As you could read in our previous blog post, the EU GDPR affects all companies, that deal with data of EU citizens. Every company needs to be aware their data flows, whether it is related to ‘generic’ customer data, or data is collected for well defined purposes.
Having an overall data-flow, attached to the company procedures in practice, will be your biggest help pinpointing risks, vulnerabilities, or improvement possibilities. Having said that, it has to be one of the very first steps, describing the INs and OUTs of all your data you need to deal with.
Next, and two of the most important, steps are classifying the data, and your role related to it - this requires continuous attention from your staff, as soon as new processes are established, that affect the data-flow. In our previous blog post we described the roles and data classification types. Not all data requires attention - this though sounds to be a case easy to deal with, you still need to guarantee, that a certain point you do not start mixing this data with personal identifiers or sensitive data. For the data, that you need to handle with high attention, the following factors have to be considered:
- in what format that data exists (do not allow yourself to merely focus on data sitting in databases, as there are files, emails, documents, tables around and this is still just digital data, there can be data on paper as printed lists, in sound recordings, etc)
- How is the data transferred between destinations, does the transfer method have the appropriate characteristics in terms of security, control and accessibility
- storage location chosen
- who can access the data in each destination
- who is accountable for the data in each destination
- lifecycle of data - when does it appear in your system, how and when it can be removed, or whether removing is an option at all
This list may look a bit abstract at first glance, but let’s examine some market research practices (without the aim of completeness) per different mode, and pinpoint challenges from these aspects.
Mode specific considerations: CATI
CATI interviews can start on two different paths:
- start with an RDD (or semi-RDD) sample
- start with a ‘normal’ sample
In both cases, you can end up in a few “feels tricky” situations. First and most important, is that you need to be aware of laws, that apply to your activity. This includes whether or not RDD sample is allowed to use at all, and also indicates, if do not call lists (blacklists) have to be applied.