OPINION, 8 November 2018
Towards a GDPR code of conduct for the research sector
GDPR means codes of conduct with wide application will be essential for businesses, and research associations are working towards that now, explains Dr Michelle Goddard.
Codes of conduct are set to be a game-changer under the General Data Protection Regulation (GDPR) and research associations across the EU – including the Market Research Society – have embarked on an initiative to develop a comprehensive, practical and accessible GDPR code for the research and analytics sector.
Realising the benefits of a code, especially one of wide application, will be pivotal for all types of businesses, especially micro, small and medium-sized organisations.
A GDPR research code will help the sector to maximise the opportunities of GDPR and apply the legislation more effectively when collecting and processing research participant data. Controllers and processors who adhere to a code will be able to use it to:
Article 40 of GDPR encourages the drawing up of codes of conduct to help data controllers and processors demonstrate compliance. It envisages a wide, but tightly controlled, system based on co-regulation between data protection authorities and industry bodies.
Building on the EU Directive approach that encouraged establishing sector-specific data protection codes, it provides significantly more detail about what must be included and the routes for approval.
In line with this new approach, there is a long and diverse list of areas that can be dealt with in a code, such as:
A harmonised approach will be particularly valuable for international research. The current hot topics engaging the minds of data protection officers and privacy champions working in the research sector are likely to be addressed in a code.
For example, what should be in privacy notices for participants, and what layering is appropriate? How do you determine if the research organisation is a controller or processor? What are the appropriate roles and responsibilities of parties in the research supply chain and how do you pseudonymise research datasets?
But above all, EU legislators and policy-makers have made it clear that the detail in the code must add value.
Regulators are not looking for a mere re-interpretation of GDPR but evidence that the sector promoting the code is giving added value for data protection compliance and data subjects. The code does not necessarily have to increase the legal requirements but certainly must not dilute or minimise them. In a sector historically based on a bedrock of ethics and best practice, this should be easily demonstrable.
Codes impacting on several member states are submitted to a lead data protection authority who, under the consistency mechanism, then submits the code to the European Data Protection Board (EDPB).
Once the code is considered to have appropriate safeguards, the EDPB will submit its opinion to the European Commission, which can validate and publicise it. Transparency is ensured by a code register – created and maintained by EDPB – involving monitoring by accredited bodies. Timely review and formal adoption will require commitment from all of the parties involved in the process.
Developing and participating in a GDPR code is not a soft option for the sector. Across the EU, self-regulation regimes are of mixed maturity and efficiency.
The code will require dedicated resources, comprehensive monitoring and may need significant capacity building by some associations and organisations. It is also likely to involve a lengthy process with extensive drafting exercises and encompassing wide consultation.
An open consultation process is critical to ensure that all relevant stakeholders, including not only research practitioners but also data subjects and privacy organisations, are meaningfully involved in discussions on the appropriate content and reach of the code.
The code will help explain how GDPR applies in practice, and better enshrine and standardise research best practice across EU member states and beyond.
Adherence to the code will allow a research organisation to be more fully trusted by clients and help with cross-border transfers – all within a rigorously monitored framework.
So, keep in touch as MRS works with other research associations to adopt a robust, but tailored, GDPR code for the research sector.
This article was first published in Issue 23 of Impact.