Brace yourselves: GDPR is here

We’ve been writing a lot about GDPR and how to remain compliant with the new regulation if you work in user research. This is a summary of the best advice we shared on the blog.

Doomsday is upon us; and who would have thought that the four horsemen of the apocalypse were actually these four harmless letters: G-D-P-R. If you feel like we are exaggerating, remember that #GDPRday has been trending on Twitter for several hours, that several US websites are temporarily unavailable in Europe, and that your inbox is probably Armageddon right now.

We feel like this cartoon by Mr Scruff, originally shared on Twitter, is extremely accurate.

Now that GDPR is finally here, it’s ok to take a deep breath and look back at the measures you have (hopefully) been implementing to make sure you are compliant, regardless of the industry your business operates in. We all have something in common: we need to communicate with our users, and GDPR is going to change the way we all do it.

At People for Research, we have been preparing for several months to make sure that, once the new regulation came into force, we would be ready and fully compliant. Along the way, we gathered a lot of useful information on how to stay compliant when storing user data, running user research or recruiting participants from customer lists for business research, and we have shared it regularly on our blog.

Below is a mash-up of advice both from our team at People for Research and Konrad Black, Principal Experience Consultant at Edo.

First of all, what is GDPR?

The General Data Protection Regulation (GDPR) is the EU regulation that replaced the 1995 Data Protection Directive on 25 May 2018, and it affects how all businesses process and store personal data. For a more detailed overview of what impact it may have on your business, we recommend visiting the Information Commissioner’s Office (ICO) website and getting informed about the basics.

Key tips to assure basic compliance

  1. Be transparent in the way you handle and protect data.
  2. Audit your data flow: identify the risks within your day-to-day processes, including what data you hold, where and how securely it is held, what you do with it, and how long you need to keep it.
  3. Once you’ve looked at the risks associated with data protection, be prepared to take action. The action should be proportionate to the level of risk you identified and to the resources available.
  4. Communicate clearly and regularly with everyone involved in your data exchange. In our case, this includes clients, employees and our participants; when it comes to the participants, we make sure they know about their options as far as their data is concerned.
  5. Monitor your performance. Preparing for GDPR is not a one-off task: it involves putting in place new processes which ensure compliance continues. Conduct ongoing audits of your performance and ongoing training, so that feedback keeps flowing internally.

Compliance in user recruitment and user research

Keep reading for our GDPR tips related specifically to user recruitment and research.

Using an external recruiter to find your users?

  1. Ask your recruiter who is screening participants, whether they are compliant, and how they manage the data exchange between all parties involved: the more people involved, the higher the potential risk.
  2. Check what data they will be capturing on your behalf.
  3. Ask how they store participant data and how it is secured (for example, who has access to it and whether it is encrypted).
  4. Check how they intend to share data with you and whether this is in line with your own GDPR policy.

Recruiting from a list of your own customers?

  1. Again, be transparent with your customers.
  2. Ask your customers to opt-in.
  3. Manage opt-outs properly.
  4. Make sure you get voluntary informed consent.
  5. Anonymise your data before transferring it, as this reduces the risk significantly. Bear in mind that data which you (or the recruiter) can still link back to a person using a key or lookup is pseudonymised rather than anonymous, and under GDPR it remains personal data. If you do need to transfer personal data specifically for the research session, then do so using a secure (encrypted, access-controlled) data transfer service.
  6. Don’t forget about the non-disclosure agreement.

Agency working with an ‘end client’?

  1. Anonymise personal data by removing identifiable data, unless these details are essential for the research project.
  2. Ensure your client is aware of your data protection policy and that they understand and comply with their own policy.
  3. Use a tool, such as SharePoint or Google Drive, that requires users to log in before they can open shared documents, and share with named accounts rather than with “anyone with the link”.
  4. Set expiry dates on shared documents or sharing links; this is something SharePoint allows you to do.
  5. Inform participants how their personal data may be used during and after the research session and do this before the session takes place. It is good practice to get informed consent from the participant.

Recruiting vulnerable participants?

Certain categories of data require more protection. GDPR (Article 9) calls these special categories of personal data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and genetic data, biometric data, health data and data concerning a person’s sex life or sexual orientation. This type of data may be required when recruiting for certain types of projects. The Information Commissioner’s Office (ICO) has listed all categories that come under this section of the GDPR and we recommend taking a look.


Pro tips from one of our clients

We recently invited Konrad Black, Principal Experience Consultant at Bristol-based user-centred consultancy Edo, to share some insights on the PFR blog on how to protect user data at all stages of user research in accordance with the new General Data Protection Regulation.

GDPR protects personal data: any information relating to an identified or identifiable living individual. During primary user research, you may collect personal data such as name, phone number, email address, etc. Storage of this data could be just as varied, including cloud storage of audio/video recordings or transcripts, notes taken during a research session written in a notebook, spreadsheets, etc.

How to protect data before research

  1. Ensure the privacy policies and terms of service between all partners who may need to access this data are up to date and relevant.
  2. Provide a clear and easy way for participants to get in touch and request to see their data or have their data removed.
  3. All participant screeners and research time plans must be owned and protected by whoever is doing the recruiting.
  4. Share only anonymised participant details with the wider project team and/or client.
  5. Never share any personally identifiable participant details with clients.
  6. Print/download a copy of the research time plan and audience background document if you aren’t sure you can view it online.
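The advice to anonymise before transferring, to share only anonymised details and never to hand clients identifiable details comes down to one operation: split the screener into a client copy that carries only what the session needs and a recruiter-held lookup that can re-link it. The following is an added example, not code from People for Research or Edo; the column names, the two sample records and the per-project key are constructed for illustration. It also shows why simply deleting the name, email and phone columns is not enough once free-text notes are kept.

```python
import hashlib
import hmac

# Constructed sample screener: what a recruiter's spreadsheet might hold.
# Note the free-text "notes" column, which repeats identifiers.
PARTICIPANTS = [
    {"name": "Ada Example", "email": "Ada@example.org", "phone": "07700 900001",
     "age_band": "25-34", "device": "Android", "slot": "Tue 10:00",
     "notes": "prefers email ada@example.org, has used the app before"},
    {"name": "Bob Sample", "email": "bob@example.net", "phone": "07700 900002",
     "age_band": "45-54", "device": "iOS", "slot": "Tue 11:00",
     "notes": "call on 07700 900002 if late"},
]

# Direct identifiers: these never leave the recruiter.
DIRECT_IDENTIFIERS = ("name", "email", "phone")

# Allowlist of what the client needs to run the session. Anything not listed
# (including free text) is dropped, so a new column cannot leak by default.
RESEARCH_FIELDS = ("age_band", "device", "slot")


def participant_id(record, key):
    """Stable pseudonym: HMAC-SHA256 of the normalised email under a
    per-project key. The recruiter can recompute it; the client cannot
    reverse it or recompute it without the key. A fresh key per project
    stops the same person being correlated across studies."""
    email = record["email"].strip().lower().encode()
    return "P-" + hmac.new(key, email, hashlib.sha256).hexdigest()[:12]


def pseudonymise(participants, key):
    """Return (client_copy, recruiter_lookup)."""
    client_copy, recruiter_lookup = [], {}
    for record in participants:
        pid = participant_id(record, key)
        client_copy.append({"participant_id": pid,
                            **{f: record[f] for f in RESEARCH_FIELDS}})
        recruiter_lookup[pid] = record   # stays with the recruiter only
    return client_copy, recruiter_lookup


def naive_strip(participants):
    """Blocklist approach: delete the identifier columns, keep everything else.
    Included only to show why it is insufficient."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
            for r in participants]


def leaked_identifiers(shared_records, participants):
    """Pre-send check: which original identifier values still occur anywhere
    in the records about to be shared (any column, case-insensitive)?"""
    haystack = " ".join(str(v) for r in shared_records for v in r.values()).lower()
    return [r[f].lower() for r in participants for f in DIRECT_IDENTIFIERS
            if r[f].lower() in haystack]


if __name__ == "__main__":
    key = b"replace-with-a-random-per-project-secret"   # constructed placeholder
    client_copy, lookup = pseudonymise(PARTICIPANTS, key)
    print("client copy:", client_copy)
    print("leaks after naive strip:",
          leaked_identifiers(naive_strip(PARTICIPANTS), PARTICIPANTS))
    print("leaks after pseudonymise:", leaked_identifiers(client_copy, PARTICIPANTS))
```

Run as a script, the naive strip still leaks one email address and one phone number through the notes column, while the allowlisted client copy leaks nothing. Two design points are worth keeping even if the code is not: build the shared copy from an allowlist of columns rather than by deleting known-bad ones, and run a leak check against the original values before anything is sent. Note also that the client copy is pseudonymised rather than anonymous in the GDPR sense: the recruiter, holding the key and the lookup, can still re-identify participants, so those stay personal data and belong under the access-control and retention rules described elsewhere on this page; only the client, who holds neither, receives data it cannot link back.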

During research

  1. All research notes captured during activities such as interviews, ethnographic research, usability testing, etc. are to be kept as anonymous as possible.
  2. If recording a research session (video/audio) attempt to omit or edit out any personal data, unless it’s critical to the research.
  3. Try not to capture any real personal data, unless it’s critical to the nature of the research.
  4. When conducting online surveys, anonymise the data you collect by not capturing IP addresses or geolocation, and by switching off audience profiling analytics.
  5. If offering a prize draw as an incentive for participating, create a second survey to act as a collector for the name and email address of those who opt in. The two surveys must be kept independent of one another, with no shared respondent identifier, timestamp or other field that would let a prize draw entry be matched to a response in the main survey.
  6. For all research, whether face-to-face or online/remote, always inform participants of your privacy policies or where they can access them.
  7. If recording a session, you must always ask for permission to do so.
  8. When offering an incentive to participants in person, you must receive confirmation that they have both received and accepted it.

After research

  1. Ensure notebooks, transcripts, video/audio recordings, etc. are kept anonymous by removing all references to participants where possible; where that is not possible, keep them password protected, encrypted or in a safe place.
  2. If participant time plans are saved on a device or printed, we recommend they are permanently deleted or shredded immediately after the research session.
  3. All research permission slips and incentive confirmations that contain personal data should be kept under lock and key.
  4. Store all video/audio files on a separate, encrypted drive rather than on the researcher’s local machine, in case the machine is lost or stolen (an unencrypted external drive is just as easy to lose).
  5. On completion of a project, any/all shared documents should have access permissions revoked, preventing ongoing access to user data (e.g. participant screeners, time plans etc.).
  6. Any data collected as part of a survey prize draw must be shared only with the research company (or client if surveying internal staff) in order to issue the prize. The prize draw collector survey itself must be deleted.

“GDPR isn’t the most sexy or glamorous subject out there, but it is extremely important to be aware of if you wish to stay on the right side of the law.” (Konrad Black; you can read the full blog here.)

We hope these tips are useful! Whether you are a user researcher or UX designer, work at an agency or in-house, let us know if you have any questions about GDPR or if you would like to know more regarding how People for Research are handling the new data protection legislation.