
January 15, 2020

Last Updated: January 16, 2020

GDPR and User Interviews

What GDPR means to User Interviews customers, and what we're doing to protect your data.

JP Allen

Hey there 👋. Chances are, if you’re here, you want to know more about GDPR. What it is, how it affects your research, and what User Interviews is doing about it. You’ve come to the right place!

What is GDPR? 

GDPR stands for the General Data Protection Regulation. It’s an EU regulation, implemented in May 2018, that helps people better control and understand how their data is used online. Violating GDPR can carry a fine of 4% of your company’s annual revenue, or €20 million, whichever number is larger. GDPR covers everyone in the EU, whether they’re a resident, a tourist, or just have a layover in a European airport, which means it’s important to understand how your business can comply with GDPR, wherever you’re based.

If you’re a researcher and want to understand how the GDPR affects your research practice, check out the User Researcher’s Guide to GDPR. It’s a comprehensive guide to which parts of the regulations you should be aware of and GDPR’s impact on the research world as a whole. 

If you’re a User Interviews customer (or think you might like to be one 😉) who wants to know more about what we’re doing to protect the privacy of your team and the participants you talk to, stay right here. We’ll outline everything we’ve done so far, what we plan to do moving forward, and what it all means for you.


Why does GDPR matter to user researchers?

In short, GDPR matters to researchers because researchers handle a whole lot of personally identifying information (PII) when they are conducting studies. Since the GDPR is all about the protection of PII, user researchers need to be cognizant of how GDPR affects how they process and store information. 

In our User Researcher’s Guide to GDPR, we outlined the four most important things user researchers need to be aware of when it comes to GDPR. In this article, we’ll show you steps you can take in User Interviews to be more privacy-focused, and outline processes we’ve put in place to make privacy protection easier. If you have more questions or want to speak to someone in-depth about this, email sales@userinterviews.com.

1. Gather informed consent for any and all data processing

This is possibly the most important thing user researchers need to be aware of when it comes to GDPR. It’s so important that GDPR dedicated an entire chapter to it. For user researchers, this breaks down into two parts: gathering informed consent, and doing so for any and all data processing.

Gather informed consent…

Informed consent means that the person who you’re collecting data from knows exactly why you need that data, how you will use it, and who will have access to it. With that knowledge, they must then give specific consent for data processing. 

Typically, this manifests for user researchers in the form of consent forms and research panel opt-ins. We’ll go over how you can create these on User Interviews later in this article, and if you want to read up on how researchers can do more to collect informed consent, check out our User Researcher’s Guide to GDPR.

...for any and all data processing.

Data processing, under GDPR, covers a whole lot more ground than you might think. Under GDPR, data processing is more or less any time anyone interacts with personal data. So every time a researcher combs through a list of participants to choose which ones will participate in their study, that’s data processing. Same goes for every time you email a participant, share the list with a teammate, or save a participant's data to a spreadsheet.

If you manage your participants through User Interviews, we keep everything in one place, which means you can keep all your participant data processing activity on our site, and worry less about the security of a multitude of different apps and processes. 

2. Only collect and store the information you need

GDPR has this policy called “data minimization,” which basically means companies should reduce the amount of data they collect. Specifically, they should only collect data that is “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” So if you don’t really need to know the last time they checked Facebook, how many children they have, or their religious beliefs, don’t ask. 

3. Ensure that all user data is being stored and processed securely (including by 3rd-party tools)

Under GDPR, companies that collect data are responsible not only for what happens to that data on their own servers, but also for what happens once that data is distributed to third parties. GDPR distinguishes between these two types of people as “controllers” and “processors.” You can find detailed definitions of these terms at the bottom of this post, but essentially, if your company is a controller for data, you’re responsible for what third parties do with that data. This means you need to properly vet and review any third party that processes data you control.

4. Give users control over their data

A big part of informed consent is allowing users to actively choose to be a part of your data set. This means the days of pre-checked “I have read the privacy policy” boxes and automatic cookies are as good as gone. Now, users need to opt-in to sharing their data with you in the first place, not opt-out after the fact. 

Additionally, users don’t give up control over their data after you’ve collected it. Data subjects have 8 rights, which boil down to this: data subjects have the right to ask you to correct their data, provide them with a copy of it, stop processing it, and even delete it entirely from your database.

If you’re using User Interviews to handle recruiting participants outside of your organization, we’ll handle requests for corrections, copies, processing, and deletion.

How to use User Interviews in your GDPR compliance efforts:

With participants you recruit from our panel 

Don’t sweat it. You can recruit from our panel based on demographics, occupation, or any other criteria, and we’ll handle participant data permissions for you. Since User Interviews is the controller for data on our participants, we’ve already secured permission, and we take care of deletion requests. As long as participant data stays on our platform, we’ll handle the data security bit. 

Note: if you collect additional personal information as part of your research, you are responsible for GDPR compliance in how you handle that information.

With participants you upload or recruit yourself 

In our User Researcher’s Guide to GDPR, we outlined four key principles researchers need to be aware of to comply with GDPR. They are—

  • gather informed consent for any and all data processing
  • only collect and store the information you need
  • ensure that all user data is being stored and processed securely (including by 3rd party tools)
  • give users control over their data

We’ll go over the features we’ve created to help you keep up with these principles and exactly how you can use them within User Interviews. 

1. Gather informed consent for any and all data processing

Informed consent from each participant is paramount to maintaining good participant data processing practices. We’ve created in-app opt-in forms for each new participant you add to your panel, as well as consent forms which require each and every participant that enters your panel to provide their informed consent.

  • Use an opt-in form to grow your panel
    To invite your users to join your research panel without applying to a specific project, create an opt-in form: a persistent, branded page where your users can sign themselves up to join your research pool. To set yours up, head to Participants > Hub Participants, click “Build,” and then “Manage opt-in form.”

Setting up your opt-in form takes just a few clicks


Share a link to your opt-in form to recruit users and get data permission without having to worry about transferring data between User Interviews and other software that might not be as secure or GDPR-conscious.

  • Add a data consent notice
    A data consent notice acts as a heads-up to any users you invite to do research with your company, explaining how you’ll use their data and allowing them to proactively opt in to data collection. It’s a simple, powerful tool to help comply with your GDPR responsibilities.

    Head to My Team > Consent Settings to add your notice. Once you switch it on, it will appear on your opt-in form as well as on the invite pages for any projects with your own users—a single, consistent opt-in experience across all your research.

Customize your data notice


How your notice would appear to a user in your opt-in form



Our CRM automatically keeps track of users’ opt-in form responses, so it’s easy to filter your panel by who’s given you data approval.

2. Only collect and store the information you need

The less data you’re trying to keep track of, the easier it will be to comply with GDPR standards. We’ve created a custom database that allows you to add the fields that are important to your team, and delete the ones that aren’t. To edit or delete custom fields from the Hub Participants view, click Manage > Edit fields.

Delete filters you don't need anymore

3. Ensure that all user data is being stored and processed securely (including by 3rd party tools)

If you’re using User Interviews to store your participant data, you won’t have to worry about data security between tons of different third-party apps. Since it’s all in one place, you can do everything you need to within User Interviews directly. This includes inviting participants to studies and keeping track of their activity. 

All your participant data, in one place.


4. Give users control over their data

Perhaps one of the most difficult things about transferring participant data to another service is what happens when a participant requests access to their data, or for it to be deleted from your database. User Interviews handles data deletion, right to be forgotten, data correction, and data retrieval requests quickly and easily.

  • Easily process data deletion and “right to be forgotten” requests
    To delete info for 1 participant, simply check the box next to their name in the “Hub Participants” view and click “Delete” at the bottom of the window.
    To batch-delete many participants at once, you can upload a list and add a label—something like “to be deleted”—then delete all participants with that label attached by selecting everyone with that tag and deleting them from your database.
    We automatically disassociate any survey data from deleted participants.

Select and delete participants



Upload a “to delete” list to quickly delete multiple participants at once


  • Easily process data correction and data retrieval requests

Need to correct a participant’s data or provide them with the data you have about them? No problem! Simply head to the “Hub Participants” view, search for the participant whose data you need to edit, and edit the field you need to. 


To batch-edit multiple contacts, simply upload a CSV of the folks you want to update, including columns with any new or updated data. A dialog box will appear, allowing you to choose which columns to update in your User Interviews database.

Note: User Interviews matches participants based on their email addresses. If you want to change a participant’s email address, you’ll need to delete them and then re-add them as a new contact. For help with this, you can always email projects@userinterviews.com.

Uploading a list with a new field

What User Interviews has done to protect researcher and participant privacy

We’re committed to data privacy, and to making it easy for our customers to be committed too. Here are some steps we’ve taken to better protect your data and the data of participants who offer their time through our platform.

Policy and procedure upgrades

  • Reviewed our contracts and signed Data Processing Agreements with all of our sub-processors (aka the vendors we use to host our website, deliver our emails, process support tickets, etc.)
  • Created a Data Processing Agreement for our customers (contact us for a copy)
  • Created a comprehensive set of internal information security policies, including procedures for data breaches (contact us for a copy)
  • Built security training into our new hire onboarding and committed to annual security training for all User Interviews employees
  • Committed to annual vulnerability assessments and penetration tests
  • Created internal procedures for responding to data access and data deletion requests
  • Clarified our policies and streamlined our products so you never have to worry about figuring out whether you or User Interviews is the “controller” or “processor” of user data in any given instance.

Product improvements

  • Ensured that all personally identifiable information (PII) is encrypted at-rest and in-flight
  • Implemented role-based access to customer data based on the principle of least privilege. In short, we’ve gotten more sophisticated about who can access customer data and under what circumstances.
  • Updated all consent notices on our site to request explicit consent (opt-in instead of opt-out)
  • Built a Privacy Preference Center that allows visitors to set cookie and privacy preferences. If you visit our website in the EU (or with a VPN gateway in the EU!), you’ll see a small black banner at the bottom of your screen, which will take you to a panel where you can set your preferences.

Our new privacy preference center


We work constantly to stay on top of the latest developments around privacy and GDPR requirements. We’ll update this post as we continue to build and upgrade our products with privacy in mind.

Conclusion

Don’t panic. While the GDPR can seem complicated—and while the privacy landscape continues to evolve—it all boils down to three common-sense principles. Respect your users’ personal information; ask for permission before using that information; and make thoughtful choices about the tools you use to store and transfer data. 

With these features and policies (and more to come!), we’re committed to making it not only possible but simple for you to stay on top of your GDPR commitments while you’re out there searching for user insights 🏞. Want to chat with a real, live human about what User Interviews is doing about GDPR and how we can help make your research process more secure? Schedule a time to chat with our research consultants below, or email sales@userinterviews.com.


Definitions

Many of the terms around GDPR aren’t exactly self-explanatory. We’ve added definitions for terms in this article, so it’s easier to understand the whole picture. 

Opt-in vs. opt-out 

Under GDPR, people must give specific consent for each processing activity. This means a participant can agree to each email opt-in, research database, and observed session separately. This gives people more control over how their data is used and allows them to understand why someone needs access to it. 

This also means companies can no longer pre-select checkboxes; the person whose data is being collected must do that themselves.

PII 

PII stands for personally identifying information. GDPR defines personal data this way—

“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

In practice, this covers lots of different types of data. Of course, there are things like a person’s name, their email address, their physical address, etc. that are protected under “personal data.” But this also covers things like a person’s IP address, their salary, or their employer. 

GDPR also has special rules for what it deems “sensitive information,” which is more heavily protected than other kinds of information. GDPR deems these types of information sensitive—

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data, and biometric data processed for the purpose of uniquely identifying a natural person
  • data concerning health
  • data concerning a natural person’s sex life or sexual orientation

These types of information require their own specific consent, which means you have to double check with each person you collect this type of information from. You have to collect specific consent that says you have the right to access this specific piece of information. 

Data protection officer 

A data protection officer is essentially the person in charge of ensuring your company stays up to date on your data protection practices. Ours is one of our fearless leaders, our CTO Bob! Specifically, their duties include: working towards compliance with all relevant data protection laws, monitoring specific processes, such as data protection impact assessments, increasing employee awareness for data protection and training them accordingly, and collaborating with the supervisory authorities.

Principle of least privilege

This principle makes sure that employees only have access to the bare minimum amount of protected information they need to do their jobs. In practice, that means that if our Content Creator, Carrie, needs to send some emails to researchers, she can access only the information she needs to send the email. Likely, she just needs their email address, which means that’s the information she’ll get access to. 

At-rest and in-flight encryption

Encrypted data needs a secret key to be read; encrypting data is a security measure to keep it safe from being read by 3rd parties. User Interviews keeps all your data encrypted in our database (when it’s “at rest”), as well as when it’s moving over the internet between our servers and your computer (when it’s “in flight”). In other words, even in the unlikely event that someone broke into a User Interviews database or intercepted data en route to you, the contents of that data would be encrypted, keeping attackers from reading them.

Right to be forgotten

This means that a participant has the right to have data erased from your system. This specific article stipulates that data must be erased if it is no longer necessary for the purpose it was collected for, if the subject withdraws their consent, if the data has been unlawfully processed, or if it must be erased due to local regulations. 

In practice, this means that participants can, at any point, ask that you delete their personal data from your system. So that means you’ll need to have a system set up to delete participant data if they request it, and to be able to delete certain parts of the data without compromising others. Luckily, if you’re using User Interviews to recruit participants outside of your organization, we handle deletion requests for you!

JP Allen

Growth Marketer

JP Allen is a Growth Marketer at User Interviews. Obsessed with languages, writing, learning, spreadsheets, and bad puns.
