GDPR for User Research (an introduction)
Written by: Phil Hesketh
As user researchers, we constantly collect and analyse data to understand user behaviour and create better products and services. With the General Data Protection Regulation (more commonly known as the GDPR) in force since May 2018, we need to be aware of these rules and how they affect our work.
Introduced by the European Union (EU) in 2018, the GDPR gives people more control over their personal data. The regulation applies to all organisations that collect, process and store the personal data of EU citizens, regardless of where they are based. So, even if your organisation is outside the EU, if it collects data on EU citizens, you must comply with the GDPR.
Because you can only do research by collecting people’s personal information, it’s crucial to understand how the GDPR affects your work. We’ve split this article up into the key things you need to know about the GDPR.
Definitions found in GDPR
Data subject
Any living person whose personal information is collected and processed by an organisation. For example, a Data Subject could be a customer, employee, or client. Most commonly, in research, this will be your participant.
Data processing
Any operation or set of operations performed on personal data. Collecting, recording, organising, and analysing personal data obtained from the research participants, such as their demographic information, feedback, and opinions, are all examples of data processing.
What counts as personal data?
Personal data under the GDPR is any information that can directly or indirectly identify a person. Personal data includes a person’s name, email address, phone number, IP address, and other information used to identify them. Indirect identifiers are pieces of information that do not directly identify an individual on their own but can lead to the identification of an individual when combined with other data.
User researchers should ensure that they are only collecting data necessary for their research (see the principle of Data Minimisation) and that they are not collecting any unnecessary data that could be considered personal data.
Here are ten examples of direct and indirect identifiers of personal data under the GDPR:
| Direct identifiers | Indirect identifiers |
|---|---|
| Full name | Occupation |
| Identification numbers (social security, passport number, driver’s license number, etc.) | Education level |
| Home address | Income |
| Email address | Job title |
| Telephone number | Zip or postal code |
| Date of birth | Place of birth |
| Photos or video recordings | Physical or mental health information |
| Bank account information | Purchase history |
| IP address or MAC address | Employer name or business name |
| Usernames or online pseudonyms | Social media posts or activity |
This is not an exhaustive list. Other pieces of personal data could also qualify as direct or indirect identifiers under the GDPR.
Special category data
There is another category of personal data you will come across as a researcher. Special Category Data is considered particularly sensitive and requires extra protection under the General Data Protection Regulation (GDPR).
The GDPR defines special category data as personal data that reveals or concerns:
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data
Biometric data (used for the purpose of uniquely identifying a natural person)
Health data
Data concerning a person’s sex life or sexual orientation
Personal data that fits into this category is more sensitive than other types of personal data because it can be used to discriminate against individuals and may be associated with a higher risk of harm if it is mishandled or disclosed.
Imagine recording a remote interview on a video call. The chances of inadvertently collecting Special Category Data are high, even if you never intended to collect it.
Under the GDPR, the processing of Special Category Data is prohibited unless certain conditions are met. These conditions include obtaining explicit consent from the individual, processing the data for specific purposes in the public interest, or processing the data for specific legal purposes, such as employment, social security, or social protection law.
In addition to the requirements for processing special category data, the GDPR also requires organisations to take extra measures to protect this type of data. These measures may include implementing additional technical and organisational measures, such as encryption or access controls, to prevent unauthorised access or disclosure of the data. A Data Protection Impact Assessment (aka a DPIA) is one way you can work through and evidence how you will achieve this.
It is essential for organisations, including user researchers, to be aware of the requirements for processing special category data under the GDPR and to take steps to ensure that this type of data is handled with the appropriate level of care and protection.
What are the GDPR’s principles for processing personal data?
The GDPR sets out six principles for processing personal data. These principles are:
Lawfulness, fairness, and transparency: Any personal data must be processed legally, fairly, and transparently.
Purpose limitation: Any personal data must be collected for specific, explicit, and legitimate purposes.
Data minimisation: Personal data should be limited to only what is necessary for the purposes for which it is being processed. In other words, only ask for it if you actually need it.
Accuracy: Any personal data must be kept accurate and up to date.
Storage limitation: Only keep personal data for as long as is necessary for the purposes for which it is being processed.
Integrity and confidentiality: Security and confidentiality should be ensured in any processing of personal data.
As researchers, the onus is on us to ensure that we process personal data in compliance with these principles. We must be transparent about the purpose of our research, collect only the necessary data, and ensure that it is accurate, up-to-date and stored securely.
What are the legal bases for processing personal data under the GDPR?
Before any personal data is processed, you must choose one of six legal bases. These legal bases are:
Consent: The participant has given their consent for you to process their personal data for a given, specific purpose.
Contract: The processing of personal data is necessary for the performance of a contract.
Legal obligation: The processing of personal data is necessary for compliance with a legal obligation.
Vital interests: The processing of personal data is necessary to protect the individual’s vital interests.
Public task: The processing of personal data is necessary for performing a task in the public interest.
Legitimate interests: The processing of personal data is necessary for the legitimate interests of the controller or a third party unless the interests of the individual override those legitimate interests.
In most cases, consent will be the legal basis for research purposes. However, in some cases, you might also use legitimate interests. Regardless of whether your basis is consent or legitimate interests, user researchers must still meet the transparency criteria set out in the principles before collecting data for research. That is exactly what the “informed” part of informed consent is designed to achieve.
How should user researchers obtain consent for processing personal data?
Under the GDPR, consent must be:
Freely given
Specific
Informed, and
Unambiguous
User researchers must obtain explicit consent from participants before collecting their personal data. Researchers must provide clear information about the following:
The purpose of the research
The types of personal data that will be collected
How that data will be used
Who will have access to it
User researchers should also allow participants to withdraw their consent at any time.
Take a look at our informed consent checklist if you want a step-by-step playbook for setting up and managing your informed consent process for research. Or, see how Consent Kit will help you to implement and scale a consistent data governance strategy across your teams by watching a quick demo video.
Your participants’ rights under the GDPR
The GDPR gives individuals several rights concerning their personal data. These rights include:
The right to be informed: Participants have the right to know how their personal data is collected and used.
The right of access: Participants have the right to access any of their personal data processed by an organisation.
The right to rectification: Participants have the right to ask that their personal data be corrected if it is inaccurate or incomplete.
The right to erasure: Participants have the right to ask that their personal data be erased under certain circumstances.
The right to restrict processing: Participants have the right to request that the processing of their personal data be restricted under certain circumstances.
The right to data portability: Participants have the right to a copy of their personal data in a structured, commonly used, machine-readable format.
The right to object: Participants have the right to object to any processing of their personal data under certain circumstances.
However, the specific rights afforded to data subjects can differ depending on the legal basis for processing. For example:
| Legal basis | Applicable rights |
|---|---|
| Consent | Right to withdraw at any time; right to erasure |
| Contract | Right to access; right to amend; right to erasure; right to restrict processing |
| Legal obligation | Right to access; right to amend; right to erasure; right to object |
| Legitimate interests | Right to object; right to access (optional); right to rectification (optional); right to erasure (optional); right to restrict processing (optional) |
From a Research Ops perspective, we must be aware of these rights and ensure we can respond to requests from individuals who exercise them under the GDPR.
One of the big challenges in operationalising these rights is maintaining consistency in how your data is collected. Research happens in lots of different ways, and researchers often have their own ways of logging the admin of their research.
The main benefit of using a platform like Consent Kit is that it supports the multitude of ways research happens, giving you that important consistency across your entire team, while providing you with the tools to find, rectify, download or delete your participants’ information from a single source of truth.
What are the consequences of not complying with the GDPR?
The GDPR imposes significant penalties on businesses that fail to comply with the regulation. These penalties can include fines of up to 4% of a business’s global annual revenue or €20 million, whichever is greater. In addition to financial penalties, non-compliance with the GDPR can result in reputational damage and loss of customer trust.
Establishing trust between the researcher and the participant is vital to the job. Showing your participants that you handle their data carefully and respectfully builds trust.
Wrapping up
In conclusion, the GDPR has significant implications for user researchers who collect, process and store personal data. User researchers must comply with the GDPR’s principles for processing personal data, obtain consent in a clear and informed manner, and respond to individuals’ requests for access, rectification, erasure, and portability of their personal data.
By understanding the GDPR and its requirements, user researchers can ensure that they are protecting the personal data of individuals and complying with the regulation. Not only does this help to avoid penalties and reputational damage, but it also builds trust with your participants and creates better products and services.