What is GDPR and why is it important:

GDPR is the General Data Protection Regulation that governs the processing of personal data and sets privacy, data-protection, and security standards. While GDPR was not specifically created to regulate user research data they have become increasingly intertwined which is why it’s essential for researchers to understand how it effects their work.  

Personal data is defined as data from which someone can be identified – for example a name, address, date of birth, IP address etc. Researchers have to manage user data and details they collect to make sure they are protecting participant privacy and complying with GDPR. Participant personal data can be found in your interview recordings, notes, forms etc.  

Things to look out for:

There are a few main things that need to be taken into consideration when looking at how GDPR intersects with user research. While it is not a law that was created specifically for research, it does affect the way data is handled within the research space.  

Firstly, the definition of ‘personal data’ used in GDPR is quite broad. This means it could impact more than you would originally think. It’s definitely worth keeping an eye on what data you are collecting and how easy it is to identify the participant from that data.  

Secondly, GDPR has very strict rules about informed consent. Just in-case consent wasn’t already stressful enough!  

Last, but definitely not least, GDPR has created stronger requirements for documentations and auditing. Make sure you’re talking to your legal teams about how you can insure you’re documenting every step of the way to the best of your ability.  

How to stay compliant:

Staying GDPR compliant is one of the most important things you can do as a researcher. Here are our top 5 tips on how to do that:  

1. Expectations – When talking to your participants be clear about what data you’ll be collecting, how it will be used and how it will be securely stored. This will help prevent confusion later on in the research process. We suggest doing this in the initial recruitment process via a project information handout.  

2. Storing participant data - Holding on to any data can be tricky. By storing any data collected in a safe and secure environment you can reduce the chance of any GDPR breaches. Make sure the data is only accessible by the necessary parties and they’ve also been made aware of the importance of compliance.  

3. Informed consent – Informed consent is needed for all and any data you collect and use. Make sure to keep track of when consent was given and to agree on a retention time (the recommended time is usually 2 years!). Any data that isn’t necessary to keep hold of can be safely deleted.  

4. Participant access – Yes, we did just write this whole blog post about the importance of anonymity and safekeeping of data but it’s also important for you to be able to tell whose data is whose! Participants have the legal right to access their data at anytime or ask to have it deleted, if it’s not correctly labelled you could end up sharing the wrong data with the wrong person.

5. Talk to the experts! – Your company’s legal and compliance teams are the best people to talk to, to make sure you are doing everything you can to stay GDPR compliant.

Here are some resources that might be helpful if you want to learn more about GDPR and its impact on user research:

What is GDPR, the EU’s new data protection law?

Managing user research data and participant privacy

What is personal data?

GDPR and research – an overview for researchers

‍

Get onboarded with Ayda

Book a 20 minute call with a member of our team to supercharge your user-research