Last updated: May 21, 2018
A new data privacy regulation affecting all European Union (EU) citizens, the General Data Protection Regulation (GDPR), will be enforced as of May 25th, 2018.
In an effort to keep you informed, we would like to share some of the common questions we receive from our clients. We will be continually updating this page as more questions arise, so check back often.
Disclaimer: This information is for general informational purposes only and is not intended, in any way, to be legal advice. Please consult with your own legal counsel to obtain advice on specific or general issues or questions.
What is the goal of GDPR?
It streamlines privacy laws across all EU member states, strengthens and creates additional enforcement powers, and introduces significantly higher fines. It also ensures transparency and that individuals are in control of the data that is collected about them.
Does it apply to my business if I don’t have a physical presence in the EU?
If you are monitoring or gathering personal data from individuals in the EU, for example through a website or app, you will need to comply. This applies even if your business doesn’t have a physical presence within the EU.
What is the difference between a data processor and a data controller?
A controller is the entity that determines the purposes, conditions and means of the processing of personal data. The processor is an entity which processes personal data on behalf of the controller. FocusVision is a data processor.
What is considered to be Personal Data (PII)?
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
How has FocusVision prepared for GDPR?
We undertook a number of activities to ensure GDPR-readiness. These include:
- A full data mapping exercise;
- EU-US Privacy Shield framework certification;
- Reviewing and revising our downstream terms with our vendors;
- Implementing measures to obtain verifiable, GDPR-standard consents from data subjects (where required);
- Reviewing, identifying and implementing any needed product changes (including enabling the deletion of data).
These steps are just the beginning of an ongoing process to ensure privacy and security across our entire offering.
Are the third parties that FocusVision interacts with also GDPR-ready?
Yes. Whenever we are in the client (or data controller) role, we are responsible for conducting a vendor assessment and confirming GDPR-readiness prior to using their services.
Which data protection methods does FocusVision use?
We use a variety of methods. These include data encryption at rest and in transit, anti-malware, next-generation firewalls, data loss prevention (DLP), endpoint protection, and intrusion detection and prevention systems (IDS/IPS) to protect sensitive data.
What is your personal data protection risk evaluation process?
Our risk assessment policy follows GDPR’s new, risk-based approach: data protection impact assessments (DPIAs). A DPIA ascertains the risk associated with personal data even before it is processed, and allows data breaches to be identified and mitigated at an early stage to reduce any cost or damage that may occur. Assessments can be shared upon request.
What is your contingency plan for personal data leaks?
Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors, like FocusVision, will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach. FocusVision will comply with these data breach processes.
How does FocusVision address data subjects’ rights under GDPR?
FocusVision has processes in place to address data subjects’ rights and requests for information, data deletion, data correction and data portability.
I participated in a marketing research survey. How can I request to know what information you have about me? How can I request to opt-out or delete my information you have?
What steps are in place to protect FocusVision Live Video and ensure there is no unauthorized viewing of these videos?
Live/archive video access is secured through the use of a master code and password (or secure login through FocusVision Librarian).
What happens with my PII when I log into a FocusVision Live Video stream or FocusVision Intervu?
During the login process, the first and last name and email address are shared with your company or the research agency. We store this information for the live event and for archives.
How are you meeting GDPR requirements for online communities (i.e. FocusVision Revelation)?
By isolating sensitive data, FocusVision can respond to requests for subject access or assist with data subject requests. FocusVision will ensure that the data is aggregated and anonymized, per the data minimization requirement set out in GDPR Article 5(1)(c).
If a survey screener tracker contains no personal data, and a separate password-protected page carries full respondent details, is that considered GDPR-compliant?
The document with initials alone would not constitute a risk. However, the existence of the second document with “full respondent details” would automatically make both documents subject to GDPR requirements.
I am an independent qualitative moderator. Do you have tools that will help me understand specifically what I need to do to be GDPR ready?
While all entities involved in market research share the need to protect and manage PII appropriately, we cannot offer specific guidance outside of our own operations. That said, we are actively seeking general GDPR information that may be useful to our partners and clients, and will be continually updating this FAQ page as it becomes available.