GDPR 3 Years On — Data Security in Market Research
In just 3 short years, the EU’s General Data Protection Act of 2018 has obviously revolutionised data security practices around the world for both consumers and businesses. As was pointed out in our other blog on GDPR, this legislation redefined the relationship and balance of power between businesses and consumers when it comes to the collection, manipulation and retention of personal data.
GDPR has skyrocketed the benchmark for data security that businesses have to adhere to across the world, including those in the insights industry. GDPR even sparked similar legislation in other parts of the world with acts like the California Consumer Privacy Act (CCPA). Market research firms like ourselves rapidly adapted when the legislation first came into force, and now those practices are second nature to insight professionals everywhere.
How has GDPR Impacted Market Research?
Data security has always been important to the success of market research, so when GDPR came into existence the insights industry jumped at the opportunity to bring us up to speed and in line with the new regulations.
The three main goals of GDPR are:
- Protecting the rights of users and their data
- Ensuring privacy laws keep up with changing technological landscape
- Create unified and consistent legislation across the EU
The first two were already in line with the thinking behind data security in the insights industry anyway, but to have it laid down in law with an actual deadline spurred all organisations and professionals to review their own security practices to see where they might be lacking more thoroughly than the regular reviews beforehand.
The effect of these new practices meant that all insight teams and agencies had to improve transparency when it comes to data collection, use and retention, as well as clarify explicit consent from research respondents, improve documentation and access to information, and open channels for respondents to object to, change or erase the data businesses use.
So, GDPR impacted many practices and processes in market research, but it also paved the way for new innovative practices too. Because of the increased transparency in the use of consumer data and new protection laws, consumers are starting to become more aware of their rights when it comes to data like this, and so are starting to hold market research companies accountable for how we process and store their data.
Especially now with the advent of video contributions to market research, online video focus groups and more, insight teams now have access to some of the most confidential data customers have ever provided us with, and thus with this level of access to consumers’ everyday lives as well as a visual of their faces, having transparent data security measures and finding ways to securely record and store this prevailing data type is more important than ever.
When it comes to storing this data, GDPR stipulates that insight teams must have a valid reason for retaining consumer data beyond a reasonable timeframe. So, what reasons would insight teams need to keep data for more than a year once the data has been analysed and the insights have been used? Some stakeholders have research projects that span more years than simply one, and that data might be useful for contextual reasons. But outside of this, consumer data should be erased in the period specified by both the ruling data protection legislation.
Data protection officers are now more commonplace even in small research agencies if they handle large enough quantities of data. They have significant roles to play in ensuring the compliance of data protection practices and policies, setting the standard and maintaining the level of understanding across all members of the organisation who come into contact with this type of data. With data protection or information security officers such as our own, they are also the dedicated people in the organisation to make sure the firm is compliant with certificates like the ISO 27001 and Cyber Essentials, which are becoming more and more in demand by both research clients and respondents.
These are only a few of the many ways GDPR and recent data security acts have impacted market research. But with awareness continuing to grow and new channels for data collection become available, there is always more insight teams can do to take advantage of new opportunities while protecting consumer and client data to the best of our ability.
The Future of Insight-Based Data Security
The future of data security in our industry will depend a lot on the level of technological integration the insights industry adopts throughout the coming years.
The increasing adoption of smart technology for example means that market research has the chance to adopt a new data collection channel, but even passively they are currently contributing to the data collection for some big companies such as Amazon, Google, and Apple. This data is relatively unprotected and unknown to the general consumer who, even though they are starting to become more aware still do not know enough about their rights to know where to start when researching how these new technologies will impact their daily lives.
But the future will also depend on the level of knowledge that insight teams, clients and consumers obtain. Consumers deserve to be fairly compensated for their contributions but how can they go about requesting this when they don’t know enough to keep up with the rapidly evolving technological environment they’re living in? We are living in an age where a large number of users will still unfortunately use “P4ssword!” or a similar variety as their log in passwords, even while data security awareness grows. It might be a good idea to educate them further on how to be safe while technological advancements dominate the market.
As the research industry continues to market themselves as a safe haven for insight generation, we will need to adhere to the security measures our clients want as well as the measures put in place by law to protect consumers. Without our clients the industry will not be able to function for long.
But outside of general speculation and estimation, we really cannot know what the future of data security in the market research will throw at us, all we know is that we need to be prepared to adapt as quickly as we did when faced with revolutionary GDPR.
This article was originally published on the FlexMR Insight Blog and can be accessed here.