Join over 150k subscribers to get the latest articles, podcast episodes, and data-packed reports—in your inbox, every week.
Join over 150k subscribers to get the latest articles, podcast episodes, and data-packed reports—in your inbox, every week.
UX Research Topics
SUBSCRIBE TO OUR NEWSLETTER
October 19, 2021
What GDPR means to User Interviews customers, and what we're doing to protect your data.
Hey there 👋. Chances are, if you’re here, you want to know more about GDPR. What it is, how it affects your research, and what User Interviews is doing about it. You’ve come to the right place!
GDPR stands for the General Data Protection Regulation. It’s an EU regulation, implemented in May 2018, that helps people better control and understand how their data is used online. Violating GDPR can carry a fine of 4% of your company’s annual revenue, or €20 million, whichever number is larger. GDPR covers everyone in the EU, whether they’re a resident, a tourist, or just have a layover in a European airport, which means it’s important to understand how your business can comply with GDPR, wherever you’re based.
If you’re a researcher and want to understand how the GDPR affects your research practice, check out the User Researcher’s Guide to GDPR. It’s a comprehensive guide to which parts of the regulations you should be aware of and GDPR’s impact on the research world as a whole.
If you’re a User Interviews customer (or think you might like to be one 😉) who wants to know more about what we’re doing to protect the privacy of your team and the participants you talk to, stay right here. We’ll outline everything we’ve done so far, what we plan to do moving forward, and what it all means for you.
In short, GDPR matters to researchers because researchers handle a whole lot of personally identifying information (PII) when they are conducting studies. Since the GDPR is all about the protection of PII, user researchers need to be cognizant of how GDPR affects how they process and store information.
In our User Researcher’s Guide to GDPR, we outlined the four most important things user researchers need to be aware of when it comes to GDPR. In this article, we’ll show you steps you can take in User Interviews to be more privacy-focused, and outline processes we’ve put in place to make privacy protection easier. If you have more questions or want to speak to someone in-depth about this, email firstname.lastname@example.org.
This is possibly the most important things user researchers need to be aware of when it comes to GDPR. It’s so important that GDPR dedicated an entire chapter to it. For user researchers, this breaks down into two sections, gathering informed consent/for any and all data processing.
Informed consent means that the person who you’re collecting data from knows exactly why you need that data, how you will use it, and who will have access to it. With that knowledge, they must then give specific consent for data processing.
Typically, this manifests for user researchers in the form of consent forms and research panel opt-ins. We’ll go over how you can create these on User Interviews later in this article, and if you want to read up on how researchers can do more to collect informed consent, check out our User Researcher’s Guide to GDPR.
Data processing, under GDPR, covers a whole lot more ground than you might think. Under GDPR, data processing is more or less any time anyone interacts with personal data. So every time a researcher combs through a list of participants to choose which ones will participate in their study, that’s data processing. Same goes for every time you email a participant, sharing the list with a teammate, or saving a participant's data to a spreadsheet.
If you manage your participants through User Interviews, we keep everything in one place, which means you can keep all your participant data processing activity on our site, and worry less about the security of a multitude of different apps and processes.
GDPR has this policy called “data minimization,” which basically means companies should reduce the amount of data they collect. Specifically, they should only collect data that is “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” So if you don’t really need to know the last time they checked Facebook, how many children they have, or their religious beliefs, don’t ask.
Under GDPR, companies that collect data are not only responsible for what happens to that data on their own servers, but what happens once that data is distributed to third parties. GDPR distinguishes between these two types of people as “controllers” and “processors.” You can find detailed definitions of these terms at the bottom of this post, but essentially, if your company is a controller for data, you’re responsible for what third parties do with that data. This means you need to properly vet and review third party that processes data you control.
Additionally, users don’t give up control over their data after you’ve collected it. Data subjects have 8 rights, which boil down to say that data subjects have the right to ask you to correct their data, provide them with a copy of it, stop processing it, and even delete it entirely from your database.
If you’re using User Interviews to handle your recruiting participants outside of your organization, we’ll handle requests for corrections, copies, processing, and deletion.
Don’t sweat it. You can recruit from our panel based on demographics, occupation, or any other criteria, and we’ll handle participant data permissions for you. Since User Interviews is the controller for data on our participants, we’ve already secured permission, and we take care of deletion requests. As long as participant data stays on our platform, we’ll handle the data security bit.
Note: if you collect additional personal information as part of your research, you are responsible for GDPR compliance in how you handle that information.
In our User Researcher’s Guide to GDPR, we outlined four key principles researcher’s need to be aware of to comply with GDPR. They are—
We’ll go over the features we’ve created to help you keep up with these principles and exactly how you can use them within User Interviews.
Informed consent from each participant is paramount to maintaining good participant data processing practices. We’ve created in-app opt-in forms for each new participant you add to your panel, as well as consent forms which require each and every participant that enters your panel to provide their informed consent.
Share a link to your opt-in form to recruit users and get data permission without having to worry about transferring data between User Interviews and other software that might not be as secure or GDPR-conscious.
Our CRM automatically keeps track of users’ opt-in form responses, so it’s easy to filter your panel by who’s given you data approval.
The less data you’re trying to keep track of, the easier it will be to comply with GDPR standards. We’ve created a custom database that allows you to add the fields that are important to your team, and delete the ones that aren’t. To edit or delete custom fields from the Hub Participants view, click Manage > Edit fields.
If you’re using User Interviews to store your participant data, you won’t have to worry about data security between tons of different third-party apps. Since it’s all in one place, you can do everything you need to within User Interviews directly. This includes inviting participants to studies and keeping track of their activity.
Perhaps one of the most difficult things about transferring participant data to another service is what happens when a participant requests access to their data, or for it to be deleted from your database. User Interviews handles data deletion, right to be forgotten, data correction, and data retrieval requests quickly and easily.
Need to correct a participant’s data or provide them with the data you have about them? No problem! Simply head to the “Hub Participants” view, search for the participant whose data you need to edit, and edit the field you need to.
To batch-edit multiple contacts, simply upload a CSV of the folks you want to update, including columns with any new or updated data. A dialog box will appear, allowing you to choose which columns to update in your User Interviews database.
Note: User Interviews matches participants based on their email addresses. If you want to change a participant’s email address, you’ll need to delete them and then re-add them as a new contact. For help with this, you can always email email@example.com
We’re committed to data privacy, and to making it easy for our customers to be committed too. Here are some steps we’ve taken to better protect your data and the data of participants who offer their time through our platform.
We work constantly to stay on top of the latest developments around privacy and GDPR requirements. We’ll update this post as we continue to build and upgrade our products with privacy in mind.
Don’t panic. While the GDPR can seem complicated—and while the privacy landscape continues to evolve—it all boils down to three common-sense principles. Respect your users’ personal information; ask for permission before using that information; and make thoughtful choices about the tools you use to store and transfer data.
With these features and policies (and more to come!), we’re committed to making it not only possible but simple for you to stay on top of your GDPR commitments while you’re out there searching for user insights 🏞. Want to chat with a real, live human about what User Interviews is doing about GDPR and how we can help make your research process more secure? Schedule a time to chat with our research consultants!
Many of the terms around GDPR aren’t exactly self-explanatory. We’ve added definitions for terms in this article, so it’s easier to understand the whole picture.
Under GDPR, people must give specific consent for each processing activity. This means a participant can agree to each email opt-in, research database, and observed session separately. This gives people more control over how their data is used and allows them to understand why someone needs access to it.
This also means companies can no longer pre-select checkboxes, the person whose data is being collected must do that themselves.
PII stands for personally identifying information. GDPR defines personal data this way—
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
In practice, this covers lots of different types of data. Of course, there are things like a person’s name, their email address, their physical address, etc. that are protected under “personal data.” But this also covers things like a person’s IP address, their salary, or their employer.
GDPR also has special rules for what it deems “sensitive information,” which is more heavily protected than other kinds of information. GDPR deems these types of information sensitive—
These types of information require their own specific consent, which means you have to double check with each person you collect this type of information from. You have to collect specific consent that says you have the right to access this specific piece of information.
A data protection officer is esentially the person in charge of ensuring your company stays up to date on your data protection practices. Ours is one of our fearless leaders, our CTO Bob! Specifically, their duties include: working towards compliance with all relevant data protection laws, monitoring specific processes, such as data protection impact assessments, increasing employee awareness for data protection and training them accordingly, and collaborating with the supervisory authorities.
This principle makes sure that employees only have access to the bare minimum amount of protected information they need to do their jobs. In practice, that means that if our Content Creator, Carrie, needs to send some emails to researchers, she can access only the information she needs to send the email. Likely, she just needs their email address, which means that’s the information she’ll get access to.
Encrypted data needs a secret key to be read; encrypting data is a security measure to keep it safe from being read by 3rd parties. User Interviews keeps all your data encrypted in our database (when it’s “at rest”), as well as when it’s moving over the internet between our servers and your computer (when it’s “in flight”). In other words, even in the unlikely event that someone broke into a User Interviews database or intercepted data en route to you, the contents of that data would be encrypted, keeping attackers from reading them.
This means that a participant has the right to have data erased from your system. This specific article stipulates that data must be erased if it is no longer necessary for the purpose it was collected for, if the subject withdraws their consent, if the data has been unlawfully processed, or if it must be erased due to local regulations.
In practice, this means that participants can, at any point, ask that you delete their personal data from your system. So that means you’ll need to have a system set up to delete participant data if they request it, and to be able to delete certain parts of the data without compromising others. Luckily, if you’re using User Interviews to recruit participants outside of your organization, we handle deletion requests for you!
JP Allen is a Growth Marketer at User Interviews. Obsessed with languages, writing, learning, spreadsheets, and bad puns.