Wednesday, February 14, 2018

7 Things All Market Researchers Must Do To Be GDPR-Ready by May 2018


On May 25th, 2018, the General Data Protection Regulation (GDPR) will enter into effect in the European Union, and it will have a fundamental impact on how organizations treat data from individuals under the new privacy laws. The GDPR replaces the 22-year-old EU Data Protection Directive and is intended to streamline data privacy laws across Europe and extend their reach to include some companies with no EU presence. Online surveys, which are at the forefront of any consumer, market, or employee research, also need to be made compliant with the updated regulations.

So what does this mean for market researchers doing work in the EU? In short, it means every organization that collects data of any kind must implement a data protocol or risk being fined 4% of total revenue or $20 million, whichever is higher.

In order to make it easier for SurveyAnalytics survey software users to create and send GDPR-compliant data collection surveys, we have put in place a seven-step process to ensure all data being collected for market research in the EU is fully GDPR compliant. Current clients who are on EU servers will automatically have these settings turned on; however, the following information must be added and documented under the settings of your SurveyAnalytics account.

GDPR Settings Structure
There are seven protocols to cover to ensure GDPR compliance. With SurveyAnalytics, we make it easy to implement a process to get started.

1. Designate GDPR Survey - Data Protection Officer
Every organization that is collecting data from EU citizens must have a named Data Protection Officer. This person should be empowered within the organization and represent the organization with respect to data and privacy issues.

2. Survey Data Retention Period
GDPR regulations state that companies must make it clear how long data about respondents and users is retained. Our default policy will be in place; however, we recommend that each company make its own decision and create its own data retention policy, one that protects its business interests while satisfying the principle of informed consent of subjects and respondents with regard to the expiry of their data.

3. Right to Look at All Survey Data Collected
GDPR calls for allowing citizens and users to look at and download all the data collected about them. Each EU respondent will have the ability to self-download their survey responses when viewing the data privacy policy available on every GDPR-enabled survey.

4. Survey Data Breaches and Supervising Authority
GDPR imposes a legal obligation to notify the supervisory authority of a data breach within 72 hours of becoming aware of it. GDPR allows for selecting a "Lead Supervising Authority"; SurveyAnalytics has selected the Dutch DPA as the lead supervisory authority that governs data collected by SurveyAnalytics. In some cases, a client may want to select its own Supervisory Authority. Those customers must then notify their own supervisory authority about a data breach, which they can do as soon as we notify them.

In cases where there is a data breach without our involvement (for example, a laptop holding data from survey respondents is stolen), it is up to our clients to notify their own supervisory authority regarding the breach.

5. Notification to Subjects - Regarding Breaches

Processor Agreements: SurveyAnalytics will have a standard processor agreement for all customers that lists our obligations as data processors. Customers who wish to have their own agreement put in place should contact us to have it applied to their account. Please note this option is only available to our enterprise customers.

Right To Be Forgotten: Respondents can request that their data be deleted at the individual-response level. They can also delete all of their survey responses. Further, they can ask the system to completely "forget" them, including all cookies about the user. SurveyAnalytics will automatically remove all references to the user from its servers.

Research and acknowledgement: When users click on the data and privacy link, the stated purpose of the research and of the data use will be presented.

SurveyAnalytics offers default language that includes:
     - Use of data for research purposes only
     - No commercial sale of data
     - No solicitation or marketing
It is up to each customer to decide which of these options to include, and customers may also edit the content and language of the default text.

6. GDPR and Data Processing Agreements
There are two kinds of entities as far as GDPR is concerned:
  1. Collectors
  2. Processors
In most cases there will be a single data collection entity that uses one or more processors, and processors may in turn use other data processors. In order to protect this chain of responsibility, GDPR envisions that DPAs (Data Processing Agreements) will be entered into between processors and sub-processors. SurveyAnalytics has a standard GDPR-compliant DPA that we provide as a template to all of our clients; no changes to this standard agreement are allowed. Clients with an Enterprise License may request changes to the standard DPA; however, approval of changes to our standard DPA will take 30-60 days.

7. List of EU GDPR Authorities by Nation
Each nation of the EU has its own GDPR representative, and it is up to your organization to be in contact with the one in the country where you do the most business.

For more information, please contact us. We will be happy to answer any questions and help you apply the proper settings to get you ready for the May 25th deadline.