Compliance beyond GDPR

x Sponsored content on Research Live and in Impact magazine is editorially independent.
Find out more about advertising and sponsorship.

By now, you have probably received a variety of ‘choose me’ emails, as organisations carry out re-permissioning exercises to ensure they can continue to market and communicate with you legally after 25 May. 

This is the date when the General Data Protection Regulation (GDPR) will be enforced by all supervisory authorities across the EU, including the Information Commissioner’s Office (ICO) in the UK. Indeed, the imminent enforcement of the GDPR is significantly influencing the manner in which businesses of all sizes, across all sectors, manage their approach to the collection and use of personal data. 

Granting people effective controls and real choice over the use of their data will be key to businesses that wish to thrive in this new and changing environment. MRS has always stressed the importance of the social contact between research participants and researchers – and reflecting user needs and expectations in the design and management of research projects continues this. 

In addition to GDPR, however, MRS has engaged with a range of regulatory and policy initiatives, to ensure any impacts on commercial research are considered in regulatory and policy approaches. Here I briefly highlight the other areas researchers should pay attention to – particularly in the changing environment for telephone and digital research.

Wider controls on unsolicited calls 

MRS works with a range of stakeholders to ensure measures have been put in place to minimise adverse impacts from call-blocking initiatives. These include:

• Research with BT before the launch of the telecom provider’s Call Protect service, which allows customers to opt in and divert unwanted or nuisance calls to a ‘junk’ voicemail
• Engagement with the Direct Marketing Association (DMA) on the TPS Protect app, to ensure accredited MRS company caller IDs are assigned trusted status 
• Ongoing efforts with technology and systems used by other operators to facilitate mobile and landline telephone research.

Compliance by members with the updated MRS Regulations on Predictive Dialling – which is based on the revised Ofcom Statement of Policy on Persistent Misuse – will minimise the chances of enforcement action. It is important that research organisations display a valid returnable caller line identification. This must be capable of receiving a return call that connects to either an agent or an automated information message, and organisations must aggressively and effectively manage automated dialling systems to minimise the risks of making silent or abandoned calls. 

Ongoing participation in Operation Linden – a broad-based multi-agency group, chaired by the ICO, that coordinates activities to maximise enforcement opportunities against individuals and organisations in this area – will ensure that ethical, legitimate telephone research is safeguarded.

Pending digital reforms under e-Privacy

The proposed EU e-Privacy Regulation will replace the provisions in the Privacy and Electronic Marketing Communications Regulations (PECR) governing marketing and unsolicited calls. It will make this regime more consistent with the GDPR, especially in terms of a stricter test for consent and the higher level of sanctions that can be applied for breaches of the regulation. 

Although the e-Privacy Regulation will doubtless also change the way cookies or similar tracking technology through websites, mobile apps and messaging services are used, the exact requirements are still unclear, and the interaction between this and the GDPR does not fit well currently. Reforms to e-privacy will also probably include some additional requirements for direct marketing. 

MRS is directly engaged in these discussions at national and EU level, and businesses should hold a watching brief as these proposals are discussed and negotiated in the EU trilogue process, between Council, Parliament and the Commission.

Looking past GDPR 

GDPR compliance is a pivotal activity for researchers and MRS has published extensive guidance notes aimed at encouraging accountability of research organisations and transparency, plus privacy by design and default at the core of research projects. We are also working to ensure that the research exemption and the public interest approach, set out in the UK Data Protection Act 2018, is flexible enough to cover the wide economic and societal benefits from research done by commercial, non-profit, academic and public sector researchers. 

As GDPR enforcement approaches, however, it is critical to remember the wider regulatory framework that impacts on commercial research. From 2017 into 2018, there is a mix of data initiatives targeted at building the digital economy. 

MRS will continue striving to give timely guidance and help navigate the changing regulatory reality. We will also seek to have input in policy discussions and regulatory interventions to shape key initiatives and ensure there is a proportionate, balanced environment for the promotion and protection of research. 

Dr Michelle Goddard is director of policy and standards at MRS