With GDPR just around the corner, it seems many businesses, freelance researchers and data controllers are unprepared for the massive changes that come with this new General Data Protection Regulation. Whereas most businesses saw personal data as someone’s name, address and telephone number, GDPR has extended that reach. Once GDPR is implemented, personal data will cover everything from IP addresses and mobile phone IDs, through to photos and social media posts.

However, many marketers and insight organisations collect and use these types of personal data, to better understand and target ideal audiences. Once GDPR is live, one of the big issues this type of research data will bring, is the frequency of it being transferred over international borders. Another issue is that of consent – if data is going to be used for data processing and market research, this needs to be made clear at point of consent.

Permission must be sought, to continue using existing contacts information

When it comes to existing contacts on your researchers lists or notes, you need to be clear on what their available opt-out options are. Usually, this will involve contacting them and providing a summary of why you’re contacting them, along with a simple tick box stipulating they click to unsubscribe or opt-out. You’ll need to also add a ‘Fair Processing Notice’ to your privacy policy, stating that you may be using their data to better understand their preferences etc – again, giving them a clear way to opt-out, if they’d rather not consent.

Remember, failure to opt-out isn’t consent. You need to explicitly request permission to collect and use their data – and you need new permissions for any additional marketing materials added and/or new types of research carried out. The only exception to this is with scientific and historical research – if that further research is considered ‘compatible’ to the original request.

Online and public, doesn’t mean you can automatically use it

Internet has made it so easy to find a wealth of personal information online. Whether it’s on social media platforms, search engine results or public forums and groups, you cannot just use personal information for your research. You still need to ask permission.

No matter whether you’re dealing with a new contact or an existing one, they need to know exactly what information you’re collecting on them and what it will be used for. You also need to tell them how you’re storing it and who else will be seeing or using that information.

You need to ensure you’re responsible for any personal information that is stored and used

No matter what type of business you run, if you collect any form of personal information, you need to keep it safe and be transparent about how you’re using it. All data needs to be securely stored and only stored for as long as you need it. This timescale also needs to be communicated to the person whose information you have.

If there’s a potential or confirmed data breach, you need to notify the person within 72 hours of that breach. You then need to give them details of the breach, along with exactly what information may have been compromised. You also need to tell them how you’re going to investigate what happened and what you’re going to do, to remedy the situation and ensure it doesn’t happen again.

Researchers need to be clearing out databases regularly

GDPR will mean an increase in database clean-ups. You’ll only be allowed to keep information for as long as you genuinely need it. After this time, you need to destroy it. Researchers especially are known to collect masses of information during their research periods and keep it for as long as possible, because it may come in handy. However, this will no longer the case. Databases will need to be cleared out regularly, if you don’t want to fall foul of any tiered fines.

With GDPR around the corner, it’s important that you start implementing steps now, to ensure you’re covered by May 2018.

GDPR means huge changes ahead for researchers and other businesses alike. As such, this article will barely scratch the surface of it – so please make sure you take the time now, to adequately research it, learn it and take steps to ensure you’re covered, before it’s too late. For more information, please check out the official GDPR portal: https://www.eugdpr.org/