Note: for a quick 2-minute summary of what you need to do as a market research firm, check out this 5-minute list of todos here.

Chances are, recently you’ve received a lot of "terms of service changes" emails in your inbox. The reason you get so many of these emails recently, is because of the new GDPR regulations that came into effect on May 25, 2018.

The rest of this blog post is divided into sections, each answering a common question about how GDPR affects you as a market research firm:

1. What is GDPR? Why does it exist?
2. Does GDPR apply to my research firm?
3. When does my firm need to be in compliance?
4. What types of personal data does GDPR cover?
5. What is the punishment for not meeting GDPR compliance?
6. Who in my firm will be handle GDPR compliance?
7. What concrete actions should I take to make sure my firm avoids GDPR penalties?
8. What will really happen if my firm does not meet GDPR compliance?

1. What is GDPR? Why does it exist?

GDPR stands for General Data Protection Regulation. It is a regulation in the law of the European Union (EU). The high-level goal of GDPR is to give EU citizens more control over their personal data collected by companies.

The reason why GDPR exists, is because there has been public concern over how companies handle personal data privacy for some time now.

Another reason is that the Data Protection Directive, EU’s previous regulation for protecting personal data, was too outdated. The Directive went into effect in 1995, before the internet became the online hub it is today (Mark Zuckerberg first had the idea for Facebook 8 years later, in 2003). The EU came up with GDPR to replace the Directive, to protect EU citizens in the modern digital economy.

2. Does GDPR apply to my market research firm?

GDPR applies to any organizations that operate:

• within the EU, or
• outside the EU, but offer goods/services to people/organizations in the EU

GDPR affects businesses of all sizes, from small boutique firms all the way to huge multinational corporations.

If your market research firm meets these requirements, then GDPR applies to your firm.

3. When does my research firm need to be in compliance?

GDPR officially came into effect on May 25, 2018.

If GDPR applies to your market research firm, your firm should be in compliance on or after that date.

4. What types of personal data does the GDPR cover?

GDPR covers personally identifiable information that can linked back to individuals:

• Basic identity info such as name, address and ID numbers
• Web data such as IP address, cookie, location
• Genetic data
• Biometric data
• Health data
• Racial or ethnic data
• Political opinions
• Sexual orientation

5. What is the punishment for not meeting GDPR compliance?

Unlike previous regulations for personal data privacy, the GDPR was designed to have regulatory teeth. The punishment for non-compliance is stated very clearly, making it very easy to enforce on rule-breakers. The penalty is:

• 4% of annual global turnover, or
• 20 million euros ($24.6 million)

Note that whichever is bigger, will be the one applied. So if 4% of annual global turnover is less than 20 million euros, then the punishment is 20 million euros.

6. Who in my research firm will be handle GDPR compliance?

The DPO (Data Protection Officer) is the person in your market research firm who you would go to for questions about GDPR. The DPO is responsible for ensuring the market research firm complies with GDPR.

GDPR calls for the mandatory appointment of a DPO for any organization that processes or stores large amounts of personal data. Even if your firm does not process large amounts of personal data, it is a good idea to either appoint someone internally as the DPO, or hire externally for a DPO.



Note that GDPR allows market research companies to hire a 3rd-party consultant as a DPO. In fact, consultant DPOs are allowed to work for multiple organizations, as there is less conflicts of interest.

You would also need to know if your firm is a "Data Controller" or a "Data Processor", or both, under GDPR.

A Data Controller is:

• typically a firm that collects personal data
• potentially outsources processing of personal data to Data Processors
• sometimes referred to as a "Data Owner"
• determines why personal data needs to be processed
• determines how personal data will be processed
• ensures outside contractors comply with GDPR

A Data Processor is:

• the firm processing personal data on behalf of controller
• either an internal staff, or outsourced consultant

7. What concrete actions should I take to make sure my firm avoids GDPR penalties?

Note: for details on each of to-do item, check out this blog post here.

1. Decide if you want to accept EU users. If none of your users are in the EU, GDPR does not apply to you. Otherwise, continue with the list below
2. Add GDPR updates to your Terms of Service on your website, contracts, and marketing materials to clarify consent controls for users. For details, check out the blog post here
3. Send emails to your users notifying them of new GDPR updates to your Terms of Service. For details, check out the blog post here
4. Get a Data Protection Officer DPO. Hire one externally, or appoint one internally
5. Do a thorough audit, or Data Protection Impact Assessment (DPIA), of your data system for security holes
6. Update internal company policies to ensure "privacy by design". For details, check out the blog post here
7. Update internal company policies to ensure "privacy by default". For details, check out the blog post here
8. Add GDPR updates to contracts with vendors that processes personal data for you
9. Add GDPR updates to contracts with clients that you process personal data for
10. Establish an incident response plan in case of a data breach
11. Schedule regular drills/tests of the incident response plan
12. Double check with a lawyer to quickly check everything is up to standards

8. What will really happen if my firm does not fully comply with GDPR?

Even though the EU gave GDPR enforcers "real teeth" by adding clear penalties that are extremely easy to enforce, for now you might not need to lose sleep.

For now, regulators are not aiming to "stick it" to organizations that don't have every control for every article in place yet. Instead, most regulators are looking to investigate the bad apples, companies that consistently show outright abuse of users’ personal data, such as the recent scandal around Cambridge Analytica.

For now, if your market research firm can show a good-faith effort to comply with GDPR, it should go a long way to protect your research firm from penalties. At a recent conference, Elizabeth Denham, the UK Information Commissioner (the ICO office is responsible for upholding GDPR), mentioned this in a speech about GDPR fines:

"…I hope by now you know that enforcement is a last resort. I have no intention of changing the ICO’s (Information Commission Office’s) proportionate and pragmatic approach after 25th of May. Hefty fines will be reserved for those organizations that persistently, deliberately or negligently flout the law. Those organizations that self-report, engage with us to resolve issues, and demonstrate an effective accountability arrangement can expect this to be a factor when we consider any regulatory action." ^[1]

Also, even if your research firm is investigated and found to be breaching GDPR, the ICO will likely give you warnings before giving you a fine. Elizabeth Denham mentioned this in her speech:

"Because I’ve always preferred the carrot to the stick. I don’t want to punish organisations for breaching the law. I want to help stop that happening in the first place."

"Compulsory data protection audits, warnings, reprimands, and enforcement notices are all important enforcement tools. The ICO can even stop an organisation processing data.

None of these will require an organisation to write a cheque to the Treasury, but they will have a significant impact on their reputation and, ultimately, their bottom line."

The clock is taking. We recommend that you at least try to comply with GDPR as much as possible, as soon as possible, because it would be good for business and your research firm.

Michelle Dennedy, Chief Privacy Officer of Cisco, states it clearly:

"A good will effort [to comply] is worth a lot. ... You're definitely going to help limit your risk [of punitive action], and more importantly you're going to go a long way with your customers"^[2]

As always, the information here serves only as a guide. Consult a lawyer for details on how GDPR applies to your firm.


[1] Data Protection Conference: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/04/data-protection-practitioners-conference-2018-ed/
[2] GDPR Who Will Enforces Focus on First: https://www.darkreading.com/risk/compliance/gdpr-oddsmakers-who-where-when-will-enforcement-hit-first-/d/d-id/1331898