Written by Bernhard Witt
Since May 2018, every company using EU-related personal data needs to be GDPR compliant. For many companies outside the European Union, the concept of GDPR is hard to understand. Use the following explanation to avoid problems and penalties, which can be pretty high.
1. Who needs to care about EU-GDPR?
This is pretty simple: every non-private usage of personal data that is related to European persons. Even if your company is located outside the EU, you need to be compliant with the GDPR. Usage means collecting, storing and analyzing data. So if you are doing surveys and use European respondents, your organisation needs to follow the GDPR rules. Similarly, GDPR also applies to data when the data processing happens inside the EU, even if the personal data comes from non-EU persons.
2. What does GDPR mean for companies outside the EU?
While most European companies know more or less about GDPR and their duties, companies outside the European Union are often confused. Under GDPR, every usage of personal data is forbidden unless an exception applies. The exceptions are a set of possibilities and also include the agreement of a person, which is not permanent. But GDPR means not only protecting personal data but also following specific rules and, more importantly, documenting processes. The last point is especially important, as the documentation of processes is part of regular investigations by GDPR authorities.
- Every company needs to create a dictionary that contains formal descriptions of all processes that are related to personal data. The documentation needs to state what personal data is used, how it is used, why it is used and what possible problems might happen when the data is stolen, lost or disclosed to third parties. There are certain kinds of special information that you can only use with the explicit agreement of the person. Examples of such special information are ethnicity, religion, sexual interest and some more.
- Every company must describe the technical and organisational ways to protect personal data. This starts with access control for PCs and data centers and also covers encryption of data. Some important rules for market research arise from this part of GDPR:
  - All personal data must be encrypted during transport. This means that all your survey systems need to use https.
  - In addition to the previous point, personal data cannot be sent via unencrypted emails. While https is more or less a standard for websites, nearly all emails are sent unencrypted. Email encryption is unfortunately still very complicated because the exchange of certificates is not generally regulated. The safest way is not to send personal data via email at all. Use some sort of secure space for uploading data and send the receiver a download link instead.
  - Personal data can only be processed within the EU or in a few other countries. Because of the different way that the USA and many other countries protect personal data, the list is very small. So any service of a US-based company like Dropbox or others cannot be used to store or process personal data. Many hosted survey solutions do not fulfil this need and therefore cannot be used.
- Everybody now has a wide range of rights which you need to fulfil. Every person can request to ...
  - ... get a report from any company, which should contain the personal data that is available about that person. This is usually a big problem because much personal data is not stored centrally but can be spread across different data silos. Imagine all the Excel and SAV files located on different computers in a company's organisation. It can take days of research to find all personal data of a single person. Once a report is requested, it has to be delivered within 1 month.
  - ... delete the available personal data. Although for most companies information is their capital, personal data needs to be deleted if the person requests it. There are exceptions to this rule, but for market research these usually do not apply. (One exception would be that an invoice to a person cannot be deleted, for tax and other legal reasons.)
  - ... restrict the use of personal data. This means that a person can ask you to keep existing data but not to use it anymore.
  - ... revoke already given agreements. If somebody gave a written agreement that their data can be used, it is always possible to revoke this agreement. So you need to be prepared that anybody can tell you to delete the already collected data, even if you had the right to collect it.
Finally, the responsible company is always in charge of proving that it did everything right. Any person could claim that your company does not handle their data in compliance with GDPR, without needing to prove that "feeling". It is the responsible company that has to prove that everything worked correctly. That means you need to follow very strict policies to make sure you can provide that proof.
EU-GDPR is only the first step towards data privacy and protection of information. Once companies know what to do, it is in general easy to follow. Use the 2x4 experience to speed up your GDPR-compliant way of working and avoid the risk of fines and lost trust from your customers and panel members.