The Evolving MR Data Privacy Mandate and What You Need to Do About It

July 9, 2024

Market researchers are currently facing a significant data privacy challenge. There are 18 states with privacy laws in place in the US, with three more trying to pass laws. Additionally, there are privacy laws and frameworks globally. The EU, including the UK, has the General Data Protection Regulation (GDPR). Other countries with privacy laws include Argentina, Australia, Canada, China, Israel, Japan, New Zealand, Singapore, South Korea, and Thailand. Many more countries are proposing or considering data privacy legislation. Moreover, the list of states and countries with individual privacy laws is continually changing, and as you might expect, these laws are not identical. Each state’s or country’s laws may differ slightly or substantially from the others.

If you collect or analyze data from participants from these states and countries, these privacy laws likely apply to you. Although there may be exceptions for small businesses or specific jurisdictions, these can create complex legal situations. For example, under GDPR, if a small entity is exempt, obligations may still exist for end clients or other organizations possessing sensitive data. Ignoring these requirements could lead to financial consequences for you and other organizations.

Survey Data Collection Best Practices

The latest market research best practice is to assume that privacy laws apply to your operations. This ensures you develop a robust privacy program that considers the diverse and evolving requirements of all jurisdictions where you collect data. Here are some considerations for establishing your data privacy program:

  1. Consent and Transparency: Always obtain explicit consent from participants before collecting their data. Clearly explain how their data will be used, stored, and shared. Transparency builds trust and ensures compliance with various privacy laws.
  2. Minimize the Data Fields: Collect only the data that is necessary for your research objectives. Avoid gathering sensitive personal information unless it is absolutely required and with explicit consent.
  3. Secure Data Storage: Implement robust security measures to protect the data you collect. Use encryption, secure servers, multi-factor authentication, and regular security audits to prevent data breaches.
  4. Anonymization and Pseudonymization: When possible, anonymize or pseudonymize the data to protect participants’ identities and reduce the risk in case of a data breach. This can also help comply with regulations that require data minimization.
  5. Participants’ Rights: Be aware of and respect participants’ rights under different privacy laws, including the right to access, correct, or delete their data. Establish and communicate clear procedures for handling these requests promptly.
  6. Conduct Third-Party Audits: To ensure full compliance with a robust information security framework and your own internal information security policies and procedures, consider participating in a third-party certification process such as ISO 27001. This type of certification requires that a third-party auditing body review your controls and ensure that they are in line with both the framework’s and your internal objectives.

Sample Procurement Best Practices

  1. Ethical Sourcing: Ensure that your sample sources comply with relevant privacy laws and ethical guidelines. Partner with vendors who have strong data privacy practices. When considering a new partner, ask them to share their policies.
  2. Diverse and Representative Sampling: Procure a diverse, representative sample of your target population to obtain accurate and generalizable results while respecting the privacy and preferences of different demographic groups.
  3. Quality Control: Implement rigorous quality control measures to ensure the integrity and reliability of your sample data. This includes partnering with suppliers who have pre-validated the authenticity of participants, ensuring their participation is voluntary and informed.
  4. Contractual Agreements: If sensitive or personal data is being collected and when working with third-party vendors for sample procurement, have clear contractual agreements outlining data privacy and security obligations. Ensure all parties understand and adhere to their responsibilities.

Data Processing Best Practices

  1. Data Processing Agreements (DPAs): Clients and providers should maintain mutual DPAs that clearly outline the boundaries and expectations pertaining to data collection, storage, and deletion. The DPA should list all data sub-processors (e.g., hosting providers, SaaS software providers, and incentive providers).
  2. Access Controls: Implement strict access controls to ensure that only authorized personnel can access sensitive data. Use role-based access and regularly review and update access permissions.
  3. Data Retention Policies: Establish and enforce data retention policies that comply with relevant privacy laws. Only retain data for as long as it is necessary for your research purposes and legal obligations.
  4. Continuous Monitoring and Auditing: Continuously monitor and audit your data processing activities to identify and mitigate potential privacy risks. Regular audits help ensure compliance with privacy laws and best practices.
  5. Data Privacy Organizations: If you work in the EU and store data in the US, you should seriously consider joining the Data Privacy Framework managed by the US Department of Commerce.

What is a Strong Privacy Program for You?

All market research professionals should ensure they establish and follow information security policies and procedures that align with the current best practices associated with protecting respondent and client data. Constant maintenance and updating are essential to staying current with the evolving legislative landscape. A robust data privacy program builds trust between providers, clients, the organization, and, perhaps most importantly, your participants. By adhering to these best practices and considerations, market researchers can navigate the complex and evolving landscape of data privacy laws more effectively. This not only ensures compliance but also fosters credibility and ultimately leads to more successful and ethical research outcomes.

Don’t have the time or resources to become an expert in Data Privacy Laws? Let Research Results do it for you! Contact Ellen Pieper, Chief Client Officer, at Ellen_Pieper@researchresults.com or 919-368-5819 today.