GDPR Implications for Market Research
Market researchers continue to refine the data collection process as states ensure compliance
What does GDPR mean for the market research industry?
It’s almost four years now since the European Union (EU)’s General Data Protection Regulation (GDPR) officially started, sending a global ripple effect regarding consumer data protection around the world and into the United States. We have seen mixed compliance in data breach reporting and subsequent fines, continued privacy advocate criticism, and state legislation follow-up with states like California adopting the California Consumer Privacy Act (CCPA) which went into effect on January 1, 2020.
For those interested in conducting market research, it has meant new consent requirements, limited use of data, destruction of data after project completion, and other adjustments to the industry work overall. Although breach notification has increased with the GDPR and fines are starting to be imposed on companies for those breaches we are still in a period of uncertainty of how it will affect market research directly.
It is clear however GDPR rules means market researchers have to act now to refine their GDPR compliance strategies and processes before significant negative consequences are commonplace.
What is the reason for implementing GDPR?
The EU GDPR regulations went into effect formally on May 25, 2018, after gaining status as the most heavily lobbied law in the history of the EU. The goal of the GDPR was twofold: first, the government wanted to make data privacy laws consistent throughout the EU, and second, it strove to protect the basic data privacy rights of its citizens during the modern age of digital data.
One tricky component of the GDPR is that it not only affects EU companies but also applies to non-EU businesses and organizations that sell goods or services to the EU or hold personal data of people who live in the EU. In the global economy today, that really means that the GDPR has a global reach and particularly affects United States businesses and organizations.
As a result, several state governments introduced data privacy legislation in tandem with the GDPR start date in 2018 with California’s Consumer Privacy Act leading the way. Many of the other states have followed suit.
Here are some implications for companies conducting market research today:
How does GDPR work in market research?
Companies conducting market research studies must show that they have a “legal basis for processing personal information” to comply with Article 6 of the GDPR.
This means businesses can ask participants to consent to use their personal information for a specific reason. For example, a market researcher collecting customer feedback on a new line of smart home gadgets can obtain consent before a survey is conducted to gather opinions and demographic information for that purpose. However, the same company may not use that personal information for a different set of products or services without regaining consent.
In addition, companies are allowed to collect customer information for a legitimate interest, which may include checking to see if customers are satisfied upon receiving an ordered product or service or double-checking information that is collected in an interview setting. However, the GDPR specifies that a “good reason” to protect a person’s data could override that legitimate interest in some cases and that the company must limit data collection to only that information required to reach the stated goal.
Finally, data can be collected if you’re conducting research that’s related to public or government interest. This allowance makes room for census data research and other official research.
How can market research participants under GDPR, control the information companies have about them?
Until recently, market research participants who in GDPR language are known as the ‘data subject’ may have given implied consent to having their personal data collected by simply choosing not to “opt-out” of certain programs. Now to comply with GDPR regulations, a data subject has to give explicit permission for their personal data to be collected, used, and stored, essentially they have to “opt-in” for their information to be used.
For market researchers, as classified as either “data controller”, “data processor”, or both, this will be a significant challenge as well as a potentially expensive undertaking. Each individual study where personally identifiable information (PII) is gathered or solicited directly must now be clear.
Every participating individual must be offered a consent question, which is not defaulted to opt-in, to participate, and consent to have their responses used. The question must state the nature of the study and the intent and usage of the data. In addition, respondents must be notified of their rights to access, change, and erase their data.
Besides the sheer logistics of getting individual permission for every PII study, businesses will need to monitor the collected data to ensure it is not being used incorrectly. This may mean companies need to hire consent ambassadors or a data protection officer to be accountable for that fact.
What are the GDPR exemptions for marketing research companies?
Although the GDPR is fairly strict across multiple areas and industries, a few exemptions exist.
Market researchers who conduct anonymous surveys and do not collect or use personal data may disregard the GDPR. However, personal data is defined very broadly; it not only includes names, phone numbers, addresses, email addresses, photos, and personal ID numbers but also biometric information, mobile device identifiers, IP addresses, and any other more tangential or third-party data that could lead to identification.
According to Article 89, individuals studying scientific, statistical, or historical data may be allowed to access sensitive personal data without additional processing. In some rare cases, professionals may gain access to data without consent and be permitted to store the information. The data, however, must be safeguarded to be used only in the stated fashion.
In addition, if an organization is running research that’s important for national or public purposes, according to GDPR rules it may also be exempt. This could include broad medical or health studies, government planning, or economic studies that would be performed to provide information to address larger social concerns within a community, state, or country.
What has been the impact and consequences of GDPR for marketing research?
During the first year of GDPR, the reporting of data breaches has skyrocketed. Studies show that prior to GDPR, the EU received about 20,000 data breach reports per year. In the most recent 2021 aggregate report, it reveals there have been more than 281,000 data breach notifications since the application of GDPR on 25 May 2018 with Germany (77,747), The Netherlands (66,527 and the UK (30,536) topping the table for the number of data breaches notified to regulators.
This increases consumer awareness, helps individuals take proactive steps in protecting their personal data, gives regulators information regarding the problem, and provides technology companies data that they can use to prevent breaches in the future. The success in breach reporting has fueled other countries’ efforts in setting up their own notification policies and systems.
According to GDPR, the penalties for non-compliance can reach 4 percent of a company’s annual total revenues for severe infractions. Lower penalties can be imposed for lesser infringements. However, the reality is that most companies are not yet suffering from significant financial consequences as a result of GDPR. The question then arises on how, if any, changes will be made in managing personal data if consequences are, for all practical purposes, nonexistent.
According to a report by the European Data Protection Board, total penalties totaled 55 million euros during the first nine months of GDPR. That said, 50 million euros of that total was a single fine against Google, and for the behemoth company, that amounted to 0.04 percent of its 2018 revenue.
Moving forward, the EU is working to remedy these fine-related issues and other countries are refining their own personal data protection programs, processes, and systems. That means it’s just a matter of time until market research projects may be more heavily scrutinized.
Is it time to increase your investment in GDPR compliance as a market research professional?
If you haven’t already done so, it’s time to consider how the GDPR and related data protection legislation will impact future market research efforts and take steps to ensure compliance. Market research firms will have to modify their scripts, processes, and communication to their audiences, ensuring that all the required information is shared before the research is conducted. As a result, surveys may be longer as well as interviews, which will inevitably increase the cost of conducting market research. Companies should take that into account when setting market research budgets in the future.
In addition, monitoring the use, deletion, and legitimate storage of personal data may require an entirely new position or department within an organization or business if market research is a regular part of a business’s operations.
Although all 50 states as well as Washington D.C., Guam, Puerto Rico, and the Virgin Islands have breach notification laws, many individual states are still hammering out the details regarding personal data usage. More than a dozen states have specific legislation regarding privacy and data. It’s reasonable to expect that more states will continue the discussion and that the regulatory landscape will continually evolve in this area. Amendments to current legislation as well as new considerations will occur.
Market researchers should perform a GDPR readiness assessment which includes a gap assessment to see how their current processes comply with GDPR-related regulations and what steps must be taken for full compliance. This may be a moving target as regulators continue to tweak, revise, and assess current privacy data regulations and compliance.
It may be a wise move to work with other departments such as information technology, marketing, and legal to watch upcoming changes and continually reassess areas for improvement.
Data privacy and GDPR regulation are not going away. The more companies want detailed information about consumers’ personal lives, hobbies, buying behaviors, career challenges, and shopping preferences, the more data will be sought after. Data privacy regulation works to balance the value of “customized everything” with individuals’ rights to share personal data with only the organizations they select and for the purposes they choose. Market research professionals will need to walk the fine line between the two as the struggle continues.