GDPR one year on

It’s almost exactly 12 months since the EU legislation came into effect, and much was written at the time about its potential implications for the marketing and data industries.

A year on, it’s a mixed picture for consumers: according to research by the DMA, two in five ( 41%) say they are more confident that brands are handling their data correctly as a result of GDPR. However, in another survey from technology firm Ogury, 59% of UK respondents said their understanding of the regulation was no better than before it came into effect.

From a greater focus on what personal data is collected for research, to formalised processes for the transfer and storage of participant data, Research Live spoke to market research agencies to find out how GDPR has changed the way they do business.

Dave Bostock, head of digital, Simpson Carpenter
I think it has made a major positive impact on how personal data is managed. Pre-GDPR we would sometimes receive data files with every data field in there whether it was needed to conduct the research or not; post-GDPR everyone is now forced to follow stringent processes that should have always been in place. In terms of data collection, there is now a focus on what personal data is collected, how it is collected and the actual need for it to be collected whereas in the past there was a tendency to collect everything ‘just in case’.

Yes, the legislation was complex and the language sometimes impenetrable but the shock has worn off and the reality is that GDPR is not ‘the end of research as we know it’. It has proven to be effective at what it sets out to do and has helped align an industry that was in danger of fragmentation when it came to the handling of PII.

Eulalia Pereira, data protection officer, Walnut Unlimited
GDPR has had an impact on all areas of our business. We’ve needed to instil new procedures and policies and embedding a culture of privacy takes time and effort. We’ve learnt a lot and our compliance programme continues to evolve. For our projects, ‘privacy by design’ requires increased due diligence and accountability so working in collaboration and finding bespoke solutions with our clients on this has been vital.

Over the year, we have looked at the opportunities that GDPR can bring to properly engage with data subjects: placing them at the heart of what we do. A recent nationally representative study we conducted with the Unlimited Group revealed high levels of awareness of GDPR ( 78%) in Britain – largely consistent across all demographics. Despite a patchy understanding of the finer details, there is evidence that the key elements of the regulation are important to individuals. This highlights to us not only the importance of compliance but also the need to have continuous discussions with clients around support with GDPR and customer engagement.

Hannah Schatte, director, legal counsel, System1
Adhering to the GDPR principle of data minimisation is no doubt a challenge when it comes to providing market research services. Although System1 isn’t operating its own panels, the impacts on our operational processes have been significant. We have redesigned our survey templates to allow for explicit consent to be collected where necessary, abolished any personalisation of surveys and have revised questions to minimise the possibility of collecting information that could be classified as personally identifiable within a survey – for example, discouraging the use of demographic segmentation and eliminating free text fields for screening questions.

Deborah Mattinson, founding partner, Britain Thinks
Although compliance with GDPR felt burdensome at first, it’s brought about clear and positive changes in the way we work. Processes relating to the transfer and storage of participant data and participant consent have become formalised, which, in turn, has created greater consistency in the participant experience. GDPR has forced us to look again at these processes through the eyes of the participant. A year on, we’ve found that improved participant experience at this level leads to greater engagement with our research – which ultimately leads to better insights for our clients.

Ben Page, chief executive, Ipsos Mori
Personal data processing is fundamental to our business as a market research organisation and so the protection of personal data has always been at the forefront of our work. GDPR’s biggest impact has been embracing and implementing ‘privacy by default and design’. Data protection is now even more at the heart of every single step of our research process – producing data flows and assessing respondent risk; ensuring appropriate agreements are in place with suppliers and clients; considering our legal bases where consent may not be appropriate; and managing respondents’ requests where they exercise their rights.

Adele Gritten, managing director, Future Thinking
GDPR was perhaps billed to be a much bigger and more prolific watershed moment for our industry than it really has been. The volume of research participants contacting us with questions about why and how we are collecting their data and for what purpose has not changed a year or so in. However, it has undoubtedly forced us to think more on a daily basis (case by case project) about how we explain and frame our research to participants. It has also resulted in a wider review of all internal procedures, including IT and operational infrastructure mode broadly.  

Joe Staton, client strategy director, GfK
As a generally well-run industry that is used to self-regulation, GDPR held no terrors for most market research companies. For me, the biggest impact has been a better understanding and appreciation of the data-chain: the challenge of where the data ‘lives’ at any one time. For consumers, it has brought new levels of confidence that their data is safe, correctly handled and won’t get into the ‘wrong’ hands. For consultancies, it has brought clearer contractual arrangements for collecting and collating data. And, for clients, the re-assurance that they are compliant with all regulations, that they are robust, legal, honest and acting with integrity.