Today is the day Global Data Protection Regulation (GDPR) rolls out globally and data privacy continues to flood the news. In our previous blog post, we discussed what GDPR is, how our view on data is shifting and how our lives as individuals, not just as a global economy, is changing.  Since our last post, Mark Zuckerberg testified to congress about data privacy and Facebook announced its expanding GDPR-compliance features globally. Data-privacy has seemed to be an inescapable topic even across the pond. But what does GDPR mean for market research specifically? In this post, I argue three key aspects of GDPR market researchers should be attuned to in the coming months.

1. Data Flow Has your organization considered its Data Flow weak links?

I should state first and foremost that there are exceptional provisions for market research under GDPR. These provisions allow us to conduct research much the same way we always have. This is because good research design already embeds many of the same principles of GDPR including ethics, consent, and privacy of respondents. However, GDPR does alter how our organizations deal with digital capital and how we communicate. Understanding how you acquire, process, store, and share data is more critical now than ever. Even if you aren’t working directly with EU citizens, trust that there is someone in your chain of respondents, vendors, clients, and internal stakeholders that is. That now affects you. Data is only as clean and as secure as the weakest link.

Every organization should have a data flow map and everyone in your organization should know it. Creating a data flow map is important in understanding how complex data management is for your company. If you haven’t made one, be prepared for it to get unruly quickly. Think about how you get data from your vendors, respondents, and clients. Think about in how many forms it comes in: via portals, emails, phone calls, text messages, snail mail, fax, pigeon carrier. Where do you store all that? And how? Is all your Personally Identifiable Information (PII) encrypted? Locked with a password? Or sitting in an excel file in a folder called “Contacts?’ Now is the time to start thinking about our data, how to do this right, and more importantly, what could go wrong.

2. The “oh no…” plan: Has your organization prepared to protect each individual’s data at all costs?

Loosely stored data is like a zombie- apocalypse but with less Hollywood makeup. Data never really dies, and it can rear its ugly head spontaneously. Data can get messy fast if you neglect quality, management, or security. This is all common sense for business/ IT policies within your company, but what does this have to do with GDPR and market research? Many systems are set up to just protect the database, but we must start thinking about information on a personal level. GDPR stipulates an individual’s PII be forgotten and mandates that they be notified if their data is breached. Are you prepared to forget all information about a respondent at a moment’s notice? Or does your database have PII data that could be easily anonymized to reduce security issues? GDPR forces us to not just think about keeping files and data safe but keeping individual people safe. Data is no longer just a number, but an individual.

3. Perspective: While GDPR is a big shift, it presents some tremendous opportunities.

Individuals drive market research and GDPR present a fantastic opportunity for us to shift perspective. We as a country continue to talk about data-privacy as if our data was stolen and we are taking it back! I admit it, I’ve been stalked by a pair of shoes before via internet advertisements and was thoroughly unnerved. But we must continue to push ourselves to change the way we talk about data-privacy. Market research survives only because people are willing to share their opinion and information with us knowing it’s secure. As we improve our data-privacy practices thanks to GDPR, we can start talking about data-privacy as a reason to trust us more, not less. Data privacy should be framed as freedom, not through fear. I believe we can improve relationships with our clients, respondents, vendors, panelists, and future businesses by embracing GDPR and communicating how we are going to do better in managing data.