What is GDPR?
GDPR, or the General Data Protection Regulation, is a legislative framework that came into effect in May 2018. It aims to ensure:
– Transparency
– Lawfulness
– Fairness
The regulation focuses on the collection, use, processing, and transfer of personally identifiable information (PII) from individuals residing in the European Union and other subscribing regions.
Its primary goal is to regulate how personal data is handled by businesses, corporations, and governmental bodies, ensuring accountability in data usage and storage.
Is GDPR Consistent Across All Countries?
While GDPR is applicable to all subscribing countries, each government has discretion over its enforcement. Certain regulations may grant exemptions, particularly in response to emergencies, such as the COVID-19 pandemic, where governments may need to share healthcare data for public health purposes.
Additionally, in market research, Article 9 allows countries or regions to grant exemptions from specific GDPR guidelines concerning health-related data processing, depending on local or national laws.
Does GDPR Apply to Anonymous Data?
GDPR does not apply to data that is fully anonymized. When Greenland Market Research & Consultancy, acting as either a data controller or processor, provides anonymous data, GDPR regulations do not apply.
Definitions of Personal Data
Under GDPR, “personal data” is defined as any information that can identify an individual or link back to them. Before starting any project, clients should clearly define the PII required and its relevance to the project.
Examples of Personal Data Include:
– Photographs (originals or copies)
– IP Addresses
– Audio and Visual Recordings
– Online Behaviour (e.g., social media posts)
– Postal/Mailing Addresses
– Names
– Contact Information (both online and offline)
Data Controller vs. Data Processor
GDPR distinguishes between “data controllers” and “data processors”:
– Data Controller: The organization that determines the purpose and methods of processing PII. For instance, in market research, this could be the owner of a panel or database, controlling the information.
– Data Processor: The organization that processes PII on behalf of the data controller. In some cases, both parties may act as joint data controllers, jointly determining the reasons and methods for processing PII.
How Does Greenland Market Research & Consultancy Ensure GDPR Compliance?
Greenland Market Research & Consultancy implements several measures to ensure GDPR compliance:
– Consultation and Implementation: We have sought both internal and external advice to ensure compliance with GDPR and have updated our privacy policies accordingly.
– Consent: We obtain clear, informed consent from respondents for the use and processing of their personal data. Respondents have the option to withdraw their consent at any time.
Key Contact
Our Client Servicing Director, John Smith, serves as the Data Protection Officer (DPO) and can be reached at info@greenland-research.com
Third-Party Vendors/Suppliers
In line with GDPR, we have updated our contracts with vendors and suppliers (as of February 2022) to reflect current GDPR clauses. We also use non-disclosure agreements (NDAs) with third parties to ensure they process information only as instructed and delete any PII at project completion.
GDPR Compliance Practices
– Data Protection: We have secured information with appropriate firewalls and shredded all storage media.
– Internal Policies: We have published internal memoranda on IT security, data breaches, access control, business continuity, and backup/recovery.
– Article 32 Compliance: We have implemented technical and organizational measures to meet GDPR’s Article 32 requirements for data security.
Handling Data Breaches
In the event of a data breach, we have internal procedures to report incidents to the DPO or relevant authorities within three working days.
Recruitment and Data Handling
When recruiting from our panel, Greenland Market Research & Consultancy is the data controller. For projects involving client-provided target lists, the client is the data controller, and we adhere to their procedures for processing and recruitment.
FAQs on GDPR in Market Research
– General GDPR Practices: Greenland Market Research & Consultancy provides anonymous data for standard research and only includes PII when specifically requested, with respondent consent.
– Communicating GDPR and Obtaining Consent: We update our privacy policy, terms of use, and code of conduct to reflect GDPR requirements. Respondents can opt out by contacting our support team or the DPO.
– Disclosure of Clients: GDPR requires transparency regarding the data controller. Greenland Market Research & Consultancy discloses client information to respondents when PII is involved, unless data is anonymized.
– Request for Personal Information: If collecting PII is unavoidable, clients must allow respondents to opt out and disclose their identity when required.
– Qualitative Methodologies: Disclosure of clients or sponsors is required based on GDPR guidelines. For live or recorded interviews, clients must be disclosed appropriately.
– International Data Transfers: Transfers of personal data between regions, such as from North America to the EU, are minimized. Internal mechanisms and client agreements ensure compliance with GDPR.
– Exclusion Lists: When sharing exclusion lists, only partial information is shared to avoid identifying individuals. Additional information that can identify individuals requires informed consent.
– Re-contact for Quality Purposes: Re-contacting for quality purposes is generally covered under GDPR’s legitimate interest. For other research, additional consent is required.
Further Questions?
For more information on GDPR compliance, please contact your Greenland Market Research & Consultancy representative or email us at info@greenland-research.com with the subject “GDPR enquiry.”