As part of the upcoming GRIT 2018 Q1-Q2 Report, we asked respondents a few questions about the GDPR regulations that will go into effect in May. We suspected that many researchers outside of the EU were not ready, and boy, we were right.
(On that note… have you opted in yet to keep receiving GreenBook content? Click here to confirm your consent.)
Among AdTech, MarTech and the general world of marketing, this is one of the single biggest topics, and we have much to learn from how those sectors are responding to it.
This sneak peek only looks at high-level results; an in-depth analysis of other differences (e.g. client vs. supplier, region, role, tenure) will be in the upcoming GRIT report. We wanted to raise this important topic now so that the market research industry starts the conversation about GDPR sooner rather than later.
Not only are about half of all GRIT respondents globally unfamiliar with GDPR, but of those who are aware, only 24% consider themselves already fully compliant. A whole 7% don’t even think the regulation applies to them, which is akin to an ostrich with its head in the sand. Bear in mind that those percentages are calculated only among the aware half of the sample; once the unfamiliar half is counted, it is safe to assume the real picture is far more alarming.
Just as a refresher, here are a few snippets from the EU GDPR website that are important for us to understand:
- Who does the GDPR affect?
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. (emphasis added)
- What are the penalties for non-compliance?
Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.
- What constitutes personal data?
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
- What is the difference between a data processor and a data controller?
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.
Referring to just those basic points (and there is a lot more detail), GDPR will almost certainly impact the market research industry. If you touch consumer data in any way and through any source (including from panels), then unless you know it contains no data about people in the EU, you must be GDPR compliant. The GRIT data is concerning from that perspective, as we are less than 30 days from these regulations going into effect. If the GRIT responses are indeed representative of the industry as a whole (and I believe they are), then many companies may fall afoul of the significant penalties associated with this regulation. Ouch.
As I am writing this, I am listening to the ARF & GreenBook Town Hall Industry Code of Conduct on data privacy standards for the industry, and GDPR is a central part of the conversation. The following slide was shared as a summary of some of the key requirements of GDPR. Take a look and ask yourself, how could this impact my organization?
(And just another reminder to opt-in if you haven’t already to keep receiving great articles like this one post-GDPR.)
Adherence to association standards or guidelines, such as the ones set forth by ESOMAR, Insights Association, or MRS, is no guarantee that you are in compliance with GDPR. Although these codes are useful and aid in ensuring some compliance, they are insufficient, especially regarding how respondents are recruited for research participation, the use of social media data, loyalty data, and 3rd party data in research, the finer points of what GDPR considers personal data, and the rights it gives consumers over how that data is used and managed.
There are many, many resources online for GDPR education and compliance, and if you are part of the very large group of companies that is not yet prepared, I suggest you immediately get up to speed and begin working right now to ensure your business is ready. If you don’t, all it takes is one complaint from someone in the EU to trigger potential consequences for your organization.
One final note: the consensus view is that regulation akin to Europe’s GDPR will eventually be enacted globally, specifically in the United States. As a result, models such as blockchain (which, contrary to what many are saying, can be designed to accommodate erasure, for example by keeping personal data off-chain and recording only hashes on the ledger) may also emerge quickly and disrupt many business models, especially in the world of insights and analytics. Data privacy is no longer an abstract or political consideration. It is real, it is here, and it has far-ranging implications for market research and other industries.
Being an ostrich is no longer an option; we must all engage with open eyes and be prepared for what comes next. Based on these data, we have a long way to go in a very short period of time.