Governance, Risk Management, Compliance

GDPR: LAWFUL BASIS FOR DATA PROCESSING OF VERBAL MARKET RESEARCH INTERVIEWS

Posted by Rowan Fogarty on Sep 20, 2018 3:39:27 PM

How do you ensure GDPR compliance for telephone interviews conducted for the purpose of market research? If you're a market research company, or indeed conducting market research directly, you'll be keen to ensure that data processing is in line with the EU's General Data Protection Regulation.


Your first port of call is to determine which lawful basis for data processing you will rely on, and it's important to choose wisely. This article looks at the three most appropriate options and concludes with some recommendations as to how you should approach GDPR compliance for verbal/telephone market research interviews.

 


 

GDPR Lawful Basis for Processing

GDPR is not all about consent. Presently, it does look like a lot of organizations are only concentrating on consent or are seeking consent on a “just in case” basis. This may well create problems for some of them at a later stage.

The six GDPR lawful bases are:

  • Compliance with a legal obligation:  For example, employment records, accident reports for health & safety records.
  • Contractual performance: An example of this is the processing of credit card details to perform a payment. In cases where a contract is not yet existent, such as when an individual requests information from a service provider about a particular service via email or social network, the processing of that individual’s personal data is permitted for the purposes of responding to the inquiry.
  • Vital interests usually apply only to life-or-death situations. Such situations can include emergency services receiving a list of residents’ names and ages upon responding to an emergency call.
  • Public interest or acting under official public authority e.g. political parties might be allowed to access a copy of the electoral register.
  • Legitimate interests apply only in situations when the interests, rights or freedoms of the affected data subjects do not override the controller’s interests. Data controllers must conduct a so-called “balancing test”.
  • Data subjects’ consent: Finally, for scenarios not fitting into any of the above categories, data controllers are left with consent.

 

IMPORTANT: You cannot use more than one Lawful Basis for each personal data process. So, you can't opt for consent, but use the contract if you somehow fail to get consent, or vice versa. Don't ask for consent if you have not made the decision that you are going to use it for a particular process.


So which Lawful Basis is the most appropriate for call recording and verbal interviews?

The Lawful Basis of Vital Interest and Public Interest are really for very specific organizations or circumstances, and legal basis would not typically stretch to cover market research interviews. In this instance, you have the option for Contractual Performance, Legitimate Interest or Consent. So, let's look at these options.

 

 

Contractual Performance as a GDPR Lawful Basis

Contractual Performance may be the most suitable. If your company has entered into some form of agreement with these individuals, it seems reasonable that there is a requirement to obtain, store and process market research information to enable the performance of the contract that you have agreed with the participants.

 

 

Legitimate Interest as a GDPR Lawful Basis


However, if your company is not rewarding the participants for their involvement and no “written” version of the contract exists, you may want to argue that “legitimate interest” applies. As a market research company, it's reasonable, if not essential, for you to be able to interact with participants and obtain and process personal data for the purpose of the research.


Be advised, however, that you will need to ensure that the participants have the option to unsubscribe etc., and that you have executed the so-called “balancing test”. You will need to do this for each process, i.e. each research exercise.


To do this you must balance your company's (or your client's, when acting on their behalf) interests against the individual's. The success or failure of this process will relate very much to the nature of the data being secured and processed as a result of the interview. Therefore, the test needs to be conducted and documented for every survey.

 

 

Consent as a GDPR Lawful Basis

The third appropriate option for call recording and verbal market research interviews is consent. This needs to be carefully managed. Some companies choose to record responses to GDPR consent questions at the beginning of an interview, but there are some concerns as to how the Data Protection Commissioner (DPC) will view this.

These are as follows:

 

1. Does consent need to be written?

  • Article 7 of GDPR is quite specific that where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. It doesn’t state it specifically in GDPR, but it would seem that some form of “written declaration” is expected. Such a written declaration must be “presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this regulation shall not be binding.”  The concern is that the DPC could decide an oral declaration is not sufficient. This is more likely to be the case if the data to be recorded is considered “sensitive”.

 

2. Is it “easy” to withdraw consent?

  • Under GDPR, “the data subject shall have the right to withdraw his or her consent at any time”. 

3. Does this process make consent necessary for the performance of the research?

  • Under the GDPR consent must be “freely given”. The GDPR also states that “when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.” The concern in this case is that the DPC might consider that seeking the consent of the participant at the start of the interview might place undue pressure on them to give it, as it is difficult to see how the process could feasibly continue should they not do so. Once again, this is likely to be more prevalent if the data to be recorded is considered “sensitive”.

4. Is consent the appropriate lawful basis for Market Research Interviews?

  • Consent under the GDPR seems to indicate that if the Data Controller and Data Processor cannot give the data subject a genuine choice on how their data is to be used, then perhaps consent is not the appropriate basis for processing. Market research would seem to be just such a case. Either the data subject is in agreement with how their data is going to be used or they are not, and therefore should not take part in the process.


Recommendation


From examining these three options, it appears that using “Contractual Performance” as the GDPR Lawful Basis is preferable. That is, that the capture, storage and processing of the information is essential to carrying out the research. Even if you are not rewarding the participant, there is some form of “contract” between both parties.


You would need to prepare a document to send to the participant before the interview, maintain a record of it and ensure that they have received it (probably orally) before commencing the process.


The document will need to outline much of what is in the “GDPR Statement for phone interviews” below, but would be specific to each market research exercise. It should be stated as fact:

  • Explain that the conversation/interview will be recorded. Outline that this is solely for the purpose of being able to listen back during the analysis phase. This recording will be protected by you through encryption, password and physical security procedures and only your project team will have access to the file.
  • Explain that your company will hold the data collected during the interview and contact details for the duration of the project and that it will be deleted when the project is complete and signed off by the client.
  • Explain that the participant has the following rights in relation to the data collected from them, at any stage:
      • Right to request access
      • Right to request erasure

And if they wish to exercise these rights they can contact your company by email to a specific contact e.g. GDPR@yourcompany.com.


At this stage, you must not ask for consent, but may want to confirm that the participant is content to proceed with the interview, or perhaps they could have the option to withdraw from the interview at that stage.


However, you will then need to confirm that they have read the document and are happy to proceed, at the beginning of the interview.  This could be done verbally and recorded.


The benefits are:

  • You are not relying on Consent as Legal Basis for processing the participant's data.
  • The participant has been advised on the specific purpose of the process, the planned use of their data and the protection measures in place.
  • The participant was provided with the opportunity to withdraw from the process.

Such a document would constitute an agreement and as such the template should be reviewed by your legal team.

 

 
