FocusVision recently hosted a webinar addressing data privacy and how best to view and handle personally identifiable information (PII). As the deadline for EU General Data Protection Regulation (GDPR) readiness approaches, many questions still exist. Some of these questions were asked during the webinar, and we are sharing our answers here for your reference.
Disclaimer: This information is for general informational purposes only and is not intended, in any way, to be legal advice. Please consult with your own legal counsel to obtain advice on specific or general issues or questions.
Questions posed during our Data Privacy Webinar on April 19, 2018:
Q: Do GDPR regulations apply in any way to aggregate data and reports primarily presented in summary form (typically in percentages or mean scores, etc.), coming from a research buyer who purchases research services from suppliers? Also, do research buyers have a responsibility to ensure their suppliers are GDPR compliant?
A: First, any data that does not qualify as PII, or can’t be connected in any way to PII, would not be subject to GDPR requirements. Second, you are responsible for ensuring that any vendor you use is GDPR ready, if the data in question relates to EU citizens.
Q: What, if any, are the research settings needed to make surveys GDPR-compliant when programming? (i.e. pre-set consent screens or templates to enter controller information, or check for relevant countries to determine if GDPR applies, etc.)
A: Consents addressing the intended data use should be obtained prior to data collection. This consent may be obtained in advance of the survey (collection point) event or immediately prior.
Q: If data properly collected on EU citizens is stored in the United States, is it still GDPR-compliant?
A: Yes, if the party storing the data is Privacy Shield-certified, then transfer of data to the U.S. is allowed.
Q: Do you have a list of items that are considered PII? And, as you mentioned that the combination of certain data is considered PII, can you provide a full list?
A: PII is considered any information related to a natural person, or “Data Subject”, that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Q: How does FocusVision view and consider personal data that your platform(s) collect or use, such as IP addresses, cookies, mobile identifiers, etc.?
A: FocusVision will identify all PII data collected, apply necessary safeguards and follow GDPR guidance as required.
Q: I am an independent qualitative moderator. Do you have tools that will help me understand specifically what I need to do to be GDPR ready?
A: While all entities involved in market research share the need to protect and manage PII appropriately, FocusVision cannot offer specific guidance outside of our own operations. However, we are actively seeking general GDPR information that may be useful to our partners and clients, and will be sharing this on our designated GDPR page as it becomes available.
Q: How does FocusVision address Subject Access Requests (SARs)? GDPR requires that SAR or DSAR requests for access or erasure must be responded to quickly and completely.
A: Given that FocusVision is typically removed from direct contact with subjects, we anticipate these requests will come directly from the data controller or another processor. In either case, we will comply with the requests, per the guidelines.
Q: If a respondent screener tracker uses only initials and no other PII details, and a separate password-protected page carries full respondent details, is that considered GDPR-compliant?
A: The document with initials alone would not constitute a risk. However, the existence of the second document with “full respondent details” would automatically make both documents subject to GDPR requirements.
Q: How can users find out more about FocusVision’s GDPR compliance program? Do you have a compliance statement?
A: Yes, we will be sharing this on our designated GDPR page.
Q: Will you be able to share FocusVision archives of EU interviews with companies and clients in the United States?
A: US-based clients may access EU citizen data provided they, and any relevant processors, are GDPR ready.
Q: If viewing a focus group using FocusVision technology, but without access to respondent information other than their face/image and the related discussion, is this still considered PII data?
A: A respondent’s image, and in some cases voice, are considered PII.
Q: Is there a kind of GDPR “diploma” proving you are GDPR compliant?
A: No. There is no ruling authority for GDPR that evaluates and certifies data controllers or processors.
Q: When using InterVu, PII is currently passed through e-mail via Excel spreadsheets when booking respondents. Will this process change?
A: The respondent data we receive via email, or otherwise, will be subject to GDPR guidance. As such, it will be stored, managed and erased accordingly.
Q: Can you share the reasons why FocusVision will not automatically blur faces on live video streaming from Germany, given the more stringent data privacy laws in that market?
A: FocusVision is a data processor working on the directives of the data controller (client). We provide options to blur faces if requested by the client. The client needs to make the decision and inform us on how the data should be shown.
We encourage everyone to keep an open dialogue regarding privacy and GDPR, and welcome additional questions. Ultimately, you are the true expert regarding the most appropriate privacy protection policies and programs for your company…but we are happy to help!