Don't panic. GDPR may seem huge, but we've boiled it down to the 4 most important things for UXRs and a guide to how it affects your research.
In short, GDPR is an EU regulation that empowers consumers to understand and control how their data is used. It was implemented on May 28, 2018, and violating GDPR can carry a fine of 4% of your company's annual revenue, or €20 million, whichever number is larger. Since the internet doesn’t quite adhere to traditional land boundaries, and GDPR covers all personal information collected from people on EU soil, it has had a sweeping impact on many businesses, even outside of the EU.
Researchers typically use lots of Personally Identifying Information (or PII) to recruit participants, ensure they’re contacting the right people for research, and gather additional context for research sessions. Since PII is pretty much the main thing GDPR protects, it’s important for user researchers to take steps to collect information properly, allow participants to give informed consent, and set up processes for data processing when research is finished.
Even if you don’t live or work in the EU (which still includes the UK! 👀), chances are you’ll work with participants that do. Since GDPR covers everyone on EU soil, even tourists, it’s better to cover your bases than risk the fine.
Plus, many of the rules laid out by GDPR are beginning to be widely accepted as ethical practices for processing personal data. Even if you’re not worried about GDPR compliance, many of the rules of GDPR can be implemented to create a better and more ethical research practice, and who doesn’t want that? It’s also only a matter of time until other countries start adopting GDPR-like regulations, so it’s good to get ahead of the curve and start thinking about how you can better protect customer data today.
Great question! GDPR has a wide range of what’s considered personally identifiable information. Here’s their definition: “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
That’s broad, and it includes things like a data subject’s hair color, so it’s probably safe to assume that any and all personal information you collect about your participant during the course of research falls under the GDPR umbrella.
Since GDPR is a huge regulation with many different articles, we narrowed it down to the four things that matter most to user researchers, then outlined how those things affect each stage of the research process. We’ll start by going over each of those four things in spirit, then, in the next section, we’ll dive into how those things affect the research process in practice.
Informed consent is so important to GDPR that one of its 11 chapters is dedicated entirely to it. Chapter 2, Principles, covers how personal data should be processed, what that means for companies, and the conditions necessary to gain informed consent from data subjects. We broke this down into two main pieces: data processing and opt-ins. We also cover informed consent in more detail later in this guide, so you won’t miss a thing.
Think data processing only matters for data you collect when the study is all said and done? Think again. Data processing happens before you even talk to a participant. Here’s how GDPR defines both personal data and processing:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Basically, personal data is any data about a person that you could use to identify them, and processing is any activity that involves something or someone looking at that data. So combing through potential participants before choosing the ones you’d like to speak to for a study is data processing. So is putting all that data in an Excel sheet, sharing it with one of your colleagues, or inviting a participant to a study.
This means it’s important to keep the GDPR in mind for every step of your research process. If you’re using User Interviews, all of your participant data for participants you recruit through our platform will remain securely within User Interviews throughout the research process.
If you’re recruiting on your own, you’ll need to consider each step of your research process and how it complies with GDPR. Your company’s data protection officer can help you understand how your company’s practices comply with GDPR, and what can be improved.
For researchers, this typically manifests in a consent form that is sent along with the recruitment screener. The consent form walks users through what data the researcher wants to collect, and how, where, and why that data will be used. The participant must read the consent form, manually check the “I agree” boxes themselves, and provide a signature to confirm that they have consented to data processing. If you’re managing your research panel through User Interviews, you can add in your own consent form for any participants that opt-in to your panel.
Since personal information is so heavily protected by GDPR, and certain areas of information are even more heavily protected, chat with your team about what information you really need, and what information you’re collecting just because.
Article 5 of GDPR stipulates that personal data shall be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).” Basically, this means companies should only collect what they need to know, and minimize the collection of unnecessary information.
Under GDPR, your business is responsible not only for data it collects and maintains, but also for passing that data to a third party. GDPR separates these two into “controllers” and “processors.” Here are the definitions from Article 4:
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Basically, if you’re Tiles R Us, and you collect personal information about your customers when they complete orders with you, you’re a controller. If you then send out a tile-themed newsletter through EmailMonkey, EmailMonkey is a processor of the data you collected.
Under GDPR, EmailMonkey processes data on the behalf of Tiles R Us. Therefore, Tiles R Us is still responsible for ensuring that EmailMonkey’s processes are GDPR compliant.
Understanding your company’s role in the processing of personal data is important, and vetting third parties you work with is vital to maintaining GDPR compliance. GDPR requires companies to think critically about which data needs to be passed to third parties, when it needs to be transferred, and how that personal data is being used. Be cognizant of which third-party tools you need to be using, their data privacy policies, and which tools you could do without.
One of GDPR’s main goals is to give people more control over how, where, and why their data is used. To ensure that people have rights over their data, GDPR laid out 8 rights of the data subject. Here they are, paraphrased and written in plain language by Adam Geitgey:
These rights mean that many companies have to change the way they think about using personal data from customers. For example, under GDPR, companies must ask for explicit consent to add someone to a direct marketing email list. Companies also have to be up front about what data they are collecting and why, and how long they plan on storing and using personal data. They must also respond swiftly to requests to stop using or delete personal data.
For user researchers, the rights may have the biggest impact on the way researchers gain consent for research sessions. Under GDPR, data subjects must give informed consent in order for a company to use their data. They can also withdraw their information at any time, even if it’s during a research session. We’ll dive into informed consent more later in this article.
By the way, if you’re a User Interviews customer, you can gain consent for your research right when users sign up for your research panel. Just add a data consent notice to your opt-in form in My Team > Consent Settings.
Some of these rights have been covered by other sections, but we feel it’s important to highlight the data subject’s right to request any information you have about them, to ask you to correct any of that data, to stop processing that data at any time, and to delete their data from your system.
Together, these rights ensure that companies keep their data well organized, have a good way to access it, and can edit and delete it in a timely manner. Though that sounds easy enough, in practice it can be messy. Say you keep all your participant data in a protected Excel sheet, but for each study you create a separate sheet to keep track of who you’ve invited to the study and who has participated. If a participant requests that you delete or correct their data, you must do it across all the Excel sheets. Similarly, if a participant requests that you share the data you’ve collected about them, you’ll need to search through all your sheets and share everything.
Moral of the story? The more you can consolidate the number of places your participant data lives, the easier it will be to control and maintain that data in compliance with GDPR.
Since this guide is about how GDPR affects user researchers and their work, we’ll go through each step of the research process, and talk about how GDPR influences those steps. We’ll cover how the 4 most important principles about user research apply to your real life research.
The first step in the research process majorly affected by GDPR is participant recruitment. During recruitment, you’ll need potential participants to provide informed consent, which means they have been informed of exactly how their data will be used and have freely given their consent.
To give you a little preview, here’s a flowchart of what you’ll need to be on the lookout for at each stage of the research process.
Informed consent is a big one for GDPR. It means that the person whose data you’re collecting knows exactly why you need the data, what you’ll use it for, and who will have access to it. Here’s an excerpt from Gov.UK’s User Research Service Manual on what informed consent is:
For consent to be informed, participants must understand:
You must also let participants know:
You must also tell participants how you’ll handle their personal data, including:
This may seem like a lot of information to tell participants before they even agree to take part in your study, but in practice, it doesn’t have to be that complicated. Here’s an example from Dr. David Travis at UserFocus of what an informed consent form could look like:
This form hits all the points that Gov.UK outlined, without being unwieldy, long, and difficult to understand. It’s easy for the participant to read quickly, choose what consent they want to give, and move on with what they’re doing.
Consent must be “freely given” by the participant. This means they agree to participate without pressure, with full understanding of how their data will be used and the option to withhold consent for certain activities while granting it for others. From GDPR Recital 32:
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
If you have a User Interviews account, you can add your own consent form and your own opt-in, so you can gain consent from participants who opt in to your research panel on our platform. The opt-in happens when you invite participants to join your panel on User Interviews. We recommend writing 1-2 sentences that tell people how their data will be used. This way, you’ve gained proper consent before their data becomes a part of your panel on User Interviews.
GDPR has specific requirements for informed consent for vulnerable populations, like children. Per GDPR, if you’re offering services directly to children, you can obtain their consent directly, as long as they’re above the age of consent. Though GDPR lays out the age of consent as 16, different countries within the EU have different rules about the age of consent. These ages range from 13 to 16, and must be followed for each country.
Certain information is deemed especially sensitive by GDPR, and needs extra care in terms of collecting and processing. This means you have to obtain specific consent to talk about and store data on these topics, and/or have a legitimate reason to need this information. Here are the topics GDPR deems sensitive:
Though some of these topics may seem like a part of a fairly simple demographic profile of a person, they can be grossly misused in the wrong hands. That’s why GDPR seeks to protect these sets of data, requiring specific consent from the person you are collecting data from for each sensitive topic. There are exceptions, like when doctors need access to health information, or historians are conducting archival research. You can read the full list of exceptions in Article 9 of GDPR.
As with any information you collect during the course of research, ask yourself and your team why you need sensitive information from your participants. If you’re just collecting data to collect data, it becomes much harder to keep track of everything, ensure it’s properly stored, and erase it if/when a participant asks.
NDAs are not included in informed consent or GDPR, but since they’re a pretty common part of many user researchers’ stack o’ forms, we thought we’d mention them. NDA stands for Non-Disclosure Agreement, and they basically stipulate that a participant can’t talk about private information disclosed during the session, though they can be written many different ways.
It may be tempting to combine your consent forms, your NDAs, and whatever other forms you usually use into one giant mega-form to make things easier on you and the participant. Don’t confuse your NDA or any other form you use with a consent form! Consent forms, per GDPR, must use plain language and gain consent freely from your participants. They require language that’s much simpler than the legalese your NDA likely uses, and presenting them separately helps to ensure you’re properly gaining informed consent.
Now that you’ve recruited your participants and gained their informed consent, it’s time to actually do your research!
Per Article 21 of GDPR, all data subjects have the right to object to data processing. This means that at any point during the research process, a subject can object to having their data used, withdraw from the study, and demand that their data is erased from your records.
In the most extreme case, this means that a participant can object in the middle of a research session. If you broach grounds they are uncomfortable with, or even if they simply don’t want to participate any more, they can withdraw from the study and ask you to delete all of their data then and there. Now, the likelihood of this happening is pretty low, but it’s a situation you should know about and be prepared for.
As a part of informed consent, you need to tell your participants if their session will be recorded, who will watch it, and if anyone will observe in real time. Not only does this help the participant prepare for the session properly, it helps you set up your expectations for research from the moment you recruit participants.
This is where most of the hard GDPR work is done. Much of GDPR covers how information is stored, what you can do with it, and how to allow data subjects to access and delete their data from your database. GDPR even has an entire section devoted to the rights of the data subject, which is most of what we talk about in this section.
This is so important that GDPR has two Articles about it. One is Article 17, which is the right of erasure, the other is Article 21, which is the right to object. These articles say that data subjects have the right to object to the processing of their data and demand that it is erased “without undue delay.” There are, of course, some stipulations and special circumstances, which are outlined in Article 17, but for the most part, researchers and their teams should be prepared to delete participant data if they request it.
Article 15 of GDPR allows data subjects the right of access, which means that a participant has the right to access any data you have stored about them and ask questions about how that data is being used. This includes how long you plan on storing the data, which third parties have access to their data, and what you plan on doing with their data.
This particular part of GDPR is highly beneficial for both data subjects and data controllers. In Article 16 of GDPR, a data subject is granted the right to rectification. This means that if you have the wrong information about a data subject, they can tell you, and you have to correct it. Win win, right?
GDPR has several sections on the topic of data security, e.g. Art. 25 “Data Protection by design and by default,” Art. 32 “Security of processing,” and Art. 46 “Transfers subject to appropriate safeguards.” To paraphrase: Use precautions and safeguards that are appropriate relative to the sensitivity of the personal data that you’re processing.
So… those Excel spreadsheets on your desktop with the names, email addresses, job titles, and credit scores of all your research participants? You can probably do better. If you’re unsure whether your research data is being stored securely, consider consulting a data protection expert, who can help you get on track. We also offer participant management on User Interviews that keeps all your participant data in one place!
First off, we are not lawyers, we are a remote startup team who cares very much about your success. So everything we talked about in this guide is just that, a guide. If you want to ensure GDPR compliance—a spectrum, not a binary thing by the way—you’ll need to set aside some time with your lawyers and/or a data protection expert.
In short, GDPR encourages companies to think more critically about what personal data they collect, how they use it, why they need it, and how they store and maintain it. It also gives people more control over how companies use their personal data, and offers them the ability to hold companies accountable for processing data correctly.
For user researchers, this means gathering informed consent for any and all data processing, only collecting and storing the information you need, ensuring that all data is being processed securely, and giving users control over their data.
If this all sounds like a whole lot to process, that’s because it is! We’ve made our piece of the process easier and more secure; here’s what we’ve done to get right with GDPR. If you’d like to hand off a little bit of the GDPR headache, here are three free participants for your first project with us! Or, if you’d like to chat with a real, live human about privacy and data security at User Interviews, book a time to chat with us below. 👇
Here are some sources that helped us build this article, and can help you learn more about GDPR and how it affects your workflow.
UserFocus’ “Anatomy of a Consent Form” by Dr. David Travis
Understand GDPR in 10 minutes by Adam Geitgey
Carrie Boyd is a UXR content wiz, formerly at User Interviews. She loves writing, traveling, and learning new things. You can typically find her hunched over her computer with a cup of coffee the size of her face.