In a series of three blog posts we're considering implications of the GDPR in regards to marketing research industry. The previous two blog article touched upon how GDPR might influence conducting CATI and WAPI interviews. In this one I'd like to ponder on how the new legislation may affect conducting CAPI surveys, as well as Mixed-mode studies and mode independent research projects.  

Mode specific considerations: CAPI

As CAPI mode is a personal (F2F) interview, it gives a chance for collecting different type of data than in WAPI or CATI mode, that also needs different handling:

In a series of three blog posts we're considering implications of the GDPR in regards to marketing research industry. The previous blog article touched upon how GDPR might influence conducting CATI interviews. In this one I'd like to ponder on how the new legislation may affect conducting WAPI surveys. 

Mode specific considerations: WAPI

As you could read in our previous blog post, the EU GDPR affects all companies, that deal with data of EU citizens. Every company needs to be aware their data flows, whether it is related to ‘generic’ customer data, or data is collected for well defined purposes.

Having an overall data-flow, attached to the company procedures in practice, will be your biggest help pinpointing risks, vulnerabilities, or improvement possibilities. Having said that, it has to be one of the very first steps, describing the INs and OUTs of all your data you need to deal with.

Next, and two of the most important, steps are classifying the data, and your role related to it - this requires continuous attention from your staff, as soon as new processes are established, that affect the data-flow. In our previous blog post we described the roles and data classification types. Not all data requires attention - this though sounds to be a case easy to deal with, you still need to guarantee, that a certain point you do not start mixing this data with personal identifiers or sensitive data. For the data, that you need to handle with high attention, the following factors have to be considered:

• in what format that data exists (do not allow yourself to merely focus on data sitting in databases, as there are files, emails, documents, tables around and this is still just digital data, there can be data on paper as printed lists, in sound recordings, etc)
• How is the data transferred between destinations, does the transfer method have the appropriate characteristics in terms of security, control and accessibility
• storage location chosen
• who can access the data in each destination
• who is accountable for the data in each destination
• lifecycle of data - when does it appear in your system, how and when it can be removed, or whether removing is an option at all

This list may look a bit abstract at first glance, but let’s examine some market research practices (without the aim of completeness) per different mode, and pinpoint challenges from these aspects.

Mode specific considerations: CATI

CATI interviews can start on two different paths:

• start with an RDD (or semi-RDD) sample
• start with a ‘normal’ sample

In both cases, you can end up in a few “feels tricky” situations. First and most important, is that you need to be aware of laws, that apply to your activity. This includes whether or not RDD sample is allowed to use at all, and also indicates, if do not call lists (blacklists) have to be applied.

After publishing our previous blog post (about a new Nebu Dub InterViewer functionality helping users to comply with the upcoming GDPR), we've received a lot of inquiries regarding solutions that already exist in the system, and future developments to be released to clients before 25th of May 2018, when the new legislation comes into force.

First of all, we've made the GDPR a priority from Dub InterViewer development point of view. We've analyzed the requirements and obligations of the legislation with regards to the marketing research industry, which has resulted in a list of (planned) developments, as part of our release cycle before May 2018. In summary, this boils down to:

In the previous two articles posted in the GDPR category on Nebu's blog, we've covered the high-level overview of what the GDPR requirements and principles are. Now, let's dive into more specific, product-driven details.

More and more, clients ask us about Nebu Dub InterViewer's functionalities supporting them in complying with the upcoming GDPR legislation. One of the frequently reoccurring inquiries concerns removing respondent data from the project. 

When the respondent completed the interview, and a project is not a longitudinal study, often there is no use anymore for the client to keep the respondent data. In the light of GDPR removing or anonymizing that data even becomes a necessity.

In such case, it makes sense that the respondent data is 'disconnected' from the answers by removing the personally identifiable information from the sample data. Let's see how Nebu Dub InterViewer handles that for you.

Indeed, the functionality we're introducing in this blog post is one of key elements of complying with the GDPR as it fulfils four of six GDPR principles. Having an ability to set up an automated flow on how sample data will be processed in a project upfront will help fieldwork and marketing researchers adhere to:

In the previous post, we explained what the main new roles introduced by GDPR are and what the impact of the new legislation is. Now, let's dive into more details.

Who is concerned?

Everyone!

If you process EU citizens data as part of your activity, regardless whether that processing occurs in or out of the EU, then the GDPR applies to you. Bear in mind that employee data and customer data ARE personal data. And the simple fact of storing that data is considered a processing activity.

Six principles of the GDPR 

The GDPR is not simply a ticking boxes process to avoid a big fine. It is principles driven and aim to change the way we perceive and treat personal data. There are six principles, listed below:

Most likely, you have heard about upcoming new legislation in relation to the processing of personal data. This General Data Protection Regulation (GDPR) will be in effect per May 25th, 2018, and has a big impact on Market Research, as well as other industries.

In many market research projects, personal data is being collected, which means you have to have a basic understanding at least, of what GDPR entails. In this article we want to inform you about steps you can take to ensure you comply with the new legislation, to avoid potentially high penalties.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union and the European Commission, intended to strengthen and unify data protection for all individuals within the European Union (EU). The GDPR aims primarily to give control

Nowadays securing data is one of the biggest challenges for the Market Research Industry. When you keep information online you can't lock it away to be 100% sure that no one else can see it. You need to be aware that during any transfer process both you and your customer might lose control over the data, and over who is accessing it. You need to do everything possible to prevent this from happening. You should secure devices, both on the browser and the hosting side. Unfortunately the pipes of the online world are out of your hands, but don't worry, there is something you can do.

The IT security has an important role in the Market Research Industry. Not only does it need to be robust so that fieldwork is completed reliably and on time, but needs to be secure to ensure data collected is accessible and usable by those able to do so, but also so that Personally Identifiable Data is kept confidential. It is essential to secure the data you collect, but sometimes it can cause headaches because of the number of attacks on your data.

First, let me clarify what a Penetration test is and how it usually works.

In this blog post we will target explaining the importance of server and environment maintenance from security point of view. In our industry security is proven to be a key element and as is, needs continuous attention, instead of assuming that with a one time action proper security level can be achieved. This latest statement can be odd, you can think about why is that? How it can be ruined if once it is made great? Software components can contain bugs, security leaks, which are already there, but has not been discovered yet - when such a vulnerability has been identified and made public, servers or software components with this vulnerability can be easy target.

Therefore Nebu decided to perform more frequent server maintenance: it always has been important to keep servers up-to-date, but we clearly realized that updates have to be frequent enough to increase security and to decrease downtime.