GDPR for UX research agencies

Tom Haczewski
Mind Ctrl
3 min read · Jun 4, 2018
The UX lab at The User Story

You can’t read any business publication, blog or LinkedIn feed at the moment without running into a wild load of nonsense about GDPR. The truth is, if you handle customer data correctly at the moment, there’s probably not much you need to do.

But if you’re a UX agency conducting research on behalf of clients, there are things you need to think about. Keeping your participants’ data safe — particularly in the case of usability studies or interviews, which might have super sensitive and private information about people — is obviously important.

But sharing this data with your clients is about to get a little bit trickier. According to the new GDPR rules, people have the right to know who has their data, but also the right to ask for their data to be deleted. If you’re an agency and you share a usability video with a client, where does that leave your participant?

Turns out, there’s no simple answer — and no one answer — to this problem.

How we handle it at UX company The User Story

We consulted with the experts at Mills & Reeve to help our participants better understand how their data is used, and to make sure we’re doing things the right way to comply with new legal obligations. It might not be perfect — and it might not work for you — but here’s what we’ve changed.

Our recruitment platform LAB allows research participants to sign up, and receive notifications whenever we’re performing research, so they can quickly apply. We collect lots of user data through the platform, so we’ve updated our privacy policy (natch) to cover how we’re using data.

Our recruitment platform, LAB, aims to keep our research participants informed without skewing research data

But because we share our research videos and data with our clients, we have to let our participants know who has their information. Telling them who the client is before they carry out the research might skew our data, though — so once we’ve got agreement and carried out the research, we’ve built in a feature to tell our participants who we’ve sent their data to after the research study.

Users already had the right to delete their information from LAB whenever they like. Now they have the knowledge of who else has their data, so they can ask for their research data to be deleted by our client too, if they need to.

There’s an argument that our client has a legitimate business interest in the participant data — but that would be for them to argue.

We think the solution is neat, complies with GDPR, and fully informs our participants what’s happening with their personal info. Up to now, we’ve never been asked to remove a user’s research info anyway — but it is great to remind our participants that their comfort, rights and freedoms come first.

What about you? If you collect user research insights for your clients, how are you complying with GDPR?


I run The User Story, a UX research agency in Norwich. I love learning about human behaviour, technology, and bacon. Avid tabletop and video gamer.