for GfK UK and is responsible for amongst other things, information security and data protection.
The combination of speakers was ideal with Michelle able to enlighten us with regard to the legal side of the regulation and Jacquie ideally positioned to tell us more about what it means for us all and how it can be put it into practice. The two complimented each other perfectly.
The Legislation
Michelle kicked off the session with an explanation of the rationale behind GDPR before moving on to an overview of legislation itself.
Having moved so rapidly into an ever more digital age, EU legislators felt there was an urgent need to update data handling regulation to reflect the current time. One of the greatest challenges for those crafting the new guidelines was the need to balance the rights of individuals and the burden of additional bureaucracy faced by the business community. Whether this has been achieved is yet to be seen.
Some of the key areas of the legislation highlighted by Michelle were:
- Consent – businesses must get explicit consent from to keep and use people’s data
- Right to be forgotten – information on individuals must be deleted if requested unless there is a very specific reason not to do so
- Fines – possible monetary penalties will increase significantly with regulators able to fine companies up to 4% of annual turnover for failure to comply
- Data Protection Officers (DPOs) – these must be appointed if a company “process sensitive data on a large scale or collect information on many consumers”
- Mandatory breach notifications – any “serious” breach must be reported to the relevant supervisory authority and the individuals in question within 72 hours
In the UK, GDPR regulation will be enforced by the Information Commissioner’s Office (ICO). The scope of the data categories it covers will be far wider. As well as ‘Personal data’ (Identifiable information such as name and address) GDPR also includes specific reference to the handling of information deemed to be ‘Sensitive’ (Health, political opinion, biometric & genetic). It also touches upon the issue of pseudo-identifiable information but as far as I could tell, the wording leaves considerable room at this stage for its interpretation. Not ideal given the implication of failing to comply!
Ultimately, the revised legislation will see greater business accountability with regard to the handling of personal data. The increased obligations facing companies that were highlighted in the session included the following:
- Demonstrating compliance
- Maintaining detailed written internal records
- Possible introduction of Data Protection Officers (DPOs)
- Privacy impact assessments
Michelle will be spending the coming months helping the industry prepare for GDPR. The MRS plan to play a major role in helping its members commit to best practice. They have already produced a number of introductory documents and checklists which are available via their website and expand upon the obligations detailed above.
For any company approaching the issue of GDPR for the first time, the strategy suggested by the MRS is review, commit and embed.
Inside an Organisation: GfK
The session continued with Jackie kindly sharing her experience of preparations for GDPR from inside one of the world’s largest research companies. It was clear that GfK has already invested significant time and effort in getting ready. This is no walk in the park!
Jackie’s presentation covered GfK’s actions with reference to ICO’s “12 steps to take now” in great detail. I have picked out a number I deemed to be of particular interest:
- Awareness: GfK believe that GDPR will result in a big change in how personal data is handled. Ensuring awareness of GDPR is deemed of such significance that it is now part of any staff induction. GfK have produced an excellent video to introduce the topic to all staff whether new or old
- Information held: GfK started by addressing a number of crucial questions; What information do you hold? Where? With whom is it shared? Being able to answer those questions was deemed a crucial part of being able to demonstrate compliance. Going forward, any GfK project will have an associated data flow diagram showing the movement of any personal data. Documenting in this way should ensure accountability
- Communicating privacy information: Making respondents aware of our company policies is a new requirement of GDPR. A cursory nod to a company terms and conditions page buried on our websites is unlikely to suffice. So how and where should this be done? Whilst not claiming to have all of the answers, GfK are at least addressing the fact that it is difficult to tell respondents information they don’t necessarily care about.
- Consent: How this is agreed is likely to need to change. GfK are reviewing how they seek, obtain and record consent. As with communication of privacy information, we will need to come up with innovative solutions to ensure this requirement doesn’t too dramatically affect our ability to collect the data so crucial for what we do
Final Thoughts
In truth I’m not sure anyone knows yet, exactly what the impact of GDPR will be on our industry. Nor exactly what changes we will all need to make to comply. In time we will all need to update our procedures and communicate the changes to our staff, suppliers and clients. As a company, we think it is important that all our staff know about the legislation so that if it’s mentioned by clients they can at least say that we are aware of the changes and that we are addressing the relevant issues. It looks like being a hot topic in the research and marketing industries and I think all our clients will be reassured to know that it is at least on our radar.
Dealing with new regulation can certainly be difficult (and time consuming), but that is not a reason to do nothing. Blind faith in existing security procedures, lack of awareness regarding new threats as well as the fact GDPR doesn’t start until 2018 could see compliance with data regulation low on company priority lists. It might well be that only the first widely publicised case of a company being punished for non-compliance of GDPR will ensure everyone in the industry to get their houses in order.
Unless you want your company to be the one made an example of, you should stop procrastinating and start your preparations now.
Jon Wood