Zlatko Vucetic from FocusVision outlines the three questions every research team needs to ask themselves
Over the past decade we have watched marketing become ever more sophisticated and targeted. From market research, audience mapping, location-based advertising and 1:1 engagement, the path to purchase for brands has been entirely focused on learning (and acting on) deep customer and behavioral data. Knowledge was power and data reigned supreme.
ENTER THE GDPR
The GDPR streamlines privacy laws across all EU states and will impose much more significant fines on any company found to be breaching the directive – up to $24 million or four percent of global annual revenue, whichever is greater.
There is serious house-cleaning across the Atlantic n advance of the May 25 deadline but, despite the many column inches devoted to the subject here in the U.S. the same sense of preparation is not as palpable. Anyone monitoring or gathering information from consumers in the EU, via the internet will need to comply – whether based in the EU or not. For those in the research and insights industry there are a few more steps to ensure that you stay on the right side of the regulation.
IS YOUR COMMUNITY COMPLIANT?
Speak to all of your service providers, suppliers and partners to ensure that they have conducted data mapping exercises to resolve any potential points of failure. Certifications, terms of service and privacy statements will determine that they have implemented any necessary product changes (including enabling deletion of data). You may not be your partner’s keeper but a GDPR misstep by an organization you’re working with can quickly impact you too.
WHERE IS MY DATA COMING FROM?
Beyond the myriad methodologies and suppliers needed to deliver a project to deadline and within budget, anyone leading an insights study will be considered to be a Data Controller under the GDPR.
A Data Controller is the individual who determines the purposes for how and why personal data is processed. In contrast, Data Processors include any organization that collects, stores or analyzes personal data under the instruction of the Data Controller. Either role you are also assuming responsibility for compliance with the GDPR legislation and the provision of information to individuals about whom you hold personal data among others.
WHAT CONSTITUTES PERSONAL IDENTIFIABLE INFORMATION?
Two pieces of personal information must be combined to create what GDPR considers Personal Identifiable Information (PII). GDPR now considers an IP address as one source of information, which can be combined with something like name, date of birth or home address to become PII. As part of any insights study, the team must ascertain whether the research findings contain PII? At every stage of the research, the lead must ensure tight control of the research data and findings.
The GDPR constitutes the biggest revolution to data privacy in over a generation but, companies that already adhere to best practices will already be well positioned. Asking the three questions above will ensure you can still have access to the dat you need without exposing your team or business to potentially expensive risk.
The Australian Market and Social Research Society is linked globally to 45 associations through its partnership with the Global Research Business Network (GRBN) and the Asia Pacific Research Committee (APRC). Click here to read about the AMSRS global network. This article is originally sourced from GRBN website.