Last updated: August 23, 2018
FocusVision Positioning on GDPR
Like any responsible organization that takes its data privacy commitments seriously, FocusVision has been assessing its, and its clients’, data protection responsibilities under the GDPR. This note explains how FocusVision helps its clients to fulfill their GDPR compliance responsibilities when conducting research projects.
The GDPR requires that research participants or “data subjects” must be provided with transparency about the organization(s), which determine the “purpose and means of controlling processing the personal data”. In GDPR terms, these organizations are the “data controllers”, i.e. the client who is the research sponsor and their research agency, and the data subject must be informed of their identity in order for personal data to be shared.
However, the GDPR applies only to un-anonymized personal data. Data that has been anonymized falls outside of the scope of the GDPR. As a result of this, where the GDPR applies FocusVision’s position is that:
- If a data controller (client/agency) wishes to view a research interview in non-anonymized form, the client’s identity must be disclosed to the data subject (see below for when disclosure must be provided).
- If a client wishes to view a research interview in the anonymized form, the client’s identity does not need to be disclosed to the data subject.
When does the GDPR apply?
The GDPR has specific rules that govern when it applies. In simple terms, however, FocusVision’s assessment is that the GDPR will be in scope when:
- the research itself is conducted in the EEA (e.g. at an EEA location, regardless of the nationality of the research participants); or
- a data controller of the research data (e.g. the research sponsor/client/research agency) is established in the European Economic Area (“EEA”) (regardless of where, geographically, the research is actually conducted)
When must the client’s identity be disclosed?
As described above, when the GDPR applies and a client wishes to view a research interview or research data in the non-anonymized form, then the client’s identity must be disclosed to the research participant to comply with GDPR transparency requirements.
The GDPR says that this transparency must be provided “at the time” the research participant’s data is collected, but does not indicate whether transparency must be provided at the outset or the conclusion of the interview.
Clients should assess their own compliance requirements in consultation with their legal advisors but, in general, most clients choose to provide identification to the data subject at the end of the research session.
This approach was supported at a major EEA trade organization event where it was generally suggested that data subjects should be asked whether they want to know the data controller’s identity at the start of the interview or are happy to wait until the end.
FocusVision’s view is that this approach is aligned with the spirit of the GDPR and avoids the negative (and unintended) consequences that providing early transparency might otherwise cause – namely, biasing research. However, each client must seek its own independent legal advice as to the specific compliance measures it needs to take.
A new data privacy regulation affecting all EEA residents, the General Data Protection Regulation (GDPR), went into effect on May 25th, 2018.
In an effort to keep you informed, we would like to share some of the common questions we receive from our clients. We will be continually updating this page as more questions arise, so check back often.
Disclaimer: This information is for general informational purposes only and is not intended, in any way, to be legal advice. Please consult with your own legal counsel to obtain advice on specific or general issues or questions.
What is the goal of GDPR?
It streamlines privacy laws across all EEA states and strengthens/creates additional enforcement power and significantly higher fines. It also ensures transparency and that individuals are in control of the data that is collected on them.
Does it apply to my business if I don’t have a physical presence in the EEA?
If you are monitoring or gathering personal data from individuals in the EEA, for example through a website or app, you will need to comply. This applies even if your business doesn’t have a physical presence within the EEA.
What is the difference between a data processor and a data controller?
A controller is an entity that determines the purposes, conditions, and means of the processing of personal data. The processor is an entity which processes personal data on behalf of the controller. FocusVision is a data processor.
What is considered to be Personal Data (PD)?
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
How has FocusVision prepared for GDPR?
We undertook a number of activities to ensure GDPR-readiness. This includes:
- A full data mapping exercise;
- EU-US Privacy Shield framework certification (view our certification);
- Reviewed and revised our downstream terms with our vendors;
- Implemented measures to obtain verifiable, GDPR-standard consents from data subjects (where required);
- Reviewed, identified and implemented any needed product changes (including enabling the deletion of data).
These steps are just the beginning of an ongoing process to ensure privacy and security across our entire offering.
Are the third parties that FocusVision interacts with also GDPR-ready?
Yes. Whenever we are in the client (or data controller) role, we are responsible for conducting a vendor assessment and confirming GDPR-readiness prior to using their services.
Which data protection methods does FocusVision use?
We use a variety of methods. These include Data encryption at rest, Data encryption in transit, Anti-Malware, NextGen firewalls, DLP, Endpoint protection and IPS/IDS intrusion systems to protect sensitive data.
What is your personal data protection risk evaluation process?
Our risk assessment policy is currently active using GDPR’s new, risk-based approach: data protection impact assessments (DPIA). DPIAs ascertain the risk associated with personal data even before it’s processed. DPIAs also allow identification and mitigation of data breaches at an early stage to reduce any cost/damage that may occur. Assessments can be shared upon request.
What is your contingency plan for personal data leaks?
Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors, like FocusVision, will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach. FocusVision will comply with these data breach processes.
How does FocusVision address Data Subject’s rights under GDPR?
FocusVision has processes in place to address Data Subject’s rights and requests for information, data deletion, data correction and data portability.
Q. Now that GDPR is in place, what has changed about how I use your services?
A. FocusVision is GDPR ready which means you can continue to use our services as before assuming you have received consent from the data subject. In cases where the data controller will not identify themselves, some services will require a change in setup. In most cases, this means the anonymization of the data subject’s personal data. In either case, you can be sure we are properly managing all personal data that we receive according to GDPR regulations.
Q. What is the difference between the Data Controller and Data Processor? I am with the research agency supporting my client, am I a Data Processor?
A. While there are some grey areas the general definitions are as follows:
- A Data Controller is the entity that determines the purposes, conditions, and means of the processing of personal data.
- The Data Processor is an entity which processes personal data on behalf of the controller.
Please note that agencies are often seen as a data controller. FocusVision would be a Data Processor.
Q. I am being told that I can’t see un-anonymized images or video unless the data subjects have been informed of my company’s identity. Is this true?
A. Under new GDPR guidance, Data Controllers may not have access to un-anonymized PD of a data subject unless the Data Controller has first been identified to the data subject.
However, Clients may view anonymized transmissions without ever disclosing their identity. FocusVision offers solutions for anonymizing PD for all our services.
Q. In cases when I am only allowed to see an anonymized video I am being told that the data subject’s voice must also be anonymized?
A. GDPR guidelines are ambiguous on whether a data subject’s voice constitutes personally identifiable information. Our interpretation of GDPR is that anonymization of data subject voices is not necessary unless the data subject is a publicly known person. Please note that data subject voices may only be anonymized on our Live Video service at this time. We will update this section as we expand this solution to other services.
Q: What is considered PD?
A: PD is any information related to a natural person, or “Data Subject”, that can be used to directly or indirectly identify that person or identifiable to a person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. In some cases, data by itself is not PD unless it is combined with another piece of data.
Q: Do GDPR regulations apply in any way to aggregate data and reports primarily presented in summary form (typically in percent’s or mean scores, etc.), coming from a research buyer who purchases research services from suppliers?
A: Only data that qualifies as PD would be subject to GDPR requirements.
Q. Will FocusVision automatically anonymize data that is subject to GDPR guidelines?
A: No. FocusVision offers several options for anonymizing data. Whether anonymization is required is determined by the data controller(s) which would be aware if GDPR guideless, particularly including informed consent of the data subject, have been followed.
Q. Do research buyers have a responsibility to ensure their suppliers are GDPR compliant?
A: Yes. You are responsible for ensuring that any vendor you use is GDPR ready if the data in question relates to EEA residents.
Q: If data properly collected on EEA residents is stored in the United States, is it still GDPR-compliant?
A: Yes, if the party storing the data is Privacy Shield-certified or have entered model clauses with the client (Data Controller), then the transfer of data to the U.S. is allowed.
Q: How does FocusVision view and consider personal data that your platform(s) collect or use, such as IP addresses, cookies, mobile identifiers, etc.?
A: FocusVision will identify all PD collected, apply necessary safeguards and follow GDPR guidance as required.
Q: My company is still uncertain what we need to do to be GDPR ready. Do you have tools that will help me understand specifically what I need to do to be GDPR ready?
A: While all entities involved in market research share the need to protect and manage PD appropriately, FocusVision cannot offer specific guidance outside of our own operations. However, we are actively consolidating general GDPR information that may be useful to our partners and clients and will be sharing this information on this page as it becomes available.
Q: How does FocusVision address a Data Subject Access Request (DSARs or SARs) for access or erasure?
A: Given that FocusVision is typically removed from direct contact with data subjects, we anticipate these requests will come from the data controller or another processor. If FocusVision receives a SAR directly from a data subject it will be communicated to the client prior to taking action. In either case, we are prepared to comply with the requests, per GDPR guidelines. Requests should be sent to firstname.lastname@example.org.
Q: If a document with data subject information such as a respondent screener tracker or worksheet uses only initials and no other PD details, but a separate password protected page carries full data subject details, is that considered GDPR-compliant?
A: The document with anonymized PD only would not constitute a risk. However, the existence of the second document with “data subject details” would automatically make both documents subject to GDPR requirements since they could be used together at some point in the future.
Q. How long do you keep data respondent information? If I downloaded data from a project, how long do I need to keep it?
A: FocusVision’s data retention policy varies by service and your account contact can provide our policy for a particular service. GDPR guidelines state that data should only be kept as long as is necessary, so your company’s retention policy must keep this in mind.
Q: How does FocusVision address Data Subject Access Requests (SARs)? GDPR requires that SAR or DSAR request for access or erasure must be responded to quickly and completely.
A: Given that FocusVision is typically removed from direct contact with subjects, we anticipate these requests will come directly from the data controller or another processor. In either case, we will comply with the requests, per the guidelines.
Q: I am an independent qualitative moderator. Do you have tools that will help me understand specifically what I need to do to be GDPR ready?
A: While all entities involved in market research share the need to protect and manage PD appropriately, FocusVision cannot offer specific guidance outside of our own operations. However, we are actively seeking relevant GDPR information that may be useful to our partners and clients and will be sharing this as it becomes available.
Q: Is there a kind of GDPR “diploma” proving you are GDPR compliant?
A: No. There is no ruling authority for GDPR, which evaluates and certifies data controllers or processors.
Q: What, if any, are the research settings needed to make surveys GDPR-compliant when programming? (i.e. pre-set consent screens or templates to enter controller information, or check for relevant countries to determine if GDPR applies, etc.)
A: Consents addressing the intended data use should be obtained prior to data collection. This consent may be obtained in advance of the survey (collection point) event or immediately prior.
Q: Will you be able to share FocusVision archives of EEA interviews with companies and clients in the United States?
A: US-based clients may access EEA resident data provided the appropriate consents are in place based on our Privacy Shield certification.
Q: If viewing a focus group using FocusVision technology, but without access to data subject information other than their face/image and the related discussion, is this still considered PD?
A: A data subject’s image, and in some cases voice (if the data subject is a publicly known person) are considered PD.
Q: When using InterVu, we (or our supplier) send you PD on the data subjects through e-mail via excel spreadsheets. Will this process change?
A: All data subject information we receive via email, or otherwise, will be subject to GDPR guidance. As such, it will be stored, managed and erased accordingly.
Q: Can you share the reasons why FocusVision will not automatically blur faces on live video streaming from Germany, given the more stringent data privacy laws in that market?
A: FocusVision is a data processor working on the directives of the data controller (end-client or agency). We provide options to anonymize images if requested by the client. The client needs to make the decision to use these tools or not.