As those of us who work with data (and these days that’s almost all of us) are well aware, the General Data Protection Regulation (GDPR) will come into effect very soon. Over the last year, there have been seminars, white papers and articles aplenty attempting to help us navigate the legislation and build the systems and processes that ensure our compliance and our ability to demonstrate it. However, for most people GDPR remains a daunting prospect. Expletives may apply.
At W5 we have committed considerable time and resources to understanding and meeting the demands of the new regulation by 25 May, now a very real deadline. For one, we have invested in achieving ISO 27001 Information Security Management System accreditation, which proves our data is secure.
We have also taken the time to read and distil the regulations to make sense of them in a ‘Voice of the Customer’ (VOC) context. Though nigh on impossible to capture in 800 words, here we offer what we think is important to understand and action. It is important to say that we are not lawyers and this article is not legal advice and should not be taken as such. Specific legal advice should be taken in relation to any specific legal problems or matters.
There are seven principles
- Lawful, fair, and transparent processing. Gather and use data in a way that is legal, fair and transparent to data subjects.
- Purpose limitation. Have a lawful and legitimate, specified purpose for the data at the time of collection.
- Data minimisation. Only collect the data you need to fulfil a specified purpose.
- Accuracy. Hold only up-to-date, accurate data; where data is inaccurate, amend or erase it.
- Storage limitation. Avoid unnecessary storage; erase redundant or replicated data.
- Confidentiality and security. Protect the integrity and privacy of data by making sure it is secure online and in the real, paper world at all times.
- Accountability. Be compliant and be able to demonstrate your compliance.
Two key roles: Processor and Controller
GDPR defines two roles, data controller and data processor, and clarifies the relationship and responsibilities of each. In the VOC context the data controller (our client) determines what data is to be collected, from whom, how it is to be collected, and how it is to be used. The data processor (W5) executes the instructions of the data controller. Each has specific legal obligations. GDPR requires detailed contracts between the controller and processor with specific provisions and clear determinations, including the nature, purpose and duration of the processing, the type of personal data, and the obligations and rights of the controller.
Lawful grounds for processing data
GDPR defines a number of lawful grounds for processing data. We foresee that W5 VOC clients will chiefly rely on consent and, for private sector organisations, legitimate interest, unless that interest is outweighed by harm to the research participants’ rights and interests.
The definition of consent is pretty clear: ‘any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her…’
Legitimate interest is a little less clear-cut, and provision is made within GDPR for a Legitimate Interests Assessment (LIA) if there is uncertainty. This includes a ‘balancing test’, which seeks to weigh up a controller’s legitimate interest in research against a data subject’s rights.
We believe that Voice of the Customer research should pass an LIA as:
- A legitimate interest exists for a client in understanding their customers’ assessment of their products and services
- Processing is necessary as there is no other way of capturing customer feedback
- Customers might reasonably expect to be given an opportunity to feed back their views on goods/services
- The impact of processing is minimal and safeguards are in place
Managing data for research
GDPR states that controllers that process personal data for research purposes must implement “appropriate safeguards” and put in place “technical and organisational measures” to ensure that they process only the personal data necessary for that purpose, in accordance with the principle of data minimisation.
The good news is that anonymous data is out of scope of GDPR. Once data records / survey responses contain no personal data and cannot be traced back to an individual, they no longer fall under GDPR.
The majority of the data analysis and reporting that we do in VOC programmes does not require personal data. Best practice is therefore that personal data is removed as soon as possible after data collection. In the case of closed-loop feedback, the data subject will be asked to confirm their permission to receive a follow-up call.
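One way to put that minimisation step into practice, as an added example that is not W5’s own code: direct identifiers are dropped from the analysis set, identifiers volunteered inside free-text comments are redacted, and contact details are kept only where the respondent consented to a follow-up call. The field names and the two sample responses are constructed for illustration.

```python
import re
import secrets

# Constructed sample survey responses (not real data): direct identifiers
# sit beside the feedback fields the analysis actually needs.
RESPONSES = [
    {"name": "Ann Example", "email": "ann@example.com", "phone": "+353 1 555 0100",
     "score": 9, "comment": "Great service, call me on +353 1 555 0100 if needed.",
     "follow_up_consent": True},
    {"name": "Bob Sample", "email": "bob@example.org", "phone": "+353 1 555 0101",
     "score": 3, "comment": "Slow delivery. Email bob@example.org for details.",
     "follow_up_consent": False},
]

# Assumed field names for the direct identifiers collected alongside the survey.
DIRECT_IDENTIFIERS = ("name", "email", "phone")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")


def scrub_verbatim(text):
    """Redact emails and phone numbers a respondent typed into a free-text comment;
    dropping the identifier columns alone would leave these behind."""
    text = EMAIL_RE.sub("[email removed]", text)
    return PHONE_RE.sub("[phone removed]", text)


def minimise(responses):
    """Split raw responses into an anonymised analysis set and a consent-gated
    contact list for closed-loop follow-up. Returns (analysis, contacts)."""
    analysis, contacts = [], []
    for r in responses:
        record = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        record["comment"] = scrub_verbatim(record["comment"])
        analysis.append(record)
        if r.get("follow_up_consent"):
            # Random case token: the client can make the follow-up call from this
            # list while the analysis set carries no personal data at all.
            contacts.append({"case_id": secrets.token_hex(8),
                             "name": r["name"], "phone": r["phone"],
                             "score": r["score"]})
    return analysis, contacts
```

The contact list should live under its own access controls and retention period, separate from the anonymised analysis set.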
It is hoped these four considerations take away some of the dread of GDPR. As with all legislation it is detailed and complex. But there is a way through and, though tough and onerous, ultimately it will safeguard us as professionals as well as protect us as individuals. As they say, no pain, no gain…
Clare Kavanagh is Managing Director of specialist customer experience measurement and insight consultancy, W5.