How do you ensure GDPR compliance for telephone interviews conducted for the purpose of market research? If you’re a market research company, or indeed conducting market research directly, you’ll be keen to ensure that data processing is in line with the EU’s General Data Protection Regulation.
Your first port of call is to determine which lawful basis for data processing you will rely on, and it’s important to choose wisely. This article looks at the three most appropriate options and concludes, with some recommendations, as to how you should approach GDPR compliance for verbal/telephone market research interviews.
GDPR Lawful Basis for Processing
GDPR is not all about consent. Presently, it does look like a lot of organizations are only concentrating on consent or are seeking consent on a “just in case” basis. This may well create problems, for some of them, at a later stage.
The 6 GDPR Lawful basis are:
- Compliance with a legal obligation: For example, employment records, accident reports for health & safety records.
- Contractual performance: An example of this is the processing of credit card details to perform a payment. In cases where a contract is not yet existent, such as when an individual requests information from a service provider about a particular service via email or social network, the processing of that individual’s personal data is permitted for the purposes of responding to the inquiry.
- Vital interests usually apply only to life-or-death situations. Such situations can include emergency services receiving a list of residents’ names and ages upon responding to an emergency call.
- Public interest or acting under official public authority e.g. political parties might be allowed to access a copy of the electoral register.
- Legitimate interests apply only in situations when the interests, rights or freedoms of the affected data subjects do not override the controller’s interests. Data controllers must conduct a so-called “balancing test”.
- Data subjects’ consent: Finally, for scenarios not fitting into any of the above categories, data controllers are left with consent
IMPORTANT: You cannot use more than one Lawful Basis for each personal data process. So, you can’t opt for consent, but use the contract if you somehow fail to get consent or vice versa. Don’t ask for consent if you have not made the decision that you are going to use it for a particular process.
So which Lawful Basis is the most appropriate for call recording and verbal interview?
The Lawful Basis of Vital Interest and Public Interest are really for very specific organizations or circumstances, and legal basis would not typically stretch to cover market research interviews. In this instance you have the option for Contractual Performance, Legitimate Interest or Consent. So, let’s look at these options.
Contractual Performance as a GDPR Lawful Basis
Contractual Performance may be the most suitable. If your company has entered into some form of agreement with these individuals, it seems reasonable that there is a requirement to obtain, store and process market research information to enable the performance of the contract that you have agreed with the participants.
Legitimate Interest as A GDPR Lawful Basis
However, if your company is not rewarding the participants for their involvement and no “written” version of the contract exists, you may want to argue that “legitimate interest” applies. As a market research company, it’s reasonable, if not essential, for you to be able to interact with participants and obtain and process personal data for the purpose of the research.
Be advised, however, that you will need to ensure that the participants have the option to unsubscribe etc., and that you have executed the so called “balancing test”. You will need to do this for each process i.e. each research exercise.
To do this you must balance your company’s (or your clients, when acting on their behalf) interests against the individuals. The success or failure of this process will relate very much to the nature of the data being secured and processed as a result of the interview. Therefore, the test needs to be conducted and documented for every survey.
Consent as a GDPR Lawful Basis
The third appropriate option for call recording and verbal market research interviews is consent. This needs to be carefully managed. Some companies choose to record responses to GDPR consent questions at the beginning of an interview, but there are some concerns as to how the Data Protection Commissioner (DPC) will view this.
These are as follows:
1. Does consent need to be written?
- Article 7 of GDPR is quite specific that where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. It doesn’t state it specifically in GDPR, but it would seem that some form of “written declaration” is expected. Such a written declaration must be “presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this regulation shall not be binding.” The concern is that the DPC could decide an oral declaration is not sufficient. This is more likely to be the case if the data to be recorded is considered “sensitive”.
2. Is it “easy” to withdraw consent?
- Under GDPR, “the data subject shall have the right to withdraw his or her consent at any time”.
3. Does this process make consent necessary for the performance of the research?
- Under the GDPR consent must be “freely given”. The GDPR also states that “when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.” The concern in this case is that the DPC might consider that seeking the consent of the participant at the start of the interview might place undue pressure on them to give it, as it is difficult to see how the process could feasibly continue should they not do so. Once again, this is likely to be more prevalent if the data to be recorded is considered “sensitive”.
4. Is consent the appropriate lawful basis for Market Research Interviews?
- Consent under the GDPR seems to indicate that if the Data Controller and Data Processor cannot give the data subject a genuine choice on how their data is to be used, then perhaps consent is not the appropriate basis for processing. Market research would seem to be just such a case. Either the data subject is in agreement with how their data is going to be used or they are not, and therefore should not take part in the process.
From examining these three options, it appears that using “Contractual Performance” as the GDPR Lawful Basis is preferable. That is, that the capture, storage and processing of the information is essential to carrying out the research. Even if you are not rewarding the participant, there is some form of “contract” between both parties.
You would need to prepare a document to send to the participant before the interview, maintain a record of it and ensure that they have received it (probably orally) before commencing the process.
The document will need to outline much of what is in the “GDPR Statement for phone interviews” below, but would be specific to each market research exercise. It should be stated as fact;
- Explain that the conversation/interview will be recorded. Outline that this is solely for the purpose of being able to listen back during the analysis phase. This recording will be protected by you through encryption, password and physical security procedures and only your project team will have access to the file.
- Explain that your company will hold the data collected during the interview and contact details for the duration of the project and that it will be deleted when the project is complete and signed off by the client.
- Explain that the participant has the rights in relation to the data collected from them, at any stage:
- Right to request access
- Right to request erasure
And if they wish to exercise these rights they can contact your company by email to a specific contact e.g. GDPR@yourcompany.com.
At this stage, you must not ask for consent, but may want the confirm that the participant is content to proceed with the interview, or perhaps they could have the option to withdraw from the interview at that stage.
However, you will then need to confirm that they have read the document and are happy to proceed, at the beginning of the interview. This could be done verbally and recorded.
The benefits are:
- You are not relying on Consent as Legal Basis for processing the participants data.
- The participant has been advised on the specific purpose of the process, the planned use of their data and the protection measures in place.
- The participant was provided with the opportunity to withdraw from the process.
Such a document would constitute an agreement and as such the template should be reviewed by your legal team.