Editor’s note: Zoltan Szuhai is director, research and development, and data protection officer of market research firm Nebu, the Netherlands. This is an edited version of a post that originally appeared under the title, “GDPR – market research implications #1 – CATI.” 

As we discussed in a previous blog post, the EU General Data Protection Regulation (GDPR) affects all companies that deal with data of EU citizens. Every company needs to be aware of data flow, whether it is related to generic customer data or data collected for well-defined purposes.

Having an overall data flow attached to the company procedures in practice will be your biggest help pinpointing risks, vulnerabilities or improvement possibilities. Having said that, one of the very first steps is describing the ins and outs of all the data you need to deal with.

Next you must classify the data and your role related to it – this requires continuous attention from your staff as soon as new processes are established that affect the data flow. In our previous blog post we described the roles and data classification types. Not all data requires attention but you still need to guarantee that you do not start mixing this data with personal identifiers or sensitive data. Consider the following factors for data you need to handle with high attention:

  • In what format does the data exist? Do not allow yourself to merely focus on data sitting in databases as there are also files, e-mails, documents and tables – this is just digital data. There can be data on paper as printed lists, in sound recordings, etc.
  • How is the data transferred between destinations? Does the transfer method have the appropriate characteristics in terms of security, control and accessibility?
  • What storage location will be chosen?
  • Who can access the data in each destination?
  • Who is accountable for the data in each destination?
  • What is the life cycle of data? When does it appear in your system? How and when can it be removed? Is removing data an option?

This list may look a bit abstract at first glance but let’s examine a market research practice (without the aim of completeness) and pinpoint challenges.

CATI

Computer-assisted telephone interviewing (CATI) can start on two different paths: with an RDD (or semi-RDD) sample and with a “normal” sample. 

In both cases you can end up in a few tricky situations. First and most important you need to be aware of laws that apply to your activity. This includes whether or not RDD sample is allowed and also indicates if do not call lists (blacklists) have to be applied.

For normal samples, you need to consider all the characteristics mentioned in the data-flow section:

  • Do you send e-mails with sample files where the sample files are not password protected and not encrypted? It is really easy to Cc many people but is it necessary? Can you confirm that only the relevant people will get the content?
  • Do you use normal FTP instead of FTPs/sFTP? Are the access credentials managed properly? Can you guarantee that users use different (unique) logins and access rights?
  • Can sample files end up in various local workstations or local file shares? If so, for how long? Do you have an established data retention/cleanup policy?
  • If data comes from Web services or external database connections do they use proper authentication and encrypted data transfer?
  • Phone numbers are personal identifiable information. Are those hidden from the interviewers?
  • If you use manual dialing, do you have an appropriate policy on it?
  • What about your sound recordings? It’s evident that respondents have to be made aware a recording is being created but the purpose of the recording and life cycle of the recording are just as important. Since sensitive data and personal data also can be asked, you need to apply the same rules for sound recordings and it must be part of your data flow.
  • Logging calls in software has to be designed properly so as not to spread personal data to places where it should not appear. When personal data appears in log files (bad practice) then you need to pay attention to their life cycle, actually introducing more risks than necessary. 

Disclaimer: This blog was created by Nebu in order to provide a high-level, general understanding of GDPR and should by no means be considered or used as a substitute for legal advice. Nebu does not accept any responsibility or liability for the accuracy, completeness, legality or reliability of the information contained on this blog.