May 21, 2018

GDPR impacts: 7 Questions to Ask Your research panel provider

By Paul Laughlin

How does GDPR impact your use of a research panel provider?

Last month, we shared various posts related to market research, balancing our content focussed on data & analytics with tips & resources for research leaders.

This month, with the May 25th deadline looming, we have focussed on GDPR. So, I’m glad to have a guest post to share that covers both those themes. Guest blogger Johnny Caldwell (and his team from Netquest) returns with a focus on the impact of GDPR on your use of a panel provider.

In this post, Katie Hagan shares 7 questions that GDPR should prompt you to raise with any research panel provider. Over to Katie to show us how GDPR has an impact on research leaders, not just data & analytics ones…

Why GDPR questions for your panel provider?

We’re providing a quick checklist that any research manager can use to ask their sample provider about GDPR. Why are we doing this? Well, we genuinely believe the GDPR will improve the industry. You see, people are at the center of market research, and that’s why it’s important to respect and protect the panelists. The GDPR ensures we continue to do just that. See where to begin with the checklist below.

Panel Provider: Are you GDPR compliant?

This seems like an obvious question, but it’s a question you are going to want to document. Those who process data (collect, purchase, analyze, etc.) of people protected by the GDPR must make sure the source of the data is compliant. Proving you’ve done your due diligence will be useful in a worst-case scenario.

Panel Provider: Who is your DPO?

In most circumstances, agencies controlling or processing personal data (protected by GDPR) need to have an appointed Data Protection Officer (DPO). You should ask for the contact information of this person, and inquire about their credibility. If the panel provider fails to give you this information, play it safe. Instead, collect data from an organisation that can provide DPO information.

Panel Provider: Can panelists access and export their data easily?

People protected by GDPR now have the power to request data that organizations are storing about them. Make sure the panel company is complying with this measure by allowing panelists to easily access and export survey responses, demographic info, and any other data that is kept on file.

Panel Provider: Have panelists given explicit consent to be on your panel?

People have to provide explicit consent to become a part of a panel for market research. In order to get that consent, the terms, conditions, and privacy policies should be published. These need to be written clearly enough for the average person to understand, free of legal jargon. Make sure your panel provider complies with GDPR on this front.

Panel Provider: Can I see the privacy policies communicated to panelists?

It isn’t enough that the privacy policies, and other legal conditions about data collection & storage, are easy to understand. These terms also have to be easy to access, at any time, for reference. Ask your panel provider for a copy of, or a link to, the policies, or even try to access them yourself on their website. That way you’ll know for yourself if they are complying with GDPR.

Panel Provider: What if during an ongoing project, respondents request to be removed from the panel?

The GDPR enforces the right to be forgotten, known as Data Erasure. This means panelists have the right to be easily removed from panels and ongoing research. They also have the right to remove their data from databases. Data Erasure could end up significantly affecting your ongoing research project’s sample. So, it’s something to sort out in the terms of your contract with your panel provider.

Panel Provider: What are your data retention policies?

In the case of purchasing ‘back data’, or ‘profiling’ information, you’re going to want to know the specifics about how the panel company stores data. GDPR’s rules for data storage are vague, yet enforced: they state that personal data should not be retained longer than necessary in relation to the purpose for which such data is processed. Find out the details about the company’s data retention model. Use your best judgement on whether or not the use of this data would be classified as compliant (reasonable).

Netquest’s Legal Disclaimer

Thanks to Johnny, Katie & the Netquest team for that post. As with many such GDPR-related posts, they also included a legal disclaimer:

Netquest, and entities under Netquest, are not your legal advisors and will not be liable in any way if you mistakenly believe this is a legal report for you to follow. This is not a legal GDPR implementation guide.

Please bear in mind that this provided content, and any other GDPR content produced by Netquest and its entities, is not a source of legal advice. This article and all other materials about GDPR are curated by Netquest as marketing materials to promote and support the need to be compliant with the new regulations. To become GDPR compliant and to understand how to work with other organizations that should be compliant (such as panel providers), we recommend you contact and work closely with a legal advisor.

Every company is different and therefore, needs different adaptations to the GDPR. In a nutshell, we are so happy you read until here, but please do not rely on this paper as legal advice, nor as any applicable legal interpretation.

Stay genuine.

How ready is your panel provider for GDPR?

I hope that gave you some reasons to reflect on your GDPR readiness. Have you already made such GDPR checks of your research panel providers? What about all your data providers or 3rd party data processors?

If you’ve got experience to share, regarding this, or other impacts of GDPR on your operating model – I’d love to hear from you. Feel free to share below, in our comments box, or via social media.

The journey will not be over come May 25th; in fact, it looks like that will be more like the starting gun. Let’s keep sharing, to spur each other on towards best practice.