This is our second blog in the series introducing GDPR and the implications this new regulation will have on user recruitment and research. This first blog was a brief introduction, so here we hope to provide a more specific guide on what GDPR means.

What needs to be done and how best can companies reach compliance with this new legislation?

🔏 Ensure transparency

People for Research have started to look at changes we need to make in our online documentation and processes in order to comply – in effect data protection by design. By being completely transparent in our approach to data protection we felt that this was the best approach that would be appreciated by our clients and our participants who sign up in large numbers week by week to our database to participate in user research and usability testing.

🔏 Audit your data flow

In order to ensure we are being transparent and have identified any risks within our day to day processes we have spent several hours auditing data flow. Risks can include how you hold data and how secure it is, what you do with it, and how long you need to hold on to it.

🔏 Be prepared to take action

Essentially, we have looked at the risks associated with our data protection – both online and offline and looked to mitigate the risks by taking action accordingly. The key word here is accordingly. The action needs to be equal to the level of risk that you start with and based on what is proportionate to the funds that are available. In some cases we will be spending money on new online automated process and reporting and in others we will simply create an internal awareness and training campaign for all our staff to help build a culture around data assets and data protection.

🔏 Communicate with everyone involved in your data exchange

Back to transparency, People for Research are going to be very clear with clients, employees and our participants about what options they have as far as their data is concerned. We are going to treat them as we want to be treated by others.

This will mean new content areas on the website, guidelines for staff and clients, updates to statements on online web pages outlining what we do with data we collect, updates to email content and consent content and options, new links to privacy policies and updates to those policies. It will also mean updates to security policies related to internal processes both for servers, access to database admin areas and physical access to information assets.

🔏 Monitor your performance

Preparing for GDPR compliance is not a one off task, it involves putting in place new processes which ensure compliance continues. We are planning ongoing audits of our performance, and ongoing training to ensure we get feedback internally.

As we monitor we will need to take into account all our processes as they develop and even new ones. To maintain a high level of compliance we will continue to look to mitigate risks in the best way we can and look at all of our information security measures.

With this in mind we are working with our third party IT partner to develop ongoing Managed Security across our business working towards achieving ISO27001:2013, which is a specification for information security management systems, and the government programme Cyber Essentials.

If you need help and guidance on what GDPR means to your user research programme and how to remain compliant when recruiting users then get in touch with People for Research:



If you would like to find out more about our in-house participant recruitment service for user testing or market research get in touch on 0117 921 0008 or

At People for Research, we recruit participants for UX and usability testing and market research. We work with award winning UX agencies across the UK and partner up with a number of end clients who are leading the way with in-house user experience and insight.