The General Data Protection Regulation (GDPR) Journey

Be prepared for the future of privacy regulations.

With the scale of data collection increasing, it is not surprising that a new regulatory framework is needed to ensure that citizens have the legal right to control how and when a company uses the data collected on them.

A new data privacy regulation, the General Data Protection Regulation (GDPR), became active on May 25th, 2018. Below are some of the common questions we receive from our clients.

What is the goal of General Data Protection Regulation?

It streamlines the privacy laws across all EU states and strengthens/creates additional enforcement power and significantly higher fines. This puts the individuals in control of the data that is collected on them.

What is the reach?

If you are selling any products or services within the EU, you need to comply with the General Data Protection Regulation.

Does it apply to my business if I don’t have a physical presence in the EU?

If you are monitoring or gathering information from individuals in the EU through a website or app, you need to comply. This holds even if your business doesn’t have a physical presence within the EU.

How did FocusVision prepare?

FocusVision undertook (and continues to undertake) a number of activities to ensure that it is General Data Protection Regulation ready.

These activities include:

  • Conducting a full data mapping exercise;
  • Certifying against the EU-US Privacy Shield framework (see a copy of our certification);
  • Updating FocusVision’s standard terms of service and privacy statement (including General Data Protection Regulation disclosure requirements);
  • Reviewing and revising FocusVision’s downstream terms with its vendors;
  • Implementing measures to obtain verifiable, GDPR-standard consents from data subjects (where required);
  • Reviewing, identifying and implementing any needed product changes (including enabling deletion of data).

What does General Data Protection Regulation mean for insights leaders and their teams?

The following example will guide you through a typical scenario impacted by General Data Protection Regulation:

Olivia is an insights leader looking to reduce complexity and future proof her department with GDPR front and center.
Meet Olivia.

She’s an insights leader looking to reduce complexity and future proof her department with the General Data Protection Regulation front and center.

Roles & Responsibilities:

  • Analyzes research studies to develop insights and storytelling.
  • Leads a team of the company’s in-house research experts; management style driven by best practices.
  • Contributes thought leadership to the industry through conference speaking engagements and blog posts.
  • Focuses primarily on quant research, with some qual.
  • Primarily supports product and marketing functions within the company; occasionally helps HR and Sales with simpler surveys.


  • Developing her team.
  • Addressing technical barriers that affect her team.
  • Managing multiple suppliers.


  • Guidance and simplicity.
  • Data analysis accelerators.
  • Speed to decision making.

Olivia has experienced a tremendous amount of change, both inside and outside of her organization. As she supports a wide range of business challenges, rapid project decisions and collaboration are critical to her success.

Due to the number of suppliers she uses on any given project, the overall complexity can be quite high. Ultimately, she knows that a high degree of complexity can pose a risk to her projects.

Olivia’s typical journey, with some General Data Protection Regulation considerations…

Phase 1: Design, internal alignment, supplier bid collection

What usually happens: The internal project kicks off with a business question that Olivia is tasked with answering. She then determines the best combination of methodologies and suppliers to deliver project results on time and on budget.

GDPR questions to ask:

  • Where does this project fit in under General Data Protection Regulation?
  • On whom are we collecting data?

GDPR good to know:

Data Controller or Processor, which am I?

Since Olivia is determining the design of the study she is considered a Data Controller under General Data Protection Regulation. Data controllers determine how the data being collected will ultimately be used. Data processors include any organization that collects, stores or analyzes personal data under the instruction of the data controller.

Phase 2: External project kickoff, recruitment, project execution

What usually happens: The scope of Olivia’s project has increased. She will now need to manage a sequence of three research projects and related suppliers. As a result, project complexity has increased significantly as more global stakeholders get involved.

General Data Protection Regulation questions to ask:

  • How are my suppliers handling data?
  • Do they have a clear process for data removal?
  • What type of data are they sharing with my organization through their deliverables?
  • Will they notify me if there is a request to remove data already provided me?
  • What is their data retention policy?

General Data Protection Regulation good to know:

Understand Personal Identifiable Information

Two pieces of personal information must be combined to create what the General Data Protection Regulation considers Personal Identifiable Information (PII). General Data Protection Regulation now considers an IP address as one source of information, which can be combined with something like name, date of birth or home address to become PII.

Phase 3: Analysis, reporting, decision making

What usually happens: Olivia and her team analyze the data, review the topline results from their suppliers and bring all of the key decision makers into the room to share results. After this initial review of the findings, the report and data will be shared with a broader group, including other business units.

GDPR questions to ask:

  • Do the research findings contain PII?
  • Will any PII collected within the EU be shared outside of the EU?
  • Will anyone outside the EU be accessing project data residing on EU servers?

GDPR good to know:

Access authorization

In a global company such as Olivia’s, access to research findings is the key to moving projects forward quickly. As such, Olivia must ensure that she has tight control of her research data and findings. If a request for removal of PII is issued, both the project controller (Olivia’s company) and the data processors (suppliers) must comply.

Be GDPR-ready with FocusVision

Olivia doesn’t have the time to stay on top of the new privacy regulations or vet every supplier she works with to ensure they are GDPR-ready. And as stated earlier, managing multiple suppliers adds risk in the General Data Protection Regulation world. FocusVision eases these issues and lets customer experts like Olivia can focus on what they do best.

Our GDPR-ready, managed tech solutions power research departments in many ways:

An illustration depicting your research processes including exploration, development, and marketing evaluation.
An illustration depicting your research center and the combination of exploration, development, and marketing evaluation.

FocusVision managed tech solution blueprint

Through FocusVision’s General Data Protection Regulation ready technology layer and on-site dedicated support, we become an extension of your team.

What you get:

  • Less risk
  • Less complexity
  • More collaboration
  • More savings
  • More security

How we bill:

  • Initial one time tech migration fee
  • One invoice, billed monthly for all technology and support
  • Ad hoc premium analytics options
  • 1, 2 and 3-year agreements

Project ramp-up:

Based on project complexity; typically 2-4 months

FocusVision continually manages tech solutions for world-class research departments. We have built our technology and reputation on a foundation of data security and privacy.

We see the General Data Protection Regulation as a true opportunity. We encourage businesses and research departments to evaluate your suppliers (including FocusVision) and ask if they are prepared for changing data privacy regulations and the high likelihood of global General Data Protection Regulation adoption.

Let us help you with an on-site review and consultation.

Olivia’s Jargon Free General Data Protection Regulation self-help check list

Minimum impact

Jargon-free translation: Design projects with minimum amount of data collection. A general rule of thumb is to identify how every piece of data will be used. Is the personally identifiable information that is collected as a default critical to the success of the project?

Notice and consent

Jargon-free translation: Consent must be free, specific and informed and clearly state the purpose of data collection. Transparency with the data subject is key.

What is considered PII

Jargon-free translation: PII is comprised of two types of data. For example, if two of the items in the list below, say name and mobile device identifier, are combined it is then considered PII. Any data that can be used to identify or single out a data subject is considered PII.

Some of the types of data considered personal identifiable information are:

Name, address, email address, telephone number, mobile number, birthdate, mobile device identifier, IP address, photographs, audio and video recordings, national identifier numbers (driver’s license, social security, national insurance), user identifier assigned by your organization, social media user name, data stored within a cookie or tracking pixel/tag.

Integrity and security

Jargon-free translation: From design to reporting data and any PII should be accurate and easily updated. When it comes to data retention, shorter is always better. If you are managing a panel, the panel participants and their PII should be layered with alias’ that link to a master data sheet containing PII like name, address etc.

Transfer of data

Jargon-free translation: Research participants must consent in order for data to be disclosed. Trans-border data transfer should be in compliance with established international data laws.

Out-sourcing and sub-contracting

Jargon-free translation: When engaging with outsourced or subcontractors they must also be clear of the regulations around personal data collection and handling. Additionally, when working with subcontracting an agreement should be in place that contractually states business terms and data protection requirements and information security requirements.

Privacy notice

Jargon-free translation: Privacy notices should be easy to understand and relevant. The privacy notice should clearly outline who the data controller is and their intention to use personal data.

Download eBook


Data Privacy: The History and Future of Data Protection

Join FocusVision’s Mike Kuehne and Tom Myers as they discuss the past, present and future of data privacy.

See for yourself: Begin your journey to better customer insights

Request a demo