Very soon, Europe's data protection rules will undergo their biggest changes in two decades. The European General Data Protection Regulation (GDPR), which will come into force on May 25, 2018, will impact how researchers collect and store personal data from European citizens.
If your organization is based in the European Union or you plan to collect data from EU citizens, it is essential that you become familiar with the GDPR. We've prepared a brief outline of GDPR requirements, its impact for Recollective customers and some recommendations.
Controller vs. Processor
Not everyone that handles the personal data of European individuals will be treated the same under the GDPR. The law clearly identifies two roles with varying responsibilities:
- Controller: A controller is an entity that decides the purpose and manner that personal data is used, or will be used
- Processor: A person or group that processes the data on behalf of the controller. Processing is obtaining, recording, adapting or holding personal data
By this definition, Recollective will be deemed a "processor" and our customers will be deemed the "controllers".
The majority of obligations under the GDPR fall upon the controller but Recollective is responsible to assist our customers in maintaining their compliance, such as notifying our customers of potential data breaches.
Disclaimer: The following document contains some recommendations provided by Recollective. They are our simple suggestions based on our interpretation of the GDPR rules and must not be solely relied upon. You should seek your own professional, independent legal advice to ensure compliance. We accept no liability whatsoever if you are found to be non compliant after following these recommendations.
A key aspect of the GDPR is the attainment of consent that clearly outlines the collection and processing of personal data. This consent must be distinctly separate from consent to other agreements.
Note that in GDPR terminology, each study participant is a "data subject".
Article 4 provides a definition of personal data:
- Personal Data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Recital 32 defines consent:
- "Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided."
Recollective already supports a "Panelist Agreement" feature (located in Site Administration > Site Setup > Account Settings). This feature allows customers to surface a customized opt-in agreement checkbox that will be required for every user accessing the Recollective site.
We recommend using this feature to create a declaration of consent with clear and plain language. For consent to be informed, panelists should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. We recommend including how long their personal data will be retained.
- What personal data will be collected (or might be collected via screening and profiling questions).
- How will that data be processed and how long will it be retained.
- How does one request information about personal data collected and its removal (opt-out).
- For organizations with over 250 employees, the GDPR requires that controllers identify a Data Protection Officer (DPO). The DPO's name and contact information should be included.
Recollective plans to expand the ability to define custom panelist agreements. The platform will allow multiple agreements to be defined including a cookie pop-up agreement that appears instantly. It will also allow filtering of panelists based on their consent to custom agreements.
Right to be Forgotten
The GDPR also introduces the 'right to be forgotten'. Under this new right, participants of a research study have the right to request erasure of their personal data 'without undue delay'.
Again, personal data broadly means a piece of information that can be used to identify a person. This can be a name, email address, physical address or IP address. Sensitive personal data encompasses genetic data, information about religious and political views, sexual orientation, and more.
Panelists have the right to request a copy of their personal data and can also request removal of that data at anytime (opt-out), even ahead of a study's conclusion.
Recollective has two options: a standard multi-tenant deployment and a dedicated site deployment. Both are compliant with the GDPR requirement to permanently delete data a set period after termination of a Recollective service agreement. You'll receive a notification as this process is scheduled to begin and of course, you also have the option to pay for an extended archive during which the data is retained.
The dedicated site deployment has an entirely separate database that stores personal data. The separate database and its backups can be completely wiped upon request (or automatically after closure of the site). Dedicated infrastructure sites are permanently deleted no later than 30 days after the termination of a Recollective service agreement. There are additional costs associated to choosing a dedicated site.
With regards to personal data located outside of Recollective, we recommend customers review the data they are exporting from Recollective, how it's protected and retained. Customers may wish to establish an internal process that systematically removes personal data that has been exported and/or purges data files at regular intervals.
Recollective already provides reporting and transcription options that anonymize the data being exported. We recommend using these functions to store study data offline for an extended period of time.
During the course of a study, in the event that an individual panelist requests their data be removed, simply edit their panelist record in the Site Administration area to remove any personal data. Contact Recollective to then request the removal of the user's IP address and email address from the system logs.
In the future, Recollective will provide tools for the automatic removal of personal data in shared-infrastructure configurations. This will allow customers with GDPR compliance concerns to avoid the extra cost of dedicated site deployments.
Notification of Data Breaches
When the GDPR comes into force, controllers will have to notify individuals 'without delay' that there has been a breach of their personal data. Where possible, this notification will need to be provided within 72 hours. The GDPR also includes a duty for data processing companies to report breaches to the organization that collected and controls the data they process.
Data exports from a Recollective study that contain personal data must be carefully protected. If there is a data breach of this data (i.e. from a lost laptop), customers must be ready to dispatch a timely notification that a data breach may have taken place.
Recollective actively monitors its infrastructure and will respond to any reports of potential data breaches. If a suspected breach has taken place, we will notify affected customers within 24-48 hours. Although the responsibility for a breach notification falls on the controller, Recollective will assist its customers in any way possible.
Data Protection in the UK
The GDPR provisions may not apply in the UK once it exits the European Union (depending on any transition period rules still being negotiated at time of writing). Personal data protection will instead be covered by a new Data Protection Bill. It appears the UK's data protection plans include everything within the GDPR, although there are some minor changes.
We take privacy seriously and have plans to continue improving the platform in this regard that will make it easier for Data Controllers to manage the data stored in Recollective in compliance with GDPR. If you have any questions or concerns, we’re here to help but strongly recommend you keep current with the laws and regulations of your own country and those in which you plan to conduct research to ensure you remain compliant.