Data Protection & Information Security Archives - GRBN.ORG

GDPR Research Code Update

GRBN_News — Wed, 15 May 2019 06:56:15 +0000

Almost one year on from the implementation of the General Data Protection Regulation (GDPR), regulatory authorities across the EU, have turned their attention to the promotion of Codes of Conduct, new sector-driven GDPR accountability tools. EFAMRO and ESOMAR, working together with national associations across the EU, support the focus on this initiative. We are drafting a new Code, to help us maintain public trust in the research and analytics sector and assist research organisations in their compliance efforts. As you would be aware the sector is currently grappling with several complex data protection issues such as:

What is the best lawful basis (processing ground) for research studies?
Who is the controller and/or the processor?
When must you name the client in a research project?

all of these have proven to be key privacy talking points with a range of viewpoints on the best approach. The GDPR Research Code should allow us to resolve these issues and speak with a consistent voice. For research organisations, signing up to the Code will bring multiple benefits by:

assisting micro, small and medium sized organisations to comply with the extensive privacy requirements; and
providing tailored sector specific tailored guidance.

For organisations based outside the EU, this new Code will provide a powerful and effective tool to help them with their cross-border data transfers between EU and non-EU countries. It will serve as an approved legal mechanism (together with binding legal commitments) for data transfers. Clients, customers and regulators will also benefit from the clear compliance signal provided by those who voluntarily decide to sign up to the new Code. Both the European Data Protection Board (EDPB) and the UK’s Information Commissioner’s Office recently published guidance to help sector associations develop Codes of Conduct. The indicative timelines are that it will be at least Autumn 2019 before the guidance is finalised and EU wide Code submissions to regulatory authorities can begin. We in the research sector hope to be in the first tranche of approved sector Codes. Wide consultation with sector players and consumer representatives will be important in designing a robust fit-for-purpose code. We are interested in hearing from a range of organisations on the issues so if you would like to learn more about this initiative please contact us info@efamro.eu. Dr Michelle Goddard Director of Policy & Communication EFAMRO

The post GDPR Research Code Update appeared first on GRBN.ORG.

What Has Been Learned From Data Gurus So Far

GRBN_News — Mon, 13 Aug 2018 06:20:41 +0000

Data Gurus is a podcast that I launched this year to help our industry navigate the changing data ecosystem together. My mission is to bring you real-life perspectives on what’s happening in the industry and how successful companies and individuals in this niche navigate through the sea of change. Although the lines seem blurred in terms of where we are going there some common themes that have emerged throughout many of my podcast interviews. Here is brief summary below.

Brands are embracing new sets of data. Brands are embracing and empowering the use of all types of data that is accessible to them. These leaders are driving the change to diversify data portfolios, challenge teams to remain objective and find the right data sets aligned to drive business decisions (https://tinyurl.com/raviparmeswar). Proctor and Gamble tests and researches new product concepts five years prior to launch (https://tinyurl.com/tiamaurer). In order to maintain agility and budgets, DIY solutions are integral in P&Gs new product research. In addition, Tia Maurer shared that P&G uses behavioral data to create a deeper understanding of consumer behavior versus stated intentions. Lastly, Joe Catling of Relish Research shared that as we move more into the data economy, clients are integrating existing data sets with their own in house data. This linkage of data across different departments provides an opportunity within client organizations to work across functions breaking down silos (https://tinyurl.com/joecatling).

Measuring return on investment for research even more critical now.– Insights professionals and other research professionals within client organizations are being challenged as new entrants of data scientists and management consultants deepen their presence in the client organizations. As a result, there is even greater focus on supporting and helping researchers create a way to justify and measure the return on investment in research. Providing a framework of how to measure the return on investment in research ensures that research is linked to business results. GRBN and Cambiar consulting have announced a partnership in which they have created a framework and approach to help researchers measure the return on investment on research spend. Details for the framework are available in my interview with Simon Chadwick of Cambiar Consulting (https://tinyurl.com/simonchadwick).

Respondents are real people. -The participants who take surveys are central to our ecosystem. In my interview with Roddy Knowles of RNOW-SSI (https://tinyurl.com/roddyknowles), we talk about how critical it is to ensure we continue to advocate for people who participate in our surveys. There is a vital role in which artificial intelligence and automation can play to customize the experience for different participants. Certainly, there is a strong awareness of these topics and groups and initiatives that are forging the path forward. GRBN has developed a concrete solution that engages brands, market research agencies and panel/sampling providers to work together. SampleCon has facilitated and advanced the conversations. Most recently, CASE (The Coalition for Advancing Sample Excellance) has also focused on developing solutions. During this time, there are different trade-offs that clients are making. Perhaps smaller sample sizes for higher prices to ensure better quality. Others believe that blockchain technology will be creating the transparency needed to ultimately shift the economics and control back to the participants.

GDPR and consumer privacy topics are on the rise. –This has been the core topic across our industry given the GDPR compliance deadline of May 25, 2018. Although the policies do not apply to US citizens, there is certainly heightened focus on informed consent for participants in research. My talk with Ray Poynter (https://tinyurl.com/raypoynter) brings to light the implications for GDPR on the research industry both here in the US and in Europe. Within the US, there is no regulation currently to date on standards for consumer privacy. During my talk with Annie Pettit (https://tinyurl.com/anniepettit) we discuss if we can truly self regulate as an industry, since it only takes one bad actor to create chaos.

***

Written by: Sima Vasa Infinity Squared Ventures

The post What Has Been Learned From Data Gurus So Far appeared first on GRBN.ORG.

Market Research Industry in Australia Cracks Down on ‘Shonky’ Behaviour

GRBN_News — Mon, 23 Jul 2018 08:15:51 +0000

The Association of Market and Social Research Organisations (AMSRO) today launched a new digital platform ‘Phish of the Day’ (www.amsro.com.au/phishing) to highlight fake or illegitimate research activities to the public. “AMSRO believes it is incumbent on the market and social research industry in Australia to take a more proactive stance in order to protect the public from unscrupulous operators, if we are to expect ongoing co-operation from the public, whose opinions are the lifeblood of our industry,” said Craig Young, AMSRO President. “The recent Facebook and Cambridge Analytica scandal and the Banking Royal Commission’s findings of misconduct, both send a clear signal that trust and accountability are central issues for the general public and company leaders. And, whilst our member organisations take every possible precaution to protect consumer data and are bound to act in an ethical manner, unfortunately, fraudulent activity occasionally targets research companies. “Our new ‘Phish of the Day’ site is designed to work with member organisations, the public and regulators to protect people’s personal information and member companies’ reputations by targeting ‘shonky’ operators to ensure that Australians can feel confident when they provide their opinions on the matters that affect them,” Young said. A majority of fake research is undertaken to sell products or services (referred to in the industry as ‘sugging’). Phish of the Day enables AMSRO members, as well as the general public, to report any scams or non-genuine market and social research activities to the Association. These might include telemarketing or sales activity masquerading as face to face, telephone or online interviews. AMSRO will then investigate any reported non-genuine research conduct and, depending on the severity and nature of the issue, may attempt to work with the organisation to improve their operational practices so they comply with relevant legislation; or report them to relevant federal or State/Territory regulatory or enforcement bodies. AMSRO also has the power to discipline its own member companies for inappropriate research conduct, including expulsion for serious offences. AMSRO member companies have a long and successful track record in safeguarding respondent data and continue to conduct legitimate research working under strict privacy rules that protect confidentiality and prohibit any selling. In 15 years of operating under Australia’s first and only Industry-specific Privacy Code, AMSRO members have not had a single breach upheld. Personal information for market and social research (conducted by AMSRO member organisations) is collected only with consent and under strict codes and practices. This includes a registered privacy code and an industry ‘Trust Mark’ – a seal of endorsement that assures business and government organisations they are buying research that is quality-tested and meets not only ethical standards but also goes over and above minimal privacy legislation. Members working under the industry Trust Mark:

Work under Australia’s first and only registered Australian Privacy Principles (APP) Industry Privacy Code, enshrined in Australian law
Have an independent annual audit for ISO (International Organisation for Standardisation) certification
Adhere to the Industry Code of Ethics.

Research plays an important role in society with surveys often used to identify and measure community knowledge, attitudes and behaviours, which then inform government policy and commercial business decisions. AMSRO member organisations are very aware that any business handling personal information needs to be conducted by experienced and trusted users of data. Phish of the Day builds on the safeguards already established by AMSRO to ensure Australians ‘have a voice’ in matters that affect them. For more information please contact: Rochelle Burbury Third Avenue Consulting 0408 774 577 rochelle@thirdavenue.com.au Sarah Campbell Executive Director, AMSRO (02) 8017 6717 sarah@amsro.com.au

The post Market Research Industry in Australia Cracks Down on ‘Shonky’ Behaviour appeared first on GRBN.ORG.

Trust Generation: The Must Have Asset When Dealing With People’s Private Information

GRBN_News — Mon, 23 Jul 2018 07:31:38 +0000

Before the first self-service grocery store, Piggly Wiggly, opened in 1916 in Memphis, Tennessee, customers had to give their shopping lists to clerks, who would then pick out the goods. It was a personal interaction in which the clerk developed a deep knowledge of the customers preferences. The act of shopping became to some extent anonymised. The introduction of the scanner on the 26^th June 1974 in Marsh Super Market, Troy (Ohio) introduced detailed shopping information at a large scale. Later on, without losing anonymity, shopping lists became more personal again with the introduction of the Loyalty Cards in the 1990s (Kroger, Safeway, Tesco). With Loyalty Cards, retailers were able to establish a personal relationship with customers at a massive scale. Furthermore, a new turn of the screw was brought by e-commerce and predictive model, which use all sorts of individual-specific details. Until very recently, market researchers have almost exclusively interacted with respondents in a pre-Piggly Wiggly model: a one-on-one relationship between the researcher and the survey participant. Following the ICC-ESOMAR ethics code, personal information is consistently removed. It is very easy to separate personal from declared data and get an anonymised sample for analysis. However, technology disrupted this peaceful model. Researchers live in the digital world as well as their subjects of analysis. The more our lives get digital the more the data collection must be digital. If researchers want to holistically understand their customers they need to know what they do on their desktops or mobile devices in terms of online searches, browsing or apps usage. Furthermore, data related to their environment such as geolocation or audio detection and matching is also gathered to complement the analysis. Thus, we can say that in the last 10 years researchers have faced the challenges retailers experienced in 90. Survey and behavioral data complement each other, providing a 360º view of the consumer: opinion and behavior. But they are radically different regarding anonymity. While PII can be easily removed from survey data, it is deeply embedded in clickstream behavioral data (a collection of visited URLs), geolocation or audio detected data. A simple inspection into it makes it possible to identify 85% of the users (“How to protect privacy in Big Data”, ESOMAR 2016). In fact, browsing data from two users sharing a device can be easily separated by simply inspecting clickstream data (“Who is who with behavioral data”, ESOMAR 2017). The variety of datasets available in the market encourage the collaboration among different companies. The challenge in sharing clickstream data with third parties is to avoid violating individual’s privacy rights, as defined in the GDPR. This intricacy must be tackled from two different angles. On one hand, a refined Machine Learning model must be capable of masking all PII information. And on the other hand, this model can only be successful as long as companies are trustworthy enough to make people as long as share their personal information without hesitation. Joaquim Bretcha Netquest

The post Trust Generation: The Must Have Asset When Dealing With People’s Private Information appeared first on GRBN.ORG.

EphMRA Joins Forces with MRS to Deliver Policy and Professional Standards Services

GRBN_News — Mon, 23 Jul 2018 07:21:46 +0000

Global healthcare market research association, EphMRA, today announces it has partnered with MRS to enhance its Code of Conduct and develop professional standards services for its members. EphMRA aims to inspire and empower members to influence decision through expert advice and insights to help drive business performance and gain competitive advantage. MRS will advise EphMRA on its current healthcare-specific Code of Conduct and assist in drafting the annual update to reflect new data protection and privacy legislation; this will include further incorporation of the EU General Data Protection Regulation (GDPR). MRS will also advise EphMRA on the expert guidance it offers its members for the interpretation and application of the code. The new partnership extends MRS’s portfolio of work with international trade associations to promote ethics and standards within market research and analytics. This includes the provision of professional standards to the European Research Federation (EFAMRO), which represents the commercial interests of research agencies at the European level. In addition, major international research markets including the Netherlands, Singapore and Australia have adopted the MRS Fair Data scheme; a trust mark for organisations which collect, use and retain personal data properly and ethically. As well as partnering with MRS to access the latest policy and ethical standards, EphMRA, has signed up as an associate member of the Global Research Business Network (GRBN) – an important global network which seeks to promote and advance the position of research along with regional federations and national associations. Jane Frost CBE, CEO of MRS, comments: “MRS is widely recognised for its ethics, policy and professional standards expertise. Interpreting policy, creating and upholding the highest standards is fundamental to researchers’ ability to engage participants and undertake robust and ethical research. This is never more-true than when working in healthcare which relies on access to some of the most personal and sensitive data. We are delighted to be working with EphMRA to support them in maintaining the highest standards in policy and ethics, which further strengthens MRS as the centre of global excellence for research and data standards and policy.” Karsten Trautmann, Merck KGaA and EphMRA president says: “This new alliance with the MRS further strengthens the position of EphMRA as the centre of excellence for healthcare market research and business intelligence. The landscape of compliance is constantly changing, and our members need to keep up to date in order to ensure they are offering the highest level of service to their clients.” Ends Notes to Editors About MRS

The UK is the world’s second largest research market.
With members in more than 60 countries, MRS is the world’s leading research association.
It has a diverse membership of individuals at all levels of experience and seniority within agencies, consultancies, support services, client-side organisations, the public sector and the academic community.
MRS represents 80% of research agencies who commit to, and are regulated by, the MRS Code of Conduct to ensure professional and ethical research of the highest standard of excellence.
In 2013 MRS launched the Fair Data trust mark that demonstrates which organisations handle their customers’ personal data fairly.
MRS is the global leader in research qualifications and training.
Winners of the Launch of the Year prize at the International Content Marketing Awards 2013 for Impact magazine, the quarterly publication of the Market Research Society and sister title to Research-live.com.

About EphMRA

Its overall aim is to inspire and empower members to influence decision through expert advice and insights to help drive business performance and gain competitive advantage.
EphMRA is the hub for excellence to empower members to become the business partner of choice in providing insights and expert advice.
Creating a healthcare market research and analytics community that defines, develops and shares best practice.
Continuously developing and strengthening the core competencies that allow members to achieve excellence as business partners and expert advisers. Excellence means that EphMRA sets the gold-standard in healthcare market research and analytics and continues building excellence by focusing on core competencies that relate to the strategic components of market research, data and analytics and business insights. This includes primary and secondary market research, forecasting, data analysis, competitive monitoring, KPI performance specialists etc.
Furthermore, EphMRA will provide expert guidance to its members on healthcare market research and analytics standards and ethics.

For further information, please contact: Emma Molton / Harriet Crosby Camargue, on behalf of MRS +44 (0)20 7636 7366 emolton@camargue.uk / hcrosby@camargue.uk Bernadette Rogers General manager, EphMRA generalsecretary@ephmra.org

The post EphMRA Joins Forces with MRS to Deliver Policy and Professional Standards Services appeared first on GRBN.ORG.

Fair Data in a Climate of Distrust

GRBN_News — Mon, 18 Jun 2018 07:36:09 +0000

In this article first published in AMSRS Research News, Kerry Sunderland looks at the potential impact on market and social research companies and how Fair Data is part of the solution in the wake of the recent Cambridge Analytica/Facebook and Google personal data harvesting scandals. Revelations that Cambridge Analytica misused Facebook members’ personal data and more recent allegations from fellow tech giant Oracle that Google has been extracting Android mobile users’ data at the customers’ expense are just the tip of a massive iceberg, according to digital futurist Chris Riddell, who will be delivering a keynote at this year’s AMSRS Conference. ‘These recent high profile data protection scandals represent the biggest crisis Silicon Valley tech companies have ever faced and it’s not going to go away anytime soon,’ Riddell says. After it emerged that Cambridge Analytica had harvested personal data from approximately 310,000 Australian Facebook accounts, the Office of the Australian Information Commissioner (OAIC) launched a formal investigation into the behemoth. The formal investigation was, according to acting Privacy Commissioner Angelene Falk, a “timely reminder to all organisations of the value of good privacy practice to Australians.” Meanwhile, the Australian Competition and Consumer Commission (ACCC) has confirmed it will investigate reports Google harvests huge amounts of data from Android phones after the software company Oracle contacted the regulator. ‘The ACCC met with Oracle and is considering information it has provided about Google services,” ACCC chairman Rod Sims told The Guardian. ‘We are exploring how much consumers know about the use of location data and are working closely with the privacy commissioner.’ Google immediately denied the allegations but Riddell believes the theory is credible.

‘The majority of tech companies have been harvesting our information for years, some more legitimately than others. This is massive. It will be the most defining topic of 2018 for business. Companies will die if they get this wrong.’

Both cases follow numerous other breaches, stories, articles, policies, campaigns, programmes and reports that have steadily eroded over the past decade the public’s trust in the way corporations and governments manage personal data. What makes these recent scandals more volatile is that tech industry insiders are beginning to speak out, both to expose misdeeds and to corroborate them. Oracle may appear to have a vested interest as a competitor but it’s not as simple as that. ‘The lines have blurred,’ explains Riddell. ‘Competitors can also be partners and customers these days.’ When asked whether he agreed this was the biggest crisis yet for Silicon Valley, former Facebook CEO for Australia and New Zealand Stephen Scheeler said, ‘On the one hand, I’d agree. These stories are of greater scale and have been subject to more scrutiny by both the public and regulators. But Facebook and Google have probably had bigger, more existential crises in the past. I think it’s a good thing [that we’re focusing on these breaches]. It reflects a new consciousness about people’s rights.’ While there has been some debate about whether, beyond Facebook investors, tech commentators and Twitterati, the general public care very much, there is evidence to suggest they do. The mainstream media has seized upon the recent scandals, amplifying the claims levelled against its apparent competitors, but the general public has also played a role. ‘There’s been a huge wave of people sharing the stories online,’ Riddell says. The UK’s Market Research Society CEO Jane Frost agrees that privacy is important to consumers. ‘Our research continues to show a very low level of trust with handling of data. Trustworthy use of data is the number one priority for consumers.’ MRS UK published a significant report this year titled How technology impacts consumer trust following on from its 2015 report, Private lives? Putting the consumer at the heart of the privacy debate. The most recent report concluded that security of personal data was the largest single driver of trust. Respondents placed this at number one in six of seven sectors. This shows that the impact of news stories into data breaches, or their personal experience of it, affects with whom they choose to do business. The report has also attracted media attention, with the headline,

‘[Facebook founder Mark] Zuckerberg you’re wrong, kids are worried about their privacy’.

What’s more, the report found, young people punish sloppy data handling the most. While he believes it’s a discussion that’s needed, Scheeler argues we’re probably not quite ready. He believes more education is required. ‘A couple of hundred years ago, capitalism was still in its infancy. There was a very different concept of property rights then compared to now. If you asked people how they would respond if someone walked into your house and stole your toaster, 100 per cent would say it’s a crime. If you were asked about a speed camera taking your photo, it’s unclear who owns the data. You wouldn’t get the same consensus about personal data.’ Where the impact will be felt According to a study from tech research firm Techpinions, nine per cent of American Facebook users reportedly deleted their accounts in the first few weeks after the Cambridge Analytica story broke. Across the Atlantic, five per cent of Brits reportedly left Facebook immediately with a further six per cent saying they intended to delete their accounts. However, Frost says that while consumers say privacy is one of their biggest priorities, the Cambridge Analytica scandal appears to have had less influence on usage than originally thought. It has, however, driven down share prices and will continue to have an impact on regulators, opinion formers and budget holders. Riddell predicted that, following in the footsteps of Cambridge Analytica, there would be other companies closing down by the end of this year. ‘Although it’s unlikely to be the major players like Google and Facebook, second tier companies who are in the business of buying and using personal data and who have been misbehaving will not exist at the end of the year. ‘Businesses should not misunderstand how critical this is to get right. This behaviour dates back years, not just the last six to 12 months. We are entering a new era, when long complicated fine print doesn’t cut it anymore. ‘By God, be transparent and go above and beyond in showing your customers what you do with the data. You can’t default to T&Cs. You can’t just give customers the option in settings. Show them what you are doing with use.’ Frost agrees, saying that when it comes to privacy terms and conditions, most companies are still writing the equivalent of Shakespeare’s Hamlet.

‘It’s obvious that consumers cannot be expected to read Hamlet every time they want to use a digital service. Take for example, the terms and conditions on Ancestry.com. You have to be a lawyer to work out that your DNA can be used in perpetuity.’

Where Fair Data fits in ‘Anyone interacting with a customer day-to-day has to think about the fact that it’s not their data, it belongs to the customer,’ says Frost. ‘Technology has potential to make criminals of us all. Getting our own house in order is critical – we’re pre-emptively doing the right thing.’ Fair Data is an attempt to do just this. Launched in the United Kingdom in 2013, it has now been adopted in the Netherlands, Singapore and, most recently, Australia. Australian Market and Social Research Society President Vicki Arbes explains: ‘Companies that achieve accreditation can display the Fair Data mark to signal to the public best practice handling, usage and storage of customer information. Fair Data is an international standard that for the first time establishes a public facing mark to reassure consumers that the research is carried out honestly, objectively and with respect for the participant.’

Would the Cambridge Analytica scandal have happened if Facebook had been Fair Data accredited? Absolutely not, says Arbes.

The local launch of the Fair Data consumer ‘mark’ in February was deliberately timed to coincide with new changes to Australian privacy legislation. It proved to be even more fortuitous timing when only a few weeks later the Cambridge Analytica scandal was reported. After the revelations gave rise to the hashtag #deleteFacebook, Zuckerberg published full-page apologies in American newspapers and was called to appear at a joint hearing in the United States of the Senate Judiciary and Commerce committees. Riddell says Zuckerberg’s appearance in front of the US Congress demonstrates that self-regulation alone doesn’t work. ‘It’s a wake up call for governments – their relevance is being challenged. Some of the questions senators asked Zuckerberg prove how out of touch they are in understanding how technology is changing. There’s a massive gap in understanding. Regulation is needed. Companies need to know they’re going to be penalised.’ Scheeler also believes the regulators – and industry bodies – have a role. ‘It’s unchartered business and ethical territory and it shouldn’t be left to Facebook, Google or Amazon. It’s unrealistic to expect them to have all the right answers, although every company has a responsibility to comply with all relevant legislation, privacy included.’ Fair Data puts in place safeguards that exceed legislative requirements. Both Riddell and Scheeler agreed that Fair Data could be part of the solution. Those working in the market and social industry know there is a discernible difference between consciously completing a finite questionnaire and having your messages and calls tracked sans permission, but do consumers? Riddell is unsure they do, but he can see the benefit of being Fair Data accredited.

‘If you are a business that wants to go over and above [the legislative requirements] here is your time and here is the moment when you will be in demand. This is what customers want. Ultimately this is the way industry needs to go.’

AMSRS has backed the Fair Data accreditation to demonstrate its members’ commitment to safeguarding privacy and protecting data. Fair Data accredited companies agree to 10 principles, which are audited by a third party certification body annually. All Australian suppliers and clients are eligible to apply, not just AMSRS members. ‘The Fair Data accreditation quickly demonstrates that companies you deal with can be trusted to use personal data fairly,’ adds Arbes. ‘It means you don’t have to read dull and lengthy T&Cs to find out if you’re protected.’ Accreditation, however, does take time – so companies are encouraged to apply for accreditation sooner rather than later. Frost points out that many tech giants were scrambling to comply at the last minute with the European Union’s new General Data Protection Regulation (GDPR), before it took effect on 25 May – despite the two-year transition period.

‘It’s astounding how many companies were not GDPR accredited only a couple of weeks before it came into effect.’

Frost said that when it comes to Fair Data, many companies think they’re meeting the requirements but they discover otherwise when they do the first walk through. ‘For example, it’s amazing how many people still do not use BCC and CC all.’ Kerry Sunderland, Freelance Writer Note: Research News spoke with Chris Riddell after he’d finished an interview on ABC Radio, just after the Google story broke. Later that day, and he appeared on Channel 10’s The Project. Listen to/watch these interviews at www.chrisriddell.com Sources: http://www.dailymail.co.uk/sciencetech/article-5609425/New-study-shows-1-10-Americans-deleted-Facebook-accounts.html#ixzz5D5C2qoRP https://www.campaignlive.co.uk/article/one-20-brits-delete-facebook-accounts-cambridge-analytica-scandal/1460836#AWmpTVxcfT44I14M.99

The post Fair Data in a Climate of Distrust appeared first on GRBN.ORG.

Answering Your GDPR Questions – Advice on Unintentionally Housing EU Data?

GRBN_News — Mon, 18 Jun 2018 07:02:07 +0000

We were asked recently: “Have you any practical advice to US MR firms who don’t have an EU presence but may unintentionally be housing EU data (e.g., somebody gives me a sample of customers and some of those folks are in the EU)? We’ve got our US Privacy Shield in place but not sure that’s enough.” Dr Michelle Goddard, Director of Policy & Communication, EFAMRO, answers: The scope of GDPR responsibilities depends on role played and whether the agency is acting as a data controller or data processor. In this case where the sample has been passed by the client then the client is likely to be the data controller and the agency the data processor. From this it follows that:-

Obligation is on the agency as the data processor to advise the data controller client that they may be holding and processing EU data so that the client can exercise any obligations/responsibilities that they may have regarding this.
EU-US Privacy Shield is currently an adequate mechanism for transferring/processing personal data of EU residents so agency can provide assurances around security etc of data but the client has lead responsibility for ensuring compliance with GDPR

Interested in more GDPR advice? Check out these two webinars given by Dr Michelle Goddard on the topic: Webinar: EU Data Protection Reforms: Ten Things Researchers Should Know Webinar: EU Data Protection Reforms: Some practical compliance steps

The post Answering Your GDPR Questions – Advice on Unintentionally Housing EU Data? appeared first on GRBN.ORG.

Three Steps to GDPR Success

GRBN_News — Mon, 21 May 2018 14:21:43 +0000

Zlatko Vucetic from FocusVision outlines the three questions every research team needs to ask themselves Over the past decade we have watched marketing become ever more sophisticated and targeted. From market research, audience mapping, location-based advertising and 1:1 engagement, the path to purchase for brands has been entirely focused on learning (and acting on) deep customer and behavioral data. Knowledge was power and data reigned supreme.

Enter the GDPR

The GDPR streamlines privacy laws across all EU states and will impose much more significant fines on any company found to be breaching the directive – up to $24 million or four percent of global annual revenue, whichever is greater. There is serious house-cleaning across the Atlantic n advance of the May 25 deadline but, despite the many column inches devoted to the subject here in the U.S. the same sense of preparation is not as palpable. Anyone monitoring or gathering information from consumers in the EU, via the internet will need to comply – whether based in the EU or not. For those in the research and insights industry there are a few more steps to ensure that you stay on the right side of the regulation.

Is your community compliant?

Speak to all of your service providers, suppliers and partners to ensure that they have conducted data mapping exercises to resolve any potential points of failure. Certifications, terms of service and privacy statements will determine that they have implemented any necessary product changes (including enabling deletion of data). You may not be your partner’s keeper but a GDPR misstep by an organization you’re working with can quickly impact you too.

Where is my data coming from?

Beyond the myriad methodologies and suppliers needed to deliver a project to deadline and within budget, anyone leading an insights study will be considered to be a Data Controller under the GDPR. A Data Controller is the individual who determines the purposes for how and why personal data is processed. In contrast, Data Processors include any organization that collects, stores or analyzes personal data under the instruction of the Data Controller. Either role you are also assuming responsibility for compliance with the GDPR legislation and the provision of information to individuals about whom you hold personal data among others.

What constitutes Personal Identifiable Information?

Two pieces of personal information must be combined to create what GDPR considers Personal Identifiable Information (PII). GDPR now considers an IP address as one source of information, which can be combined with something like name, date of birth or home address to become PII. As part of any insights study, the team must ascertain whether the research findings contain PII? At every stage of the research, the lead must ensure tight control of the research data and findings. The GDPR constitutes the biggest revolution to data privacy in over a generation but, companies that already adhere to best practices will already be well positioned. Asking the three questions above will ensure you can still have access to the dat you need without exposing your team or business to potentially expensive risk.

The post Three Steps to GDPR Success appeared first on GRBN.ORG.

Updated GRBN Privacy and Cookies Policy

GRBN_News — Mon, 21 May 2018 14:20:49 +0000

We have updated our own Privacy and Cookies policy. Please take a moment to read it through.

The post Updated GRBN Privacy and Cookies Policy appeared first on GRBN.ORG.

GDPR, what you need to do – Part 2

GRBN_News — Mon, 04 Dec 2017 06:56:44 +0000

The General Data Protection Regulation will come into force in all of the 28 Member States of the European Union (EU) on 25 May 2018. This will herald a significant change in the regulatory landscape for data protection giving EU citizens greater control of their personal data. The new Regulation directly affects both EU and non-EU based businesses as it applies to organisations processing and holding personal data of data subjects in the EU, regardless of the organisation’s location.

so what should you be doing ?

Due to the wide scope of GDPR it will cover more many more businesses than before. If you have not already started getting ready, with 6 months to go before implementation, you need to be getting ready now. So where do you start…? (If you missed them, you can read tips 1 to 5 in the first article here)

Determine if you need to appoint a Data Privacy Officer (DPO). These are required when:
1. Core activities require regular and systematic monitoring of data subjects on a large scale or
2. Large scale processing of sensitive data

Research organisations generally collect personal data, including sensitive data, as part of their core activities, and they do this on a large scale so a DPO is likley to be needed by research organisations. MRS has some guidance on appointing DPOs.

Build an organisation wide comprehensive privacy compliance programme and structure to ensure that all the necessary activities are completed.

Prioritise all areas within your business which have the highest risk and highest potential impact on your organisation, including areas with he highest fines such as consent, sensitive data and compatibility of systems with new rights.

Start undertaking Privacy Impact Assessments (sometimes called Data Protection Impact Assessments) for your activities. This is how privacy by design and default becomes embedded in your corporate thinking. These assessments should describe your data flows and identify and minimise compliance risks. As a minimum the Assessment should include:
1. A description of the envisaged data processing
2. An assessment of the need for processing and risks to the data subjects
3. Measures to mitigate these risk and to ensure GDPR compliance.

And lastly prepare for breach notifications. Set up internal procedures and strategies for data breach notifications, and processes for detecting breaches.

Debrah Harding Managing Director, MRS

The post GDPR, what you need to do – Part 2 appeared first on GRBN.ORG.