Today, the 25th May 2018, the General Data Protection Regulation (GDPR) finally comes into effect. This European regulation is exciting because it offers all kinds of protections and choices to ordinary citizens.
From now onwards, organizations must ask Europeans for explicit consent to collect and store their data, and they must explain exactly what data they're collecting, and what it will be used for.
Even better, Europeans gain the "right to be forgotten," which means they can ask organizations to delete their data permanently (unless they have valid legal reasons for holding on to it).
This is great for the people we study. But what does it mean for us researchers? How does the GDPR affect the ways we seek consent? How does it affect our data storage? What happens if people want to be forgotten?
GDPR in a nutshell
The GDPR applies to all personal data collected on EU residents by any organization, including those located outside the EU. It applies to data collecting, processing, storage, transfer, and usage. This means that if you are collecting data on EU citizens, you must abide by the GDPR.
A key aspect of GDPR is data minimization, which means that organizations should not collect, store, or use more data on a subject than is absolutely necessary.
Users must be able to give explicit consent. Users should know what information is being collected about them and what it is being used for. This should be explained in a straightforward way, avoiding legalese. All users should give explicit consent for the collection of any and all personal data. They must be told exactly what their data will be used for under normal circumstances.
Explicit consent also involves giving users choice. Organizations can no longer use pre-ticked boxes on consent forms, or state that consent is implied through use. They must do something to give consent, such as tick a box or sign a form.
All data should be stored as safely and securely as possible. It is recommended that researchers and institutions develop specific policies & procedures for storing & sharing data, including how it is stored and protected, who has access, and so on.
Researchers should share the absolute minimum amount of data necessary, and with the minimum number of people necessary. Data should not be generally available to everyone. Measures should be put into place to ensure data are protected, and that the minimum amount of data is shared. This holds for both internal use and external use. Organizations cannot assume that it is reasonable to share data with any employee. Similar guidelines hold for sharing information with people outside of the organization, and also outside the EU.
How to do qualitative research under GDPR
Most researchers I know are already pretty careful with gaining consent and storing data. Consent forms usually inform research participants that they can withdraw from the study at any time, which means their data will be deleted. Nevertheless, it's worth reviewing what you should do under the EU regulation.
During research design
- Build privacy considerations into your research design to cover all participants
- Identify whether you will collect personal data belonging to people residing in the EU. If so, they are protected under GDPR.
- Think about how much data you really need to collect to answer your research question. Are there ways you can avoid collecting data that you don't need?
- How might you use the data? Will you write journal articles, blog posts, give presentations? Will you use the material in teaching? The information you give to participants should cover all possible uses of the data.
- Will you share the data with anyone? If so, you will need to write this in the information sheet you give to participants too.
During data collection
- Be sure to give all participants the information they need and ask them to sign a consent form. Without this, you cannot use their data under EU law.
- Ethnographers: it should be OK to write up conversations and observations in field notes without getting explicit consent so long as you don't record personal data that can be used to identify someone (e.g. name, phone number, address, etc).
- Try to follow the principle of data minimization - not recording data that you really don't need.
- Anonymize data as soon as possible in the research process
After data collection
- Store data safely to prevent access by third parties. Keep all documents password protected. Avoid storing electronic personal data in the cloud - instead, keep it on your personal computer and back it up on an external drive.
- Data breaches (such as a lost hard drive) must be reported to the International Commissioner's Office and the participants within 72 hours.
- Keep hard copy data locked up in a filing cabinet or box (e.g. written notes, printouts of interview transcripts, consent forms, etc.
- Hang on to consent forms and other communications that show your participants understood the purpose of your study and gave their informed consent.
- If you are sharing data with colleagues, make sure all parties have a shared understanding of how the data should be managed, how it will be stored safely, and who has access to it.
- Have a clear plan of action for how you will erase a participant's data if they withdraw from your study. This isn't always as easy as it might seem. Often we keep copies of data in multiple places. How will you remember where these copies are stored? If data are anonymized, how will you know what data belongs to whom?
A little bit of forethought can save a lot of trouble down the track. Happy data protecting!
GDPR for researchers
- General Data Protection Regulation (GDPR) Guidance Note for the Research Sector: Appropriate use of different legal bases under the GDPR (ESOMAR)
- Ignorance will be no defense (GDPR for qualitative researchers) (AQR)
- How GDPR changes the rules for research (IAPP)
GDPR for web developers
- Watch the video of our presentation at SymfonyLive London 2018