Market researchers must continue to refine data collection strategies
as state lawmakers struggle to ensure compliance.
It’s been a year such the European Union (EU)’s General Data Protection Regulation (GDPR) officially started, sending a global ripple effect regarding consumer data protection around the world and into the United States. The intense, pre-adoption debate and lobbying noise has simply been followed by implementation challenges, privacy advocate criticism, state legislation follow-up, and compliance struggles.
For those interested in conducting market research, it has meant new consent requirements, limited use of data, destruction of data after project completion, and other adjustments to the industry work overall. Although breach notification has increased with the GDPR, heavy financial penalties have not yet been regularly imposed on companies for those breaches. Fortunately, those GDPR growing pains mean market researchers have a little more time to refine their compliance strategies and processes before significant negative consequences are common place.
Origins and Background
The EU GDPR went into effect formally on May 25, 2018, after gaining status as the most heavily lobbied law in the history of the EU. The goal of the GDPR was twofold: first, the government wanted to make privacy laws consistent throughout the EU, and second, it strove to protect basic privacy rights of its citizens during the modern age of digital data.
One tricky component of the GDPR is that it not only affects EU companies but also applies to non-EU businesses and organizations that sell goods or services to the EU or hold personal data of people who live in the EU. In the global economy today, that really means that the GDPR has global reach and particularly affects United States businesses and organizations.
As a result, several state governments introduced data privacy legislation in tandem with the GDPR start date last year, with California’s Consumer Privacy Act leading the way. Many of the other states have followed suit.
Here are some implications for companies conducting market research today.
Lawful Basis for Processing Data
Companies conducting market research studies must show that they have a “lawful basis for processing personal information” to comply with Article 6 of the GDPR.
This means businesses can ask participants to consent to using their personal information for a specific reason. For example, a market researcher collecting customer feedback on a new line of smart home gadgets can obtain consent before a survey is conducted to gather opinions and demographic information for that purpose. However, the same company may not use that personal information for a different set of products or services without regaining consent.
In addition, companies are allowed to collect customer information for a legitimate interest, which may include checking to see if customers are satisfied upon receiving an ordered product or service or double checking information that is collected in an interview setting. However, the GDPR specifies that a “good reason” to protect a person’s data could override that legitimate interest in some cases, and that the company must limit data collection to only that information required to reach the stated goal.
Finally, data can be collected if you’re conducting research that’s related to public or government interest. This allowance makes room for census data research and other official research.
Opting Out vs. Opting In
Until recently, market research subjects may have given implied consent to having their personal data collected by simply choosing not to “opt out” of certain programs. In order to comply with GDPR, those individuals have to give explicit permission for their personal data to be collected, used, and stored, essentially they have to “opt in” for their information to be used.
For market researchers, this will be a significant challenge as well as potentially expensive undertaking. Each individual study must now be clearly defined with set parameters, and every participating individual must choose to participate and consent to have their responses used. If a related study is conducted later, they must undergo the entire process again. In addition, respondents must be notified of their rights to access, change, and erase their data.
Besides the sheer logistics of getting individual permission for every study, businesses will need to monitor the collected data to ensure it is not being used incorrectly. This may mean companies need to hire consent ambassadors or a data protection officer to be accountable for that fact.
Although the GDPR is fairly strict across multiple areas and industries, a few exemptions exist.
Market researchers who conduct anonymous surveys and do not collect or use personal data may disregard the GDPR. However, personal data is defined very broadly; it not only includes names, phone numbers, addresses, email addresses, photos, and personal ID numbers but also biometric information, mobile device identifiers, IP addresses and any other more tangential data that could lead to identification.
According to Article 89, individuals studying scientific, statistical, or historical data may be allowed to access sensitive data without additional processing. In some rare cases, professionals may gain access to data without consent and be permitted to store the information. The data, however, must be safeguarded to be used only in the stated fashion.
In addition, if an organization is running research that’s important for national or public purposes, it may also be exempt. This could include broad medical or health studies, government planning, or economic studies that would be performed to provide information to address larger social concerns within a community, state, or country.
Impact and Consequences of GDPR
During the first year of GDPR, the reporting of data breaches have skyrocketed. Studies show that prior to GDPR, the EU received about 20,000 data breach reports per year. This number is expected to double in 2019. This increases consumer awareness, helps individuals take proactive steps in protecting their personal data, gives regulators information regarding the problem, and provides technology companies data that they can use to prevent breaches in the future. The success in breach reporting has fueled other countries’ efforts in setting up their own notification policies and systems.
According to GDPR, the penalties for non-compliance can reach 4 percent of a company’s annual total revenues for severe infractions. Lower penalties can be imposed for lesser infringements. However, the reality is that most companies are not yet suffering from significant financial consequences as a result of GDPR. The question then arises on how, if any, changes will be made in managing personal data if consequences are, for all practical purposes, nonexistent.
According to a report by the European Data Protection Board, total penalties totaled 55 million euros during the first nine months of GDPR. That said, 50 million euros of that total was a single fine against Google, and for the behemoth company, that amounted to 0.04 percent of its 2018 revenue.
Moving forward, the EU is working to remedy these fine-related issues and other countries are refining their own personal data protection programs, processes, and systems. That means it’s just a matter of time until market research projects may be more heavily scrutinized.
Time to Boost Investment in Compliance
If you haven’t already done so, it’s time to consider how the GDPR and related data protection legislation will impact future market research efforts and take steps to ensure compliance. Market research firms will have to modify their scripts, processes, and communication to their audiences, ensuring that all the required information is shared before research is conducted. As a result, surveys may be longer as well as interviews, which will inevitably increase the cost of conducting market research. Companies should take that into account when setting market research budgets in the future.
In addition, monitoring the use, deletion, and legitimate storage of personal data may require an entirely new position or department within an organization or business if market research is a regular part of a business’ operations.
Although all 50 states as well as Washington D.C., Guam, Puerto Rico, and the Virgin Islands have breach notification laws, many individual states are still hammering out the details regarding personal data usage. More than a dozen states have specific legislation regarding privacy and data. It’s reasonable to expect that more states will continue the discussion and that the regulatory landscape will continually evolve in this area. Amendments to current legislation as well as new considerations will occur.
Market researchers should perform a gap assessment to see how their current processes comply with GDPR-related regulations and what steps must be taken for full compliance. This may be a moving target as regulators continue to tweak, revise, and assess current privacy data regulations and compliance. It may be a wise move to work with other departments such as information technology, marketing, and legal to watch upcoming changes and continually reassess areas for improvement.
Privacy data protection is not going away. The more companies want detailed information about consumers’ personal lives, hobbies, buying behaviors, career challenges, and shopping preferences, the more data will be sought after. Privacy data regulation works to balance the value of “customized everything” with individuals’ rights to share personal data with only the organizations they select and for the purposes they choose. Market research professionals will need to walk the fine line between the two as the struggle continues.
Jim Whaley is CEO of OvationMR and posts frequently on The Standard Ovation and other Industry Blogs.
Ovation MR is a global provider of first party data for those seeking solutions that require data for informed business decisions. Ovation MR is a leader in delivering insights and reliable data across a variety of industry sectors around the globe consistently for market research professionals and management consultants. Visit: https://www.ovationmr.com