Although the General Data Protection Regulation or GDPR has been enforced for well over a year, numerous market researchers are still unable to fully understand its effects and consequences. This can be highly disadvantageous since companies that violate this regulation will be subject to heavy sanctions.
The Information Commissioner’s Office (ICO), responsible for enforcing data protection legislations in the UK, has reported and imposed hefty fines on multiple major non-compliant companies in the past. These include Facebook and Equifax, both fined £500,000 for not protecting their users’ personal information. Additionally, Google also went under investigation over GDPR violation claims.
But why wait until you've breached privacy and security regulations? Whether you're working in-house or independently, you must stay on top of essential things required by market research GDPR. In this article, we've compiled a list of things to avoid to maintain GDPR compliance:
Mistakes to Avoid for GDPR Compliance
1. Not Designating a Data Protection Officer
If an organization collects data within the European Union (EU), assigning a data protection officer with extensive data protection knowledge is crucial. This makes protecting users' personal information easier as they’re responsible for representing the organization regarding data and privacy issues.
2. Having an Unclear Data Retention Policy
According to the GDPR survey data regulation, companies must ensure that respondents know how long their data will be stored in a company’s database. Companies should have a data retention policy that satisfies the respondents’ preferences while ensuring that the company still meets its goals.
3. Refusal to Let Subjects View and Download Collected Survey Data
Among the individual rights in market research GDPR include the right of access and data portability. This allows the data subject to access, copy, move, and transfer their personal data. Failure to do so violates compliance regulations.
4. Not Notifying a Supervisory Authority and Involved Individuals After Data Breaches
Article 33 of GDPR states that data breaches must be reported within 72 hours to their supervisory authority. If the client resides in a state different from the company, they may choose to use their own local supervisory authority. In the past, companies that failed to do this were sanctioned heavily (e.g., Uber was fined £385,000).
5. Refusal to Delete Data Subject Data When Requested by Said Individual
The right to erasure / be forgotten is another individual right within GDPR. This means data subjects have the right to have their data destroyed when it’s no longer necessary for the purpose it was collected, if they withdraw their consent, or if their data was unlawfully processed. You must also notify third parties to whom the personal information was disclosed.
What to do for GDPR Compliant Market Research
GDPR non-compliance can lead to multiple fines and penalties, so it's important to ensure you fully understand what you must and must not do for GDPR compliance in market research. It may seem complicated at first, but remember to always ask for a contact's consent first and foremost.
Always ask for consent before contacting market research respondents, only send non-essential information when it is requested, and only use personal data for the purpose it was collected.
Trust that Participant Data is Secure with Civicom® Marketing Research Service
Civicom maintains compliance with privacy and security policies (GDPR and HIPAA) when conducting sensitive market research studies. Any private data is encrypted and stored safely in our database to prevent unwanted threats. Rest assured that your respondents' personally identifiable information is safeguarded and kept confidential. Know more about our services and how we help you.