General Data Protection Regulation (GDPR) and user research

Article by Steph Troeth and Erica Kucharczyk. Edited by Kate Towsey

As user researchers, we often collect and store information about our participants, especially if we are recruiting them for research sessions.

If you are undertaking user research in any form, you will therefore need to be aware of how General Data Protection Regulation (GDPR) affects your practice and process when it comes into effect on 25th May 2018 in the UK and all EU member states. It applies to any entity that handles data on UK & EU citizens regardless of where the organisation is based. The good news is that if you are already compliant with the Data Protection Act 1998, there appear to be only a few minor changes to consider involving collecting data, recruiting participants, obtaining consent and ongoing data administration.

In this article, we want to examine how user researchers might implement the Information Commissioner’s Office GDPR guidance.

We are not legal experts, so it is advisable that you clarify with your legal team regarding what your organisation needs to do.

Data collection

There are some easy best practices for collecting data lawfully:

1. Only ask users for information you need.
2. Only use information or data according to your original reasons for collecting them.
3. For every piece of data you collect, you’ll need to have what’s called a ‘lawful basis’ for processing that data.

To have a lawful basis for collecting and processing data, you’ll first need to identify what data is necessary for the research. Then, for each piece of data you’re collecting, define the rationale for how it’s used at the outset — and stick to that decision throughout the process.

For example, if the lawful basis for which you collect a user’s email address is so that you can send them a link to a remote session, it won’t be legal to send them a marketing email later on, unless they have explicitly opted in to receive marketing emails.

In addition, there is a category of data which needs to be treated with more care. These are special category data: personal data that are more sensitive, and could potentially put individuals at risk of discrimination. If you need to collect sensitive data, you’ll need to be specific about what you’re using that data for and gain explicit consent from the user, unless the reason for processing meets one of the other nine special conditions for processing this data.

Recruitment

Allow people to opt-in to research invites

It might be tempting to send research opportunities to people in your organisation’s database who have opted into marketing communications or product updates. In a pre-GDPR world it has not always been clear what we’re signing up for when we (intentionally or accidentally) opt in to marketing contact lists.

If you want to use your organisation’s contacts to identify participants for research and you’re not sure if they have consented to this previously, it’s better to run a fresh campaign that asks people to opt in specifically to be contacted about user research opportunities. It’s likely your organisation is going to be reviewing the way they gain consent to be sent marketing communications under GDPR, so you could piggyback on this process to ensure that consent for research opportunities is explicit in any sign-up forms.

For more detail, People for Research, a recruitment agency based in Bristol, has produced a useful blog post on how to ethically recruit your own customers.

If you already have a panel of people who have opted into research and you’re confident that they gave explicit consent to be in the panel and to participate in research, you shouldn’t need to run a fresh recruitment campaign.

Whichever way you are recruiting, make it easy for people to opt-out of research communications.

Declare why you are collecting data

Whether you are doing the recruitment yourself, or using a third party provider, it’s advisable to let people know on the recruitment sign-up form how you’re going to use the information about them that you’re collecting. This might mean adding supporting text explanations next to each relevant field on the form. For example, you may explain that the reason you’re collecting their telephone number is so you can call them to arrange the session, or the reason for collecting their email address is so you can send them a gift voucher.

This is more transparent and helps to reassure users they’re not going to get unsolicited emails from the company because they’ve shared their details with the researcher, or that their data won’t be unlawfully provided to a third party.

Detailed consent

Managing consent is one of the key areas where GDPR would have the greatest impact. Under GDPR, consent forms will need to provide more detail about how you intend to process and store specific data collected during research. We also need to take into account the participant’s right to withdraw consent. You might find it useful to split the form into an information section and consent statements.

The following are some best practice tips for gaining informed consent.

Be granular

GDPR-compliant consent forms need to be granular: this means that users need to give consent for each individual piece of data collected. This could mean respondents need to tick a separate box to agree to the recording of an interview, as well as explicit consent to how data might be processed and shared — such as making a highlights reel from a video recording to share with people in the business.

This allows the user to have some control over how much they want to disclose. For example, if having their screen recorded is a requirement of the study and this is specific data you intend to share with your team, make that clear early on. You are entitled to exclude the person from the study if they do not consent to share this data.

Make it clear who else has access to the data

You’ll need to be transparent about any third parties you might be sharing the outputs of the research with. For example, this could involve a transcription service you’re using, or a service that may be storing videos from the research sessions.

Even if you don’t disclose the names of the interviewees to the transcriber, they may be able to deduce who the person you interviewed from the content of the interview, or by correlating it with information that may be available elsewhere in the public domain, such as on social media. For example, you may have conducted an interview with a managing director of a well-known company, and while their name was not mentioned or disclosed in the material that had been shared forward, a simple web search would likely identify them.

In these cases, by sharing the recordings, you are essentially sharing personal data, so you will need to obtain the participants’ consent in order to do so.

Avoid jargon to get informed consent

Users must understand the content of the consent form: information should be written in plain English, avoiding acronyms and technical language.

If you’re gaining consent from children or vulnerable adults taking part in research, you’ll need to produce a consent form that they understand and will need an adult or care-giver to be present when you give consent. In these special cases you could consider designing the consent form with somebody from your target user group.

Give participants time to reflect

To give informed consent, people need time to read and process information about what you intend to do with the data about them. If possible, you should share the consent form and research information with users at least 24 hours in advance, rather than at the time where they arrive for the research session.

You can still verbally run through the main points of the form at the beginning of the research session — this would give people chance to ask questions before they sign the form. If you’re doing guerilla research, make sure to build in time for users to read and understand the form, and to ask questions. Another good practice is to confirm that your participant still gives their consent at the end of the session, in case they have changed their mind based on what they might have disclosed during the session.

Don’t confuse your forms

The consent form should not be confused with a non-disclosure agreement (NDA) or an agreement with terms and conditions. Ideally, the consent form should have a section for general information about the study and a separate section with consent statements. If you need to use an NDA, use a separate form to keep things clear.

Consent form structure

Although the structure of a good consent form won’t change much under GDPR, you might need to add a little more detail than you’re used to. You should also keep a copy of consent forms so that you have evidence of what people agreed to. The following is the anatomy of a good consent form:

1. Project details:

• Agreed incentive amount
• Describe the research in plain language
• Indicate the person responsible for the research
• Describe the shape/length of the session
• Describe what the participants are expected to do

2. How data will be used:

• Describe what happens to the output of the research
• Describe what data would be shared, and how
• Tell people how they can withdraw their data

3. How to make a complaint or ask a question

4. Statements of consent:

• Allow participant to indicate consent separately for each data processing procedure e.g a tick box to consent to being recorded and another to consent for data being shared with others.

Data administration

The fourth area where GDPR will have an impact is data administration — how you manage your data long term.

Honouring data retrieval and erasure rights

Under GDPR, people have the right to access personal information held about them by an organisation. You also need to have process in place to ensure you can permanently delete the data if requested. These rights apply to both adults and children. To be compliant with data requests, you’ll need to be able to easily retrieve personal information you are holding about an individual.

This means being extra diligent with how you organise your data: from pseudonymised participant IDs and naming conventions of raw data. If a person who took part in an interview and a usability session 12 months ago makes a data request, you’ll want to ensure you are able to retrieve transcripts, videos and any other data you’re holding and provide it within one month of the request date.

Whilst participants have the right to retrieve or request deletion of personally identifiable data such as recordings, transcripts and contact details, you don’t have to retrieve or delete data that has been analysed and aggregated that cannot be traced back to the user. For example, an anonymised quote from an interview in a report won’t be affected.

Regular data housekeeping

For everything you collect, keep tabs on how long you need it for. Then, set aside a time period to purge data you no longer need. You may need to keep some data for a longer period if you’re conducting a longitudinal study, whereas data that relates only to a design sprint may have a shorter lifespan.

For regular rounds of user research, the value of the data is in the participant profile, and not in any individual details such as name, contact details and any other individually identifiable traits. While you may need to keep a single source of the contact details for you to trace back a certain participant should they request data retrieval — access to this should be restricted and stored securely separately from the outputs of the research.

Align your GDPR practices with your legal team

As we mentioned in the beginning, we’re not legal experts and this article is our interpretation of how user researchers might implement the Information Commissioner’s Office GDPR guidance.

We think that guidance will become clearer as more organisations implement GDPR-compliant policies: we’d love to hear your thoughts on how you plan to adapt your practice.