- Decide whether you want to accept EU users. If you have no establishment in the EU and neither offer goods or services to, nor monitor the behaviour of, people in the EU, GDPR does not apply to you. Otherwise, continue with the list below
- Add GDPR updates to your Terms of Service on your website, contracts, and marketing materials to clarify consent controls for users
- Send emails to your users notifying them of new GDPR updates to your Terms of Service
- Appoint a Data Protection Officer (DPO), either internally or by hiring one externally. A DPO is mandatory if your core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data; otherwise it is optional but still a good idea
- Do a thorough security audit of your data systems, and carry out a Data Protection Impact Assessment (DPIA) for any processing that is likely to put individuals at high risk
- Update internal company policies to ensure "privacy by design"
- Update internal company policies to ensure "privacy by default"
- Add GDPR updates to contracts with vendors that process personal data for you
- Add GDPR updates to contracts with clients that you process personal data for
- Establish an incident response plan in case of a data breach
- Schedule regular drills/tests of the incident response plan
- Double-check with a lawyer that everything is up to standard
Note: for more details on GDPR, see the post on common questions about how GDPR affects market research firms.
Unless you’ve been living under a rock, you’ve probably received a lot of "terms of service changes" emails in your inbox recently. In these emails, companies say they have updated their terms of service and ask you to opt in again to continue receiving marketing materials.
You are getting so many of these emails because the new GDPR regulation came into effect on May 25, 2018.
The clock is ticking. If your company has not started taking action to comply with GDPR, at the very least you should know what your research firm needs to do and what it means for your firm.
The list above shows common, practical to-dos for your firm to act on to avoid penalties under GDPR.
The sections below describe in more detail some of the to-do items in the list above.
1. Decide if you want to accept EU users
If you have no establishment in the EU and neither offer goods or services to, nor monitor the behaviour of, people in the EU, GDPR does not apply to you and you need not worry about complying with it. Where your company is incorporated does not matter; what matters is whether you process data about people in the EU.
Another option is to show a different service/product to your EU customers. Some companies, such as Forbes.com and USA Today, show a separate version of their website to EU visitors with all the tracking programs removed, so that they collect as little personal data from EU visitors as possible. Check what remains before concluding that GDPR does not apply to you: ordinary web-server logs still record IP addresses, which GDPR counts as personal data.
Another possibility is to block EU users/customers from accessing your service/product. It’s a bit extreme, but not uncommon: major US publications such as the LA Times, the Chicago Tribune and the New York Daily News all blocked EU visitors at the time of writing [1].

2. Add GDPR updates to your Terms of Service on your website, contracts, and marketing materials to clarify consent controls for users
At its core, GDPR’s goal is to give consumers more control over their personal data. Specifically, companies under GDPR have to let consumers:
- access their personal data that is being stored by companies
- find out where and for what purpose their personal data is being used
- have "the right to be forgotten"
- that is, to have companies erase their personal data, and to stop third parties from processing their personal data
- withdraw consent easily
- that is, it should be easy for consumers to choose not to have a company record their personal data
- for children under 16 (member states may lower the threshold to 13), a parent or guardian must opt in to data collection on the child’s behalf
Also, GDPR requires companies to communicate their personal-data policies clearly to consumers. Companies cannot use confusing or complex statements, or bundle consent requests for different things together, to get consumers to agree to hand over data.
"If you have a page of different consent, and saying by clicking here you consent to lots of things, that will be wrong. You need to be able to apply that consent individually"
Harry Small, a partner at law firm Baker & McKenzie [2]
As a market research firm, you should add clauses to your Terms of Service and Privacy Policy to:
- clearly communicate that you now offer the new GDPR controls listed above
- request separate consent for each of the ways you collect/process personal data
- simplify your consent forms to reduce confusion for consumers
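The controls in this section (one consent per purpose, withdrawal as easy as granting, no bundling) and the "serve the page without trackers unless the visitor agrees" approach from section 1 come down to a small piece of client-side plumbing. The following is an added example, not code from the original post or from any of the sites named above: a per-purpose consent store in JavaScript that only releases third-party tracker scripts for purposes the user has explicitly granted under the current policy version. The purpose names, script URLs and policy version identifiers are constructed for illustration.

```javascript
"use strict";

// Added example (not from the original post). Purposes, script URLs and the
// policy versions below are constructed for illustration.
//
// Each data-processing purpose is consented to on its own. Nothing is granted
// by default, and "necessary" is not subject to consent at all.
const PURPOSES = Object.freeze({
  necessary: { required: true,  scripts: [] },
  analytics: { required: false, scripts: ["https://analytics.example/tag.js"] },
  marketing: { required: false, scripts: ["https://ads.example/pixel.js"] },
  surveys:   { required: false, scripts: ["https://panel.example/recruit.js"] },
});

class ConsentStore {
  // policyVersion: identifier of the Terms of Service / Privacy Policy the user
  // is consenting to. now(): clock, injectable so the record can be tested.
  constructor(policyVersion, now = () => new Date().toISOString()) {
    this.policyVersion = policyVersion;
    this.now = now;
    this.records = {}; // purpose -> { granted, at, policyVersion }
  }

  // Grant or withdraw exactly ONE purpose. Passing several purposes at once is
  // rejected so that callers cannot build a "click here to agree to everything"
  // flow by accident. hasOwnProperty keeps names like "__proto__" out.
  set(purpose, granted) {
    if (typeof purpose !== "string" || !Object.prototype.hasOwnProperty.call(PURPOSES, purpose)) {
      throw new Error("unknown purpose: " + String(purpose));
    }
    if (PURPOSES[purpose].required) {
      throw new Error(purpose + " is not subject to consent");
    }
    this.records[purpose] = {
      granted: Boolean(granted),
      at: this.now(),
      policyVersion: this.policyVersion,
    };
  }
  grant(purpose) { this.set(purpose, true); }
  withdraw(purpose) { this.set(purpose, false); } // withdrawing is as easy as granting

  // A purpose is allowed only if it was explicitly granted under the CURRENT
  // policy version. Consent recorded under an earlier version does not carry
  // over, which is what forces a fresh consent request after a ToS update.
  allowed(purpose) {
    const def = Object.prototype.hasOwnProperty.call(PURPOSES, purpose) ? PURPOSES[purpose] : null;
    if (!def) return false;
    if (def.required) return true;
    const rec = this.records[purpose];
    return Boolean(rec && rec.granted && rec.policyVersion === this.policyVersion);
  }

  // Third-party scripts the page may load right now.
  scriptsToLoad() {
    return Object.keys(PURPOSES)
      .filter((p) => this.allowed(p))
      .flatMap((p) => PURPOSES[p].scripts);
  }

  // What was consented to, when, and under which policy: the record a
  // controller needs in order to demonstrate that consent was given.
  toJSON() {
    return { policyVersion: this.policyVersion, records: this.records };
  }

  // Restore a saved record (e.g. from localStorage or a first-party cookie).
  // The restored store evaluates the old consents against currentPolicyVersion.
  static fromJSON(saved, currentPolicyVersion, now) {
    const store = new ConsentStore(currentPolicyVersion, now);
    const records = (saved && saved.records) || {};
    for (const purpose of Object.keys(records)) {
      if (Object.prototype.hasOwnProperty.call(PURPOSES, purpose) && !PURPOSES[purpose].required) {
        store.records[purpose] = Object.assign({}, records[purpose]);
      }
    }
    return store;
  }
}

// Inject only the permitted scripts into a document. `doc` is passed in rather
// than using the global `document` so the logic can run outside a browser.
function injectScripts(store, doc) {
  const added = [];
  for (const src of store.scriptsToLoad()) {
    const el = doc.createElement("script");
    el.src = src;
    el.async = true;
    doc.head.appendChild(el);
    added.push(src);
  }
  return added;
}

if (typeof module !== "undefined") {
  module.exports = { PURPOSES, ConsentStore, injectScripts };
}
```

On page load you would restore the saved record with `ConsentStore.fromJSON(saved, CURRENT_POLICY_VERSION)`, call `injectScripts(store, document)`, and show the consent dialog again for any non-required purpose that `allowed()` reports as false. Because `allowed()` compares the recorded policy version with the current one, bumping the version after a Terms of Service update (section 3 below) automatically stops every tracker until the user consents afresh, instead of silently carrying old consent forward.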
3. Send emails to your users notifying them of new GDPR updates to your Terms of Service
After you have updated your Terms of Service as described in the section above, email your users/customers to notify them of the updates and to ask for their consent to the new policies. Pre-ticked boxes, silence, or continued use of the service do not count as consent under GDPR; the user has to take a clear affirmative action.
Let your users/customers know you are committed to handling their personal data with care.
4. Get a Data Protection Officer (DPO)
You can appoint one internally from inside your market research firm, or hire one externally.
If you hire externally, you can hire someone full-time or engage a 3rd-party consultant as a DPO. For more details, see "Data Protection Officer" in the blog post referenced above.
5. Do a thorough security audit and a Data Protection Impact Assessment (DPIA) of your data systems
Create a data-flow map of the current company processes and systems that store or collect personal data: document every place where personal data flows into your company, where it goes within your company, and where it flows back out, such as to vendors and other consumers. This map is also the starting point for a DPIA, which assesses the risk each processing activity poses to the people whose data it is and is required for processing likely to result in a high risk to them.
Do a full security audit of any company process or system that stores or collects personal data, and look for security holes. Consult a 3rd-party security expert if you are not familiar with computer security.
6. Update internal company policies to ensure "privacy by design"
Update company policies so that new processes, new systems, and new product development take GDPR privacy into account.
You should also modify existing processes, systems, and products to comply with GDPR privacy.
This way, GDPR privacy is built-in during the whole life cycle of company processes/systems/products that touch personal data.
7. Update internal company policies to ensure "privacy by default"
For any company system that collects personal data, make sure that by default it collects only the minimum personal data required for each specific purpose, keeps it no longer than needed, and exposes it to as few people as possible; collecting more should require an explicit choice by the user, never be the default.
8. Establish an incident response plan in case of a data breach
One of GDPR’s goals is to ensure companies protect user personal data from misuse and exploitation.
To that end, GDPR requires you to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and to notify the affected individuals without undue delay when the breach is likely to result in a high risk to them. This applies even if the breach happened at a vendor rather than at your research firm; a vendor processing data for you must tell you about a breach without undue delay, and the clock for your own notification starts when you become aware of it.
Data breaches happen. Even the most secure corporations get hacked. Establish an Incident Response Plan for your research firm so that you already know how to respond within the 72-hour window.

The Incident Response Plan should have these action items:
- Notify the affected individuals
- required when the breach is likely to result in a high risk to them, and must happen without undue delay
- must be direct, one-to-one communication (e.g. email); a press release only suffices where contacting each person directly would involve disproportionate effort
- must describe the nature of the breach, its likely consequences and the measures taken, and give the contact details of the Data Protection Officer
- Notify the supervisory authority
- within 72 hours of becoming aware of the breach; if you do not yet have all the facts, report what you know and supply the rest in phases
- find out ahead of time the contact info for the Supervisory Authority responsible for enforcing GDPR for your firm
- Notify your clients
- applies if you process personal data on your clients’ behalf; as their processor you must tell them without undue delay
- find out whom you should call within the client’s company. Is it the procurement department? The accounts department? Their Data Protection Officer?
Also make sure your vendors have an Incident Response Plan. If they are hacked, they should know how to respond to meet GDPR, and whom within your research firm to call; make sure they have that contact info ahead of time.
A GDPR regulator is not going to say you shouldn’t have had a breach. The regulator is going to say: you should have had the procedures and response plans in place to handle a data breach quickly. Customers and clients expect the same.
9. Schedule regular drills/tests of the incident response plan
Conduct regular drills of the Incident Response Plan so that company staff know what to do in case of a data breach and can meet GDPR’s 72-hour notification window.
10. Double-check with a lawyer that everything is up to standard
As always, the information here serves only as a guide. Consult a lawyer for details on how GDPR applies to your firm.
[1] GDPR Fails: https://www.theregister.co.uk/AMP/2018/06/25/gdpr_fails/
[2] GDPR Everything You Need to Know: https://www.cnbc.com/2018/03/30/gdpr-everything-you-need-to-know.html