July 29, 2020
Update the privacy and data protection policies made outdated by COVID.
No sector or corner of the world has been left untouched by the impact of COVID-19, and the insights and analytics sector is no different. As much of the sector’s workforce was suddenly faced with the challenges of working from home, researchers have had to seriously adapt to meet ongoing requests for insights into rapidly changing consumer behaviors and opinions.
At ESOMAR, we too have seen a huge increase in the community’s need to discuss how to best make the shift from offline to online research to continue to generate data at this crucial time.
F2F research and fieldwork suffered in particular, as confinement measures meant groups of people could no longer meet in person. As such, many agencies who planned their F2F projects or fieldwork for 2020 suddenly had to pivot, meaning many of the privacy and data protection policies that were written in 2019 or early 2020 were also suddenly out of date.
Whilst making these key methodological changes was top-of-mind for many agencies to ensure survival, privacy policies may not have made the cut on the priority list. However, in this sensitive time, key data protection laws are still very much in force and monitoring whether agencies around the world are paying attention. The good news is that it is not too late to reflect any changes to your ways of working firmly in your policies.
Privacy Policies
As many of you already know, laws such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) require companies to have up-to-date, accurate, transparent, and informative privacy policies. These must not only be accurate, but they must also be accessible to any individuals participating in online research.
Data Flows and Processing Registers
If your processing register is not up to date, and your organization is not clear on the new methodologies and ways of working, this can have repercussions further down the line that may end up costing you more. For example, if you receive a data subject access request, the first document you rely on is often the data processing register, which will point you to the right place. If this is not up to date, you will face delays and further costs, as well as potentially not being able to meet the legal time limits to respond to such a request.
In a similar way, should a data breach occur, if the policies and procedures are not updated, you may face expensive and time-consuming delays which, in the current crisis, many companies cannot afford.
Contracts
As new methodologies and ways of working are introduced, processing activities also change. As a result, these changes will affect the contracts and Data Processing Agreements you have in place with third parties and partners – in some cases, contracts may have to be amended or may no longer be relevant. In other cases, as shifts to online research often involve working with new platforms or solution providers, new contracts and Data Processing Agreements will have to be concluded. Don’t forget that these are also legal requirements that are now expected both in Europe and the U.S.
1. Identify and outline your new processing activities
Just as any new project becomes a new processing activity within your organization, a change in methodology and means of processing personal data does too. It is important that these are reflected in your Data Processing Register, a centralized document that helps you determine your organization’s data flows. It is also just as important to remove processing activities you no longer engage in.
2. Review any new partners or service providers
Your Data Processing Register will also include the information of new service providers you have engaged with as a result of your organization’s shift. If personal data is being shared with these new providers or third parties, a Data Processing Agreement must also be concluded with them. This document helps to determine each party’s responsibilities with regard to data processing and in the case of a data subject access request or data breach.
3. Reflect the above changes in your Privacy Policy
Individuals whose data is being processed have the right to know who else has access to their personal data, and which countries it is traveling to. Any changes in ways of processing personal data, and changes to third parties, must be reflected in your Privacy Policy. Don’t forget that this has to be done in a way that is easy to understand and accessible to individuals.
The three steps above outline the very beginning of what you can do as of today to make sure data protection and privacy practices do not hinder your business. If the changes you have had to make in your organization as a result of the COVID-19 pandemic are significant, they must be reflected in your policies, processes, and procedures not only in data protection but across the board. Doing so in a timely manner will help you avoid greater costs further down the road.
Disclaimer
The views, opinions, data, and methodologies expressed above are those of the contributor(s) and do not necessarily reflect or represent the official policies, positions, or beliefs of Greenbook.