People for Research recently ran its second webinar, this time with a focus on GDPR and how the last six months have affected the way the user research and user recruitment industries handle data and communicate with participants. Our guest this time was expert Ed Boal, Technology and Data Protection lawyer at Gregg Latchams.

With the UX sector constantly evolving and more companies setting up their own research practices every day, this was the right time to go over the last six months and the new data protection regulation. The goal of this webinar was to share expert advice on how to apply the legislation and update your internal policies to make sure you are not only working in line with the law, but also that you are putting the user at the centre of your research process, which can be a massive challenge for any team or company. 

Keep reading to find out the top three tips we shared during the webinar. 

Legitimate reasons to process personal data

If you want to process personal data for any purpose, you need to satisfy one of six legal grounds for doing so, the two most relevant legal grounds being legitimate interest and consent.

+ Legitimate interest

This ground applies where the processing of someone’s personal data is necessary to achieve your legitimate interests or, in the case of an agency, the legitimate interests of the agency’s end client and the processing will have a minimal impact to the privacy of participants. 

Relying on legitimate interest “requires a careful assessment and should be documented through something called a legitimate interest assessment or LIA”, according to Ed Boal. The Information Commissioner’s Office (ICO) provides a sample template online that you can find here.

+ Consent

If recruiting participants for user research, for example, this means obtaining the participants’ permission to get in touch with them, hold their data, etc. This is the legal ground with which most people will be familiar and has always been perceived as the ‘gold standard’ in data processing. However, anyone expecting to use consent as a legal ground should be aware that the GDPR sets the bar very high when defining it – “it must be clear, concise and unambiguous. It must be freely given. It must be specific in relation to the purposes you want to process personal data for and it must be as easy for individuals to withdraw their consent as it was for them to give it in the first place,” says Ed Boal. 

Whether you are working with a user recruitment agency like People for Research or doing the recruitment yourself, this slide offers some useful advice on how to handle consent. 

People have the right to know what happens to their data

If there is a keyword connected with GDPR, that keyword is ‘transparency’. The GDPR requires that “organisations must explain in clear and plain language what personal data they collect, what they do with it, what legal basis they rely upon for using it, who it will be shared with, how long it will be kept and whether it will be transferred outside the EEA [European Economic Area].” 

PFR’s Business Development Director Jess Lewes, who hosted the webinar, says: “It is impossible to run research without generating a lot of data and duplicating that data by sharing information with all stakeholders. At the same time, one of the key principles of the GDPR is that you do not ask for more personal data than you really need, for example, to fulfill the research objectives.” Achieving this balance is the challenge. 

Three useful tips shared during the webinar: 

Jess also recommends taking a look at the workshop Kate Towsey (formerly of GDS and BBC) ran at UX Bristol 2018. “We mapped out all the different things you collect from a user during the research process – from consent forms through to photos of them, and all the different places you might put these things. This will help you to understand who will need access to the data, how you are going to keep track of the elements and maintain their security, and, of course, when it comes to deleting data – actually deleting all the duplicates.” 

It’s important to understand responsibilities

“Identifying the roles of the parties is important, because a controller is subject to considerably more obligations than processors and a controller will generally be liable for a breach of the GDPR, unless it can prove it is without fault,” according to data protection expert Ed Boal. 

These three questions will help you identify who is the controller and who is the processor when working with a third-party: 

+ Who is responsible for recruiting?

+ What method are you using to source people?

+ Who will be capturing data?

If you would like to listen to the complete webinar, hit play on the recording below.

Maria Santos, Head of Digital Ops & Data Protection

If you would like to find out more about our in-house participant recruitment service for user testing or market research get in touch on 0117 921 0008 or info@peopleforresearch.co.uk.

At People for Research, we recruit participants for UX and usability testing and market research. We work with award winning UX agencies across the UK and partner up with a number of end clients who are leading the way with in-house user experience and insight.