With the launch of the GDPR to be fully applicable in the European Union in May 2018 the research industry in Europe will take a new step to adopt the CO-REGULATION approach proposed by Regulators relative to the personal data processing of data subjects, and relevant in particular for secondary data analysis. EFAMRO and ESOMAR have agreed to cooperate in representation of the research sector to work with European regulators in order to produce a new Code of Conduct, based on the assets of the ICC/ESOMAR International Code, and as defined under article 40 of the GDPR, that sets the mandate in this terms: “The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises..”
This initiative will change the scenario of research regulation and guidelines in Europe, and will also have a progressive effect at the international level, insofar third countries or international organizations acting as controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply the appropriate safeguards including with regard to the rights of data subjects. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of the Regulation, such as with regard to:
  • fair and transparent processing;
  • the legitimate interests pursued by controllers in specific contexts;
  • the collection of personal data;
  • the pseudonymisation of personal data;
  • the information provided to the public and to data subjects;
  • the exercise of the rights of data subjects;
  • the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;
  • the measures and procedures (Articles 24 and 25) and the measures to ensure security of processing (Article 32);
  • the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects;
  • the transfer of personal data to third countries or international organizations; or
  • out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects (pursuant to Articles 77 and 79).
The code of conduct shall also contain mechanisms that enable to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors, and also subject to the tasks and powers of supervisory authorities competent. The new Code will be drafted by industry bodies and submitted to the European Board of the supervisory authority that shall provide an opinion on whether the draft code complies with the Regulation and shall approve that draft code if it finds that it provides sufficient appropriate safeguards. The Board shall then submit its opinion to the European Commission that may decide that the approved code of conduct has general validity within the Union. In such case, the European Commission shall ensure appropriate publicity for the approved codes that have been decided as having general validity. That legal seal of guaranty can be anticipated to become a very strong signal of value in the near future.
The status of the new code of conduct then shall be an extension of the Regulation (GDPR) with relevant application to our industry and will allow those companies and organizations certified and monitored to claim such special status in front of the market. Clients are compelled to work under the GDPR, and they will value and have a preference for suppliers of research that are compliant with the new code of conduct; in particular relative to all processing of data which provenance is from secondary data sources for research and data analytics purposes, Final deadline is still to be defined but 2018 is the reference for the work to be finished in parallel with the self-regulation research guidelines that will keep its worldwide relevance. Enrique_DomingoEnrique Domingo EMB member of GRBN Chair Professional Standards Committee of ESOMAR