How the first six months of GDPR changed user research & recruitment
People for Research recently ran its second webinar, this time with a focus on GDPR and how the last six months have affected the way the user research and user recruitment industries handle data and communicate with participants. Our guest this time was expert Ed Boal, Technology and Data Protection lawyer at Gregg Latchams.
With the UX sector constantly evolving and more companies setting up their own research practices every day, this was the right time to go over the last six months and the new data protection regulation. The goal of this webinar was to share expert advice on how to apply the legislation and update your internal policies to make sure you are not only working in line with the law, but also that you are putting the user at the centre of your research process, which can be a massive challenge for any team or company.
Keep reading to find out the top three tips we shared during the webinar.
1. Legitimate reasons to process personal data
If you want to process personal data for any purpose, you need to satisfy one of six legal grounds for doing so, the two most relevant legal grounds being legitimate interest and consent.
This ground applies where the processing of someone’s personal data is necessary to achieve your legitimate interests or, in the case of an agency, the legitimate interests of the agency’s end client and the processing will have a minimal impact to the privacy of participants.
Relying on legitimate interest “requires a careful assessment and should be documented through something called a legitimate interest assessment or LIA”, according to Ed Boal. The Information Commissioner’s Office (ICO) provides a sample template online that you can find here.
If recruiting participants for user research, for example, this means obtaining the participants’ permission to get in touch with them, hold their data, etc. This is the legal ground with which most people will be familiar and has always been perceived as the ‘gold standard’ in data processing. However, anyone expecting to use consent as a legal ground should be aware that the GDPR sets the bar very high when defining it – “it must be clear, concise and unambiguous. It must be freely given. It must be specific in relation to the purposes you want to process personal data for and it must be as easy for individuals to withdraw their consent as it was for them to give it in the first place,” says Ed Boal.
Whether you are working with a user recruitment agency like People for Research or doing the recruitment yourself, this slide offers some useful advice on how to handle consent.
2. People have the right to know what happens to their data
If there is a keyword connected with GDPR, that keyword is ‘transparency’. The GDPR requires that “organisations must explain in clear and plain language what personal data they collect, what they do with it, what legal basis they rely upon for using it, who it will be shared with, how long it will be kept and whether it will be transferred outside the EEA [European Economic Area].”
PFR’s Business Development Director Jess Lewes, who hosted the webinar, says: “It is impossible to run research without generating a lot of data and duplicating that data by sharing information with all stakeholders. At the same time, one of the key principles of the GDPR is that you do not ask for more personal data than you really need, for example, to fulfill the research objectives.” Achieving this balance is the challenge.
Three useful tips shared during the webinar:
Jess also recommends taking a look at the workshop Kate Towsey (formerly of GDS and BBC) ran at UX Bristol 2018. “We mapped out all the different things you collect from a user during the research process – from consent forms through to photos of them, and all the different places you might put these things. This will help you to understand who will need access to the data, how you are going to keep track of the elements and maintain their security, and, of course, when it comes to deleting data – actually deleting all the duplicates.”
3. It’s important to understand responsibilities
“Identifying the roles of the parties is important, because a controller is subject to considerably more obligations than processors and a controller will generally be liable for a breach of the GDPR, unless it can prove it is without fault,” according to data protection expert Ed Boal.
These three questions will help you identify who is the controller and who is the processor when working with a third-party:
Who is responsible for recruiting?
What method are you using to source people?
Who will be capturing data?
If you would like to listen to the complete webinar, hit play on the recording below.
The PFR webinars will be back next year with a new topic and a new expert guest. If you have any suggestions, drop our Marketing team an email at firstname.lastname@example.org
With the #UX sector evolving and more companies setting up their own research practices, we wanted to go over the last 6 months of #GDPR and how the new #DataProtection rules have changed #UserResearch and recruitment | #Webinar recording + recap here – https://t.co/uCLM32cuVu pic.twitter.com/pWEj7expvW
— People for Research (@people4research) December 7, 2018
Single-tool approach in user recruitment
If you would like to find out more about our in-house participant recruitment service for user testing or market research get in touch on 0117 921 0008 or email@example.com.
About the author: Maria Santos is the Digital Marketing Manager at People for Research. You can find her on the People for Research’s Facebook or Twitter accounts, regularly engaging with potential participants, market research experts and the UX community.
About People for Research: We recruit participants for UX and usability testing and market research. We work with award winning UX agencies across the UK and partner with a number of end clients who are leading the way with in-house user experience and insight.
Contact us for…
Pick our brains, we love chatting about people and how to find them.
Each brief is unique, for a cost for your particular brief, please contact us.
Viewing facility / usability lab
People for Research have a flexible lab space, with the ability to host usability testing, focus groups and in depth interviews.
- 0117 921 0008
People for Research
Queen Charlotte Street
91 Wimpole Street