30 November 2017
What do I do if...?
The new GDPR offers fresh challenges to our industry. We offer answers to a few basic questions on the topic, with a longer version of this article appearing online.
If your eyes have a tendency to glaze over at the mention of data protection — then you are not alone. The General Data Protection Regulation (GDPR), however, will wait for no man — or woman — and will apply in the UK from 25 May 2018, a start date unaffected by our decision to leave the EU.
AQR offers helpful links on its home page, but some of our members have expressed concerns that, despite the wealth of information out there, their needs — and queries — are more basic. So, taking a very rough straw poll, In Brief decided to make a note of these questions and asked Wendy Durn, quality and development manager at Research Opinions, for her take. She offers these responses as guidance only. People may need to take legal or professional advice where necessary.
The MRS is going to have a GDPR guide on its website before the end of the year which will be written for researchers and recruiters and answer a lot of questions.
Where are we in the chain? For example, when are we data controllers — when referring to online communities, say, where there are lots of parties with access?
If you decide how the personal identifiable data is going to be ‘processed’, then you are the data controller. In an online community the research agency would be the data controller, as they would be deciding how to use the data. Any observers of the community would not be controllers. It is possible to have more than one data controller. For instance, if you were working from a client-supplied sample, it is probable that they would be data controllers and so would the research agency. Everyone in the supply chain should have a contract which spells out their responsibilities regarding personal data.
What exactly are the ramifications of not following GDPR? Is this tiered, or would you receive the same punishment for keeping one small set of data vs a huge database?
If you are a data controller you will have to pay a fee to the ICO, as you do now, and the scale of fees will reflect size and turnover and the amount of data you hold — we haven’t been told the fee scale yet.
Do the ramifications depend on the size of the organisation? For instance, as a sole trader, what happens if I just ignore this?
You must follow the GDPR: it is the law! One of the main ramifications of not doing so is if you have a data breach. The volume of data lost/stolen/accessed unlawfully will obviously come into play, but the sensitivity of the data and the amount of detail is very important. As researchers and recruiters, we can store a lot of sensitive data such as health conditions without really realising it.