6 Steps to Ensuring GDPR Compliance in Research Projects
Written by: Phil Hesketh
The General Data Protection Regulation (GDPR) is the most robust global privacy law in effect today, but it shouldn’t be scary! It was designed to keep pace with how the world has changed and help people make sense of and have control over how their data is used.
Understanding and sharing the experiences and perspectives of the people we learn from means processing personal data—a lot of it. So understanding and complying with laws like GDPR is critical to ensuring we conduct safe, legal and ethical research.
Before the GDPR, different countries within the EU each had their own individual privacy laws and regulations. Believe it or not, the GDPR has made things much less complicated than they used to be!
We’ve created this short guide to help you undertake the steps necessary to ensure your practice complies with the GDPR. We will focus on what you must do and what documentation you need and provide examples within the context of user research.
Here are six steps you can take to ensure that your research practices are GDPR compliant:
Step 1: Familiarise yourself with the basics
Get to know the GDPR requirements and principles to ensure you understand your obligations as a researcher. The GDPR outlines specific rules around data protection, including consent, transparency, and data minimisation, among others.
To help you get started, we’ve written a short guide to GDPR for User Research, introducing you to the principles, people’s rights, legal bases, and other general terms.
Step 2: Map your current data flows
Knowing what you are doing right now is an excellent place to start. Perform a data audit of your research practices to understand what personal data you collect, how it is used, where it is stored, and who has access to it. A clear picture of your current practice will help you identify potential GDPR compliance issues and areas for improvement.
Because we often work in our own ways, doing this with your wider team can give you a clearer understanding of how data is handled across your team. We created a Data Mapping Workshop to help you run this remotely or in person.
Once you’ve mapped out the types of data you collect, where they’re stored and who has access to them, you can transfer this into one of the central documents for GDPR compliance: your Record of Processing Activities (ROPA). If your organisation has a Data Protection Officer, they will be able to help you with this in Step 3.
The ROPA is a document that contains information about an organisation’s processing of personal data. The ROPA provides:
- A detailed description of the type of personal data being processed.
- The purpose of the processing.
- The categories of data subjects.
- The recipients of the personal data.
- Any cross-border transfers of personal data.
The ROPA is an essential tool for GDPR compliance, as it helps organisations demonstrate their accountability and transparency concerning their processing activities. Organisations are required to maintain an up-to-date ROPA and make it available to supervisory authorities upon request.
Step 3: Make friends with your DPO
The aim of this article is to give you an understanding of how to get started with GDPR compliance. What you need can vary depending on other factors in your context, so it’s always good to get independent advice from someone who understands the data protection landscape where you are. That person will likely be the data protection officer at your organisation.
The GDPR requires some organisations to appoint a Data Protection Officer, also known as a DPO (because compliance loves an acronym). You might not have a DPO, and that’s okay. You only need to have one if your organisation:
- Is a public authority or body;
- Has core activities that require large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- Has core activities that consist of large-scale processing of Special Category Data or data relating to criminal convictions and offences.
The DPO’s job is to assist your organisation to:
- Monitor internal compliance
- Advise on your obligations under data protection laws
- Advise and guide you on Data Protection Impact Assessments (DPIAs), and
- Act as a point of contact for data subjects (in our context, your participants) and the data protection authorities
We’ve put this as step 3 so that you’ve got someone who understands your organisation in your corner from the get-go. They may have already completed some of these steps or have templates or tools (like a ROPA and a DPIA) they would prefer you to use.
If you do have a DPO, this guide will help you start those conversations on the same page. Here are some questions you might want to ask:
- Could I see the existing ROPA?
- What is the current process for Data Protection Impact Assessments (DPIA)?
- How do we currently handle Data Subject Rights requests?
- How are incidents or breaches reported and managed?
- How does the DPO review processors?
- How are cross-border transfer mechanisms handled?
You can skip this step if you don’t have a DPO at your organisation. Not having a DPO doesn’t mean you’re exempt from the GDPR. You’ll still need to complete the following steps. At least now you’ve got a better idea of your roadmap to compliance!
Step 4: Implement Data Protection by Design and by Default
The practice of Research Ops is to develop systems and services that enable research to happen within an organisation. When designing those systems or services, we can use design principles to help us factor in these considerations.
The core ideas behind Data Protection by Design and Default are embodied in the seven fundamental principles of Privacy by Design. Even though Privacy by Design and Data Protection by Design are not the same thing, these basic principles can serve as a basis for any privacy-related strategy.
These principles include:
- Be proactive and prevent privacy issues before they happen. Develop a culture of privacy awareness across your team.
- Privacy should be the default setting in any system, product or service. As the default setting, your participants’ data should be protected without them having to do anything.
- Design systems with data protection in mind from the start.
- Avoid trade-offs. Look for ways to incorporate all legitimate objectives while complying with your obligations.
- Implement robust security measures at every data lifecycle stage: access controls, encryption or pseudonymisation.
- Be transparent with participants about what data you collect and how you use it. Use plain language and be clear about what you record and how you will use their data.
- Prioritise the interests of participants when designing and implementing systems. Give them control and appropriate notice if things change.
Data protection by design is about considering data protection and privacy issues upfront in everything you do. It can help you ensure that you comply with the fundamental principles and requirements of the GDPR and forms part of the focus on accountability.
How does this relate to Research Ops?
One of the ways we can implement data protection by design and default into our research practice is by using Data Protection Impact Assessments, or DPIAs.
You’ll need to do a DPIA whenever you plan to:
- Embark on a new project involving the collection of personal data;
- Introduce new IT systems for storing and accessing personal information;
- Participate in a new data-sharing initiative with other organisations;
- Initiate actions based on a policy of identifying particular demographics;
- Use existing data for a “new and unexpected or more intrusive purpose”;
- Review or audit an existing system or activity.
Further to this, Article 35(1) says that you must do a DPIA where processing operations are likely to result in a high risk to the rights and freedoms of individuals.
DPIAs will have a direct impact on your teams and their workflow, but depending on the scope and context of your research you might not have to do one for each project. The ICO, the Data Protection Authority in the UK, has some great guidance on how to complete a DPIA.
Step 5: Obtain valid consent
Ensure that you have obtained valid and informed consent from research participants, being transparent about how their data will be collected, used, and shared. Consent should be obtained in a clear and understandable way, and participants should have the right to withdraw their consent at any time.
During the process of obtaining consent, you’ll need to evidence:
- The information disclosed to your participant at the point of obtaining consent
- Precisely how your participant was asked for consent
- When your participant gave their consent
At first glance, this might sound quite straightforward. But if you think about all of the different ways that you obtain consent (remotely, in person, via a third-party recruiter or tool), keeping track of this across all of those channels and across your entire team is far from easy.
It’s also good to consider your participant’s experience during this phase. Do they need to print, scan, or install any plugins or software to sign the form? Is the format accessible? For example, will it work with a screen reader? Are you using plain language that is simple to understand? Are you disclosing information in the participant’s first language?
Step 6: Implement appropriate security measures
This should go without saying, but it’s essential to make sure that personal data is safe and secure throughout the research process. This may include pseudonymisation, encryption, and access controls to protect against unauthorised access, loss, or theft of personal data.
Your data map from step 2 should highlight the security measures you have in place across your research workflow. Some quick wins that can dramatically improve your security are:
- Use a password manager (like 1Password) or Single Sign On (SSO) for account management.
- Enable 2 Factor Authentication (2FA) on all accounts holding your participants’ data.
- Use dedicated tools with encryption and access controls for larger data sets, such as your participant database or research repository.
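Pseudonymisation, mentioned above as one of the measures for protecting participant data, is easier to reason about with a concrete example. The script below is an added illustration, not code from the original article: it splits each participant record into a research row (pseudonym plus observations) and an identity row (pseudonym plus contact details), so the research repository never holds direct identifiers and the identity table can be stored separately with tighter access controls. The pseudonym is a keyed HMAC rather than a plain hash, so someone with the research data but not the key cannot recompute pseudonyms from a list of email addresses. Field names, sample records and the key handling are all assumptions for the example; in practice the key belongs in a secrets store or password manager, never alongside the research data.

```python
"""Pseudonymise participant records before they enter a shared research repository.

Added example, not from the original article. Assumptions (constructed for
illustration): records are dicts whose direct identifiers are 'name', 'email'
and 'phone'; the HMAC key is held separately from the research data.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Fields that identify a person directly; everything else is treated as research data.
DIRECT_IDENTIFIERS = ("name", "email", "phone")

# Constructed sample records (not real participants).
SAMPLE_RECORDS = [
    {"name": "Alex Example", "email": "alex@example.org", "phone": "+44 7700 900000",
     "session": "2023-05-02", "task_success": True, "notes": "struggled with step 3"},
    {"name": "Sam Sample", "email": "sam@example.org",
     "session": "2023-05-03", "task_success": False, "notes": "asked about retention"},
]


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed hash of a direct identifier.

    HMAC-SHA256 keyed with a secret means the pseudonym cannot be recomputed
    (or brute-forced from a list of likely emails) by anyone without the key.
    The identifier is normalised so 'Alex@Example.org ' and 'alex@example.org'
    map to the same participant.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def split_record(record: dict, key: bytes) -> tuple[dict, dict]:
    """Return (research_row, identity_row) for one participant record."""
    pid = pseudonym(record["email"], key)
    research_row = {"participant": pid}
    identity_row = {"participant": pid}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            identity_row[field] = value      # goes to the restricted identity table
        else:
            research_row[field] = value      # safe to put in the shared repository
    return research_row, identity_row


def pseudonymise_dataset(records: list[dict], key: bytes) -> tuple[list[dict], dict]:
    """Split a whole dataset. Returns the research rows and a pseudonym -> identity map."""
    research, identities = [], {}
    for record in records:
        row, ident = split_record(record, key)
        research.append(row)
        identities[ident["participant"]] = ident
    return research, identities


def withdraw(identities: dict, pid: str) -> None:
    """Participant withdrew consent: remove the link between pseudonym and person.

    The research row survives for aggregate analysis, but with the identity row
    gone it can no longer be tied back to an individual.
    """
    identities.pop(pid, None)


def reidentify(identities: dict, pid: str) -> dict | None:
    """Look a pseudonym up in the identity table (e.g. to honour a rights request)."""
    return identities.get(pid)


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # in practice: loaded from a secrets store
    research, identities = pseudonymise_dataset(SAMPLE_RECORDS, key)
    for row in research:
        print("research:", row)
    first = research[0]["participant"]
    print("identity:", reidentify(identities, first))
    withdraw(identities, first)
    print("after withdrawal:", reidentify(identities, first))
```

Running it with a fresh random key prints the research rows with no name, email or phone, shows the identity lookup for the first participant, and then `None` after withdrawal. The deterministic keyed pseudonym is what lets you link several sessions from the same participant across the repository while keeping the contact details in one tightly controlled place.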
Cross-border transfers
Another less talked about issue for security (at least in terms of the GDPR) is cross-border transfers. Cross-border transfers in GDPR involve moving personal information from the EU or EEA to a third country. The GDPR has strict rules to protect people’s personal information during these transfers. Although personal information can be transferred for valid reasons like business or legal purposes, the transfer must comply with GDPR rules so that people’s rights and their data remain protected.
Cross-border transfers are important because not all countries have the same levels of protection in place to protect their citizens’ personal data. And, because of how cloud-based software is built, there is often a combination of providers (aka Subprocessors) behind each app. So it’s essential to understand precisely where personal data travels as you use each tool.
The GDPR requires that the data controller or processor transferring personal data outside the EU/EEA must ensure an adequate level of protection for the data. This might mean:
- Obtaining explicit consent from the data subjects
- Signing a data processing agreement with the recipient, or
- Relying on specific legal mechanisms, such as standard contractual clauses or binding corporate rules.
Establishing a GDPR-compliant research practice and working toward Privacy by Design and Default principles is a constantly moving target. By following these steps and working closely with data protection professionals like your DPO, you can ensure that your research practices are GDPR compliant and continue to put the privacy and rights of research participants at the forefront of your work.