To celebrate compliancy, we’re providing a quick checklist that any research agency can use to ask their sample provider about the GDPR.* Why are we doing this? Well, we genuinely believe the GDPR will improve the industry. You see, people are at the center of market research, and that’s why it’s important to respect and protect the panelists. The GDPR ensures we continue to do just that. See where to begin with the checklist below.
*Please see our legal disclaimers and frequently asked questions at the bottom of the page. Reach out to firstname.lastname@example.org or your favorite Netquest contact for our official communication on the steps we’ve taken to become GDPR compliant.
7 Questions to Ask Your Panel Provider:
☐ Are you GDPR compliant?
This seems like an obvious question, but it’s a question you are going to want to document. Those who process data (collect, purchase, analyze, etc.) of people protected by the GDPR must make sure the source of the data is compliant. Proving you’ve done your due diligence will be useful in a worst case scenario.
☐ Who is your Data Protection Officer?
In most circumstances, organizations controlling or processing data of people protected by the GDPR need to have an appointed Data Protection Officer. You should ask for the contact information of this person and inquire about their credibility. If the panel provider fails to give you this information, play it safe by collecting data from an organization that can provide DPO information.
☐ Can panelists access and export their data easily?
People protected by the GDPR now have the power to request data that organizations are storing about them. Make sure the panel company is complying with this measure by allowing panelists to easily access and export survey responses, demographic info, and any other data that is kept on file.
☐ Have panelists given explicit consent to be on your panel?
People have to provide explicit consent to become a part of a panel for market research. To obtain that consent, the terms, conditions, and privacy policies should be written clearly enough for the average person to understand, free of legal jargon. Make sure your panel provider complies with the GDPR on this front.
☐ Can I see the privacy policies communicated to panelists?
It isn’t enough that the privacy policies and other legal conditions about data collection and storage are easy to understand. These terms also have to be easy to access at any time for reference. Ask your panel provider for a copy or a link to the policies, or even try to access them yourself on their website. That way you’ll know for yourself if they are complying with the GDPR.
☐ What if during an ongoing project, respondents request to be removed from the panel?
The GDPR enforces the right to be forgotten, known as Data Erasure. This means panelists have the right to be easily removed from panels and ongoing research. They also have the right to remove their data from databases. If Data Erasure eventually ends up significantly affecting your ongoing research project’s sample, it’s something to sort out in the terms of your contract with your panel provider.
☐ What are your data retention policies?
In the case of purchasing ‘back data’ or ‘profiling’ information, you’re going to want to know the specifics about how the panel company stores data. The GDPR’s rules for data storage are vague yet enforced, stating personal data should not be retained longer than necessary in relation to the purpose for which such data is processed. Find out the details about the company’s data retention model and use your best judgement on whether or not the use of this data would be classified as compliant.
Frequently Asked Questions:
What is the GDPR?
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU.
Who does the GDPR affect?
The GDPR affects organizations in the European Union and organizations utilizing information about citizens from the European Union, regardless of the company’s location. If you collect, purchase, store, manage, track, or analyze data of people protected under the GDPR, you have to be compliant as of May 25, 2018. This is critical for market research agencies, research departments, and panel companies alike, since people and their information are at the center of our industry.
What’s on the line?
Organizations who do not comply with GDPR can be fined up to 4% of annual global turnover or 20 million Euros, whichever is greater. It’s also important to consider, if news leaks, what will happen to the reputation of the establishment in breach of the GDPR.
Why should you care as a market research agency or research department?
You have to be cautious of where the data you’re using is coming from; if the data is not coming from a data compliant source, even the research body (you and your organization) can be hit with hefty fines (see above).
Netquest, and entities under Netquest, are not your legal advisors and will not be liable in any way if you mistakenly believe this is a legal report for you to follow. This is not a legal GDPR implementation guide.
Please bear in mind that this provided content, and any other GDPR content produced by Netquest and its entities, is not a source of legal advice. This article and all other materials about GDPR are curated by Netquest as marketing materials to promote and support the need to be compliant with the new regulations.
To become GDPR compliant and to understand how to work with other organizations that should be compliant (such as panel providers), we recommend you contact and work closely with a legal advisor.
Every company is different and therefore needs different adaptations to the GDPR. In a nutshell, we are so happy you read until here, but please do not rely on this paper as legal advice, nor as any applicable legal interpretation.
Reach out to email@example.com or your favorite Netquest contact for our official communication on the steps we’ve taken to become GDPR compliant.