GDPR – Guidance on using personal data for research purposes
Under the new GDPR regulations coming into force on 25 May 2018, we, as data processors, will need assurances from our clients (data controllers) that their customer data has been gathered in accordance with the new regulations and that it can be used for research purposes. Gathering explicit consent to take part in research activities at the point of data collection is one way of achieving this. However, processing personal data from existing customer databases for research purposes can also reasonably fall under the lawful grounds of legitimate interest.
What this means for you: whilst you may still want to, you don’t necessarily need to gather specific consent for a customer’s (data subject’s) personal data to be used for research purposes. However, if you choose to use legitimate interest as grounds for this use, you must ensure that your privacy notice details the legitimate interests upon which the intended research is based. According to the ICO, this must detail the following:
- What your purpose for processing personal data is
- That you are relying on legitimate interests as your lawful basis; and
- A summary of what the relevant legitimate interests are. (ico.org.uk, 2018)
It is up to you (as the data controller) to conduct your own legitimate interest assessment and, in cooperation with us, to consider the research activities you would like carried out (e.g. customer satisfaction feedback, profiling, in-depth qualitative research etc.).
What this means for your customers (data subjects): although under the lawful grounds of legitimate interest they do not have to give consent for their personal details to be used for research purposes (this includes contacting them to invite them to take part in research), data subjects maintain the right to object to processing without providing specific reasons.
What this means for us: under the existing guidelines of our industry’s Code of Conduct (administered by the Market Research Society), we will continue to gain informed consent from all research participants. It is our responsibility as researchers to notify data subjects about their right to object at the time of communication.
We maintain our responsibility as data processors to alert our clients (the data controllers) of any data breaches or requests to be forgotten.
Following analysis of research results, findings will be aggregated for final delivery. We will take steps to minimise and anonymise research results at the earliest opportunity.
Data security: to protect individuals’ data, any document or database that includes personal data must be shared securely. This means all documents we share that include personal data will be password protected, and we would expect any data we receive from clients to be shared securely as well.
Legitimate interests under GDPR: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/
Conducting Research under the GDPR: Legal Bases: https://www.mrs.org.uk/pdf/EFAMRO_ESOMAR_MRS%20GDPR.pdf
The Zing Team