The General Data Protection Regulation (GDPR) is creating a lot of additional work for most businesses, even those who, like PFR, act responsibly and look after their users’ data. Although we have been talking more about it in the last few months, we have actually been getting our heads around what GDPR is and how it differs from past data protection legislation since last summer.

We have already written a blog introducing and outlining a few general things you can do to prepare, and now we have put together some tips related specifically to user recruitment and research.

Using an external recruiter?

People for Research are different to a lot of companies who offer user recruitment: all our recruitment is conducted by the team based in our Bristol office, therefore we can easily reassure clients that we have appropriate processes in place.

If you are not working with us, here are some top tips to help you determine if your user recruitment supplier is compliant or not:

1. Ask your recruiter who is screening participants, if they are compliant, and how they are managing the data exchange between all parties involved – the more people involved, the higher the potential risk.
2. Check what data they will be capturing on your behalf.
3. Ask how they store participant data and if this is secure.
4. Check how they intend to share data with you and whether this is in line with your own GDPR policy.

All companies should have their own data protection or GDPR policy by 25th May, which you may ask to see.

Recruiting from a list of your customers?

Having ready access to a customer base can be really handy and a cost-effective way of setting up testing or research with people who are using your service. However, the fact that someone is a customer doesn’t mean they have consented to participating in research or to being contacted by your company about it.

We wrote a slightly longer and more detailed blog post about this last year. You can read it here, but for now here are our top tips:

1. Be transparent
2. Ask your customers to opt-in
3. Manage opt-outs properly
4. Make sure you get voluntary informed consent

We recommend anonymising data before you transfer it as this reduces any risks significantly. If you do need to transfer data specifically for the research session, then do so using a secure data transfer service.

Are you an agency working with an ‘end client’?

Many of our clients are agencies who work closely with their clients and have stakeholders come along to view their research and testing. This process involves revealing some information about the participants ahead of, or during, the research session. Often this is to make sure that the relevant participants are being included in the research.

Some top tips:

1. Anonymise personal data by removing identifiable data such as name and email address from the participant data, unless these details are essential for the research project.
2. Ensure your client is aware of your data protection policy and that they understand and comply with their own policy.
3. Use a tool – such as SharePoint or Google Drive – that limits access to shared documents unless the user logs in. This reinforces the idea of responsibility, as it is possible to view a log of who has viewed or changed the data in any way.
4. Set expiry dates on documents; again, this is something SharePoint allows you to do.
5. Inform participants how their personal data may be used during and after the research session and do this before the session takes place. It is good practice to get informed consent from the participant.

The key is to be transparent and clear, so if, for example, you require participants to sign a non-disclosure agreement, perhaps include information in the agreement confirming how you are going to handle their data. Everything should be written in clear language that is easy to understand. We always advise sending non-disclosure agreements to participants, so they can read the document ahead of the research session.

Recruiting vulnerable participants?

Certain categories of data require more protection; this type of data may be required when recruiting for certain types of projects. For example, we support certain government departments who run research with people living and working in the UK on certain types of visa or with disabled people.

The Information Commissioner’s Office (ICO) has listed all categories that come under this section of the GDPR and we recommend taking a look.

It is essential that you are aware of what comes under this, that you take the right precautions to protect this data, and that you gain explicit consent from the participant to process it. ‘Explicit’ means that the participant understands that you have captured this data, is aware of how you will be using it, and takes positive action to give their consent.

These are just some tips that you can use as a starting point based on queries we have had from clients. We are currently working on more comprehensive guides to share with our clients, so keep an eye on our blog and social media channels like Twitter.

If your team would like further support on what actions you can take to be compliant with GDPR and you think People for Research can help, please get in touch by emailing



If you would like to find out more about our in-house participant recruitment service for user testing or market research get in touch on 0117 921 0008 or

At People for Research, we recruit participants for UX and usability testing and market research. We work with award-winning UX agencies across the UK and partner up with a number of end clients who are leading the way with in-house user experience and insight.