OPINION8 November 2018

Towards a GDPR code of conduct for the research sector

x Sponsored content on Research Live and in Impact magazine is editorially independent.
Find out more about advertising and sponsorship.

Europe Features GDPR Impact Legal UK

GDPR means codes of conduct with wide applications will be essential for businesses and research associations are working towards that now, explains Dr Michelle Goddard.


Codes of conduct are set to be a game-changer under the General Data Protection Regulation (GDPR) and research associations across the EU – including the Market Research Society – have embarked on an initiative to develop a comprehensive, practical and accessible GDPR code for the research and analytics sector. 

Realising the benefits of a code, especially one of wide application, will be pivotal for all types of businesses, especially micro, small and medium-sized organisations.

Roadmap for uncertain times

A GDPR research code will help the sector to maximise the opportunities of GDPR and more effectively apply the legislation in collecting and processing research participant data. Controllers and processors, who adhere to a code, will be able to use it to:

  • Follow sector-specific tailored guidance on GDPR compliance requirements 
  • Address and identify their risky processing activities and understand the suitable mitigation measures 
  • Help them with cross-border data transfers outside the EU as the code can serve as an approved legal mechanism (together with binding legal commitments)
  • Mitigate against enforcement action by a data protection authority, such as when they assess the amount of an administrative fine
  • Signal to data subjects and regulators that their business is GDPR compliant
  • Develop a competitive advantage over other suppliers with a quality mark for data controllers choosing suppliers.

Tailored content 

Article 40 of GDPR encourages the drawing up of codes of conduct to help data controllers and processors demonstrate compliance. It envisages a wide, but tightly controlled, system based on co-regulation between data protection authorities and industry bodies. 

Building on the EU Directive approach that encouraged establishing sector-specific data protection codes, it provides significantly more detail about what must be included and the routes for approval.

In line with this new approach, there is a long and diverse list of areas that can be dealt with in a code, such as:

  • Fair and transparent processing 
  • Legitimate interests pursued by controllers in specific contexts
  • Collection of personal data
  • Pseudonyms for personal data
  • Information provided to the public and to data subjects
  • Exercise of the rights of data subjects
  • Information provided to, and the protection of, children and the manner for parental consent
  • Technical and organisational measures, including privacy by design and measures to ensure security of processing 
  • Notification of personal data breaches to supervisory authorities and communication of breaches to data subjects 
  • Data transfers outside the EU 
  • Procedures for resolving disputes between controllers and data subjects.

A harmonised approach will be particularly valuable for international research. The current hot topics engaging the minds of data protection officers and privacy champions working in the research sector are likely to be addressed in a code.

For example, what should be in privacy notices for participants, and what layering is appropriate? How do you determine if the research organisation is a controller or processor? What are the appropriate roles and responsibilities of parties in the research supply chain and how do you pseudonymise research datasets?

But above all, EU legislators and policy-makers have made it clear that the detail in the code must add value. 

Regulators are not looking for a mere re-interpretation of GDPR but evidence that the sector promoting the code is giving added value for data protection compliance and data subjects. The code does not necessarily have to increase the legal requirements but certainly must not dilute or minimise them. In a sector historically based on a bedrock of ethics and best practice, this should be easily demonstrable.

Extensive process for formal approval 

Codes impacting on several member states are submitted to a lead data protection authority who, under the consistency mechanism, then submits the code to the European Data Protection Board (EDPB). 

Once the code is considered to have appropriate safeguards, the EDPB will submit its opinion to the European Commission, which can validate and publicise it. Transparency is ensured by a code register – created and maintained by EDPB – involving monitoring by accredited bodies. Timely review and formal adoption will require commitment from all of the parties involved in the process. 

Developing and participating in a GDPR code is not a soft option for the sector. Across the EU, self-regulation regimes are of mixed maturity and efficiency.  

The code will require dedicated resources, comprehensive monitoring and may need significant capacity building by some associations and organisations. It is also likely to involve a lengthy process with extensive drafting exercises and encompassing wide consultation.  

An open consultation process is critical to ensure that all relevant stakeholders, including not only research practitioners but also data subjects and privacy organisations, are meaningfully involved in discussions on the appropriate content and reach of the code.

Adhering to a code can work for your business 

The code will help explain how GDPR applies in practice, and better enshrine and standardise research best practice across EU member states and beyond. 

Adherence to the code will allow a research organisation to be more fully trusted by clients and help with cross-border transfers – all within a rigorously monitored framework. 

So, keep in touch as MRS works with other research associations to adopt a robust, but tailored, GDPR code for the research sector.

This article was first published in Issue 23 of Impact.