GDPR has shaken many areas of the market research industry, reaching far beyond those companies operating within the European Economic Area (EEA). Of the many companies with which I’ve had GDPR conversations, none feel they fully understand GDPR or that their efforts to be compliant are 100% challenge-proof. There is too much ambiguity built into the new law to have that level of confidence.
This ambiguity and ensuing uncertainty came through loud and clear from the questions posed during our recent GDPR update webinar. Below you’ll find answers to the most common questions that we received.
Please note that the below opinions do not constitute legal opinions on the provisions and definitions provided by the GDPR.
What is personal data?
According to the Irish Data Protection Commission, personal data is [any] “data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in or is likely to come into the possession of the data controller. This can be a very wide definition depending on the circumstances.”
Is natural voice personal data?
Here at FocusVision, we have taken the position that a data subject’s natural voice is not personal data. Unless that person is publicly known, i.e., a celebrity or public figure, a person’s voice by itself it is anonymous data and identification by voice alone would require efforts exceeding that deemed reasonable.
Per GDPR (Recital 26)
“To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.”
However, we do offer voice anonymization, which we’ll cover shortly.
Who is the data controller?
Identifying the data controller is a critical aspect of GDPR. The data controller must be identified to the data subject in order to have any access to the personal data of the data subject; like their image when viewing an interview.
The definition of a data controller is sufficiently broad to make it difficult for an end-client or research agency involved in the fielding of a research project to declare otherwise, GDPR says a Data Controller is:
“the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.
In market research, the research sponsor is almost always a controller, and in most cases, the client and their agency share that role (i.e., joint controllers).
What about identification of the Data Controller to the Data Subject?
We believe that a data controller can only access personal data if the data controller has been identified to the data subject. Unless you identify, you can’t watch an IDI or group interview, login into a survey with uploaded data subject images or see data subject homework which may contain personal data.
If you say “OK, we will identify,” when do you need to do it?
From Article 13, the exact wording from GDPR is:
“Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with…identity and contact details of the controller…”
Moreover, per GDPR Recital 61 “Time of Information” says:
“The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject…”
What GDPR is stating here is that identification should occur sometime after you start speaking with the data subject and before you stop. Some companies and trade organizations appear to be leaning toward identifying at the end of an interview given the bias that pre-identification introduces. Some companies ask the respondent if they want to know who the data controller is up front but promise to reveal at the close.
If you say “No, we won’t identify,” what information can you see?
Nothing that would be considered personal data. In FocusVision’s world, that means image (and voice, should you feel this is necessary).
How does FocusVision anonymize image?
It depends on which FocusVision service you are using. To anonymize image for a live stream we blur your view, for InterVu we forgo webcams, and for Decipher and Revelation, we block access to questions that might contain video responses.
How does FocusVision anonymize voice?
Upon request, FocusVision can anonymize data subject’s voices by changing the audio to a higher pitch. This approach was reviewed and approved by our transcription partners to ensure clarity was not compromised.
What can I do to support lobbying efforts by the Market Research industry?
The “unintended consequences” of GDPR on our industry are serious, and our action is needed. We applaud the lobbying efforts that the trade groups have made and continue to make, and we encourage members of these organization to remind their respective boards to keep the pressure up. We are also encouraged to see that organizations are combining forces in their communication with the European Data Protection Board (EDPB), in particular, the current efforts to develop a GDPR approved Code of Conduct for the Market Research industry. For those interested, EFAMRO and ESOMAR are running a free webinar on this initiative later this month. This will be an opportunity to offer your input and show support.
For more information on GDPR, and how FocusVision is addressing it, see our Resource Center.