There are two responses I’ve heard about the fast-approaching GDPR rollout in the EU:
- “I can feel the anxiety, the heartburn and the headache already.”
- “Wait, what’s GDPR?”
If you’re the first, breathe; if you’re the second, you have some research to do, and you can start here. Regardless of where you currently stand, there’s a better response. I argue everyone should feel that it’s about time we saw something like GDPR. While the headaches and the hard work are certainly ahead, GDPR represents a huge opportunity for market research. This could be the start of a beautiful new era of respondent trust, and we must seize it.
Let’s start with what GDPR is. GDPR is legislation that the EU adopted in 2016 and is rolling out in May 2018. It protects EU citizens’ data more strictly and defines consent more rigorously. The basis is to give EU citizens greater control of their data and the ability to revoke consent at any time, regardless of where that data resides. You live in Germany, but Facebook’s data tower is in Ireland? Doesn’t matter. As an EU citizen, you now have the right to be forgotten. You want to download all the information a company has collected about you? Now the company must comply and deliver your data in an easy machine-readable format (something like a CSV file). These are just some of the benefits citizens will now reap, and just the beginning of the challenges companies will face. GDPR requires that privacy notices be written in plain language rather than legal terminology, and that companies confirm to users that their data is being processed, give respondents the ability to change inaccurate data, and honor their right to be forgotten completely. Starting in May, these aren’t just good practices; they are requirements, and they provide a uniform way of doing business.
These rights give greater control to EU citizens, but they present companies with the technical challenge of making these privileges a reality. They challenge not only how we collect and process data but also how we organize our databases, how quickly we can access specific data, and how we share information with other organizations. For example, if a user wants to be forgotten, they must be deleted not just from a general database; their information must also be removed from any algorithm that might have been built with it and from any third-party database.
If this all feels out of left field, it shouldn’t. GDPR has been a long time coming. We’ve seen iterations of GDPR in the Data Protection Act in 1998 and the following Safe Harbor Act. And we will continue to see more iterations of user data privacy laws as we continue to find more ways of generating and collecting data, both in the EU and across the world. If you were thinking this doesn’t apply because you are an American company, you’re wrong. If you work with EU citizens, directly or indirectly, you must adhere to GDPR guidelines. Just ask Facebook and Google.
While research has the most exceptions for GDPR requirements, GDPR is an unprecedented opportunity to create trust and reexamine our databases. GDPR forces market research to start asking the right questions. What do we do to protect our respondents? Do they understand what they are signing up for? How safe is our database from a breach? Would we know if we were hacked? Do we understand and track how we share information with vendors and third parties?
In our next article, we’ll discuss the lessons we can learn through the GDPR rollout and what organizational opportunities it provides.