How Do You Manage GDPR in Face-to-Face Research Interviews?
You may remember all the ‘opt-in’ pop-ups that started appearing on websites last spring. They were due to the General Data Protection Regulation, which came into effect in May 2018. The aim of the regulation was to protect online consumers from having their personal data misused for marketing purposes. The practices that it sought to curb included:
- Selling on data to third parties
- Using data to ‘cold call’ consumers
- Storing online or physical data longer than necessary
- Not knowing where data was kept
- Offering inadequate protection from cybercrime
Key to the GDPR’s impact is the power of the Independent Commissioner’s Office (ICO) to levy huge fines. Businesses or individuals found to be in breach can be fined up to 4 million euros, or 4% of annual global turnover, whichever is the greater. These eye-watering figures are enough to make anyone handling personal data in a professional capacity sit up and take notice.
How Does the GDPR Affect Qualitative Research?
LDA Research has always taken privacy of personal data extremely seriously, given the nature of our research. The launch of the GDPR was, however, a great opportunity to audit our research practices. Given the range of research methodologies we employ, we approached the task by looking at each methodology separately. In this blog we'll be sharing our compliance guidelines for face-to-face research interviews.
What is Personal Data?
One of the most helpful aspects of the GDPR is the clarity with which it identifies what personal data is. It includes, of course, the obvious identity markers such as: name, address, photo, phone number, signature, email address, job role, age, ethnic identification. But it also emphasises the importance of recognising how scraps of information can be pieced together to identify someone. This places a requirement upon researchers to be extremely vigilant when capturing data.
How is Personal Data Stored?
Personal data can be captured on audio files, video recordings, online forms, written notes, letters, social media, health records or job profiles. These are stored in various ways, from notebooks to online documents, paper records and databases. The GDPR requires that there are tight controls on what data is captured, how long it’s kept, who it’s shared with and when it’s deleted.
Step-by-Step Guide to Managing GDPR in Face-to-Face Research Interviews
Step 1. Make sure that your Data Privacy policy is up-to-date and share it with everyone involved. Participants have a right to access their data or request its removal, so make sure contact details for this purpose are available.
Step 2. Make clear rules about how online information is shared. Secure document sharing is preferable to email. There are a number of options including: Dropbox, ShareFile, SharePoint. Always set a date for access revocation.
Step 3. Anonymise all participant data as soon as possible, and certainly before it is shared with clients and the wider team. It is never OK to share personal data without the express permission of the participant.
Step 4. Before starting the interview, it’s good practice to explain what data will be captured and how it will be distributed and stored. Any audio or video recording requires the written permission of the participant.
Step 5. Make it a rule of thumb that no participant data is captured in the course of the interview. This doesn’t mean that you can’t use each other’s names – but they must be redacted from the recording or transcript before it is passed to anyone outside the company or the UK/EU. This extends to ensuring that no visual personal information from the environment is picked up in photos or video.
Step 6. Ensure that all data storage is encrypted and secure. Access should be limited to password holders, and be scheduled to end on a specified date. The location of all data relating to individual participants is required to be logged, and a deletion date set, including for emails arranging the face-to-face interview.
Maintaining Good GDPR Practice
Qualitative research depends on a relationship based on trust between the interviewer and their participant. GDPR is an important building block in that relationship. Highlighting the emphasis you place on the legal requirement for data to remain private is reassuring for interviewees, and underpins your professional status.