This document summarizes a master class on GDPR and transparent research projects. The objectives of the class are to develop awareness of data protection legal frameworks, identify key actions for research organizations to embed transparency in GDPR, and share best practices. The agenda covers an overview of building data protection into research projects, choices of legal processing grounds like consent and legitimate interests, transparent privacy notices, and conducting impact assessments for risky processing.

1. MRS GDPR Master Class:
Transparent Research Projects
April 2018

2. Objectives for
Today
To help participants:
Develop awareness of the legal framework and context for
data protection and build confidence around responsibilities
Identify key actions for research organisations to embed the
transparency requirements of the GDPR
Share best legal and ethical practice in the market research
sector

3. Agenda Topics
10:00 – 10:10 Introductions and welcome
10:10 – 10:45 Overview: Building Data Protection
Principles into Research Projects
10:45– 11:15 Choice of legal processing ground
(Consent, Contract)
11:15 – 11:30 Coffee and Networking Break
11:30 – 12:00 Choice of legal processing ground
(Legitimate interests, Public interest,
Research exemption)
12:00 – 12:20 Transparent Privacy Notices
12:20– 12:50 Risky processing and impact
assessments
(Analytics & further processing, DPIA’s)
12:50 – 13:00 Closing questions/Discussion

4. Overview: Building
data protection
principles into the
research cycle

5. Session Topics
Some context behind GDPR
Key changes
Transparency
Accountability
Privacy by design and default

6. GDPR: Some
context
GDPR applies from 25th May 2018
Data Protection Act 2018 will be introduced in the UK to bring
GDPR into law
Evolutionary not revolutionary:
Fairness, transparency, accuracy, security, minimisation and
respect for individuals all remain from current legislation, plus:
Strengthened individual rights
Increased business accountability
Embedded privacy-centric focus

7. GDPR: Key Changes
Wider scope Stronger
individual rights
Greater
accountability
on all businesses
Higher fines
and sanctions

8. Privacy principles:
Bedrock of GDPR
Privacy by
Design and
Default

9. GDPR: Privacy by
Design and Default
Organisational
measures
Technical
safeguards
Privacy Impact
Assessment (PIA)

10. GDPR: Increased
organisational
accountability
Detailed written internal records
Mandatory breach notification
Data Protection Officer

11. GDPR: Obligations on
Controllers and
Processors
Controller means the natural or legal person, public authority, agency of
any other body which alone or jointly with others determines the
purposes and means of the processing of personal data
Processor means a natural or legal person, public authority, agency or
any other body which processes personal data on behalf of the controller
If you are a processor: the GDPR places specific legal obligations on you,
including requirement to maintain records of personal data and
processing activities. You also have legal liability for any breaches
If you are a controller: you are not relived of your obligations where
processors ae involved – the legislation places further obligations on
your to ensure your contracts with processors comply with the GDPR

12. GDPR: Greater
expectations for
transparency
Appropriate choice of legal grounds for processing
Effective communication and clearer information to
individuals to aid understanding
Establishment of procedures for exercise of all
rights
More information on logic, consequences and
significance of algorithms

13. GDPR: Embed principles
across the research
cycle
Scoping &
Setting-up
Data Collection
Data Analysis
Reporting &
Publication
Retention and
Disposal

14. Check your GDPR
Knowledge: Question
Agency commissioned by brand to conduct online
customer satisfaction survey. Survey designed by client,
run on agency platform with hyperlink for data collection.
Agency to analyse data and provide aggregated data set to
client. Who is the data controller?
a. Agency
b. Client
c. Both
d. Don’t know

15. Choice of legal
processing ground

16. Session Topics
Choice of processing grounds
Consent
Contract

17. GDPR: What options for
processing research
data?
The main options available for research processing:
Consent - specific, informed and freely given consent through clear
affirmative action
Contract – necessary to fulfil contractual obligations or prior to contract
Research specific - where impossible to conduct research otherwise
but subject to adoption of technical and organisational measures to limit
collection to the minimum and use of methods that de-identify
Legitimate interest - based on reasonable expectations and provided
does not override the rights of individuals (scientific research is a
compatible purpose)
Other grounds apply but less likely to be used in research such as
compliance with legal obligation; vital interests of data subject; public
interests

18. GDPR: What are the
conditions for consent?
Free/Freely given Specific Informed
Unambiguous Demonstrable Easy to withdraw
Modified provisions
for children, explicit
consent & scientific
research

19. Consent: Minimum
Information
Requirements
Data controller(s) identity and contact details
Purpose of each processing activity that consent is being
sought for
Type of data to be collected and used
Existence of the right to withdraw consent
Information about the use of the data for decisions based
solely on automated processing, including profiling;
Possible risks of data transfers to third countries in
absence of adequacy decision or appropriate safeguards

20. GDPR: Higher
standard for
explicit consent
Likely situations:
• Processing special categories of data such as details about individuals’
trade union membership, political beliefs, sex life or sexual
orientation, genetic data and biometric data
• Ad hoc transfers to third countries or international organisations (in
the absence of adequate safeguards)
• Automated individual decision-making, including profiling
Additional conditions:
• Affirmative statement not action
• Examples include signed written statement; filling in an electronic
form; sending an email; uploading scanned signature documents;
demonstrable oral statement or two-stage verification of consent (e.g.
email followed by verification link or code)

21. Consent tools in
practice
Consent Form
Short statement
to get consent for
activity
Opt-in to indicate
agreement/No
pre-ticked boxes
Research
Information
Sheet
Details about the
research project
Can be stand
alone document or
part of consent
form or privacy
notice
Privacy
Information
Notice
Data controller
requirement
Unique to each
controller

22. GDPR: Digital
Consents
Affirmative Action
Click here to begin the survey
By clicking the button you agree to participate in the survey.
Affirmative Statement (as part of electronic form)
I agree to participate in the survey and provide data about my gender and ethnicity for research
purposes.
By clicking the checkbox you consent to provide this information.

23. GDPR: Telephone
Consent
Some points to consider:
 Clear script for interviewers, moderators and anyone else who may be
seeking participant consent
 Get any consents for recording prior to recording interview and
confirm by statement
 Use layered approach to information delivery by directing to website;
telephone contact number; providing some information at the
beginning and some at the end of the case

24. GDPR: Panel
Consents
Some points to consider:
 Ensure right legal grounds (consent and/or contract)
 Put processes in place to refresh panel members consent at appropriate
intervals, including parental/guardian consent for children
 Provide panellists with access to privacy dashboards or other preference
management tools
 Provide clear terms and conditions including the conditions for collection of
points or other incentives
 Use appropriate recruitment processes for panellists with a separate opt-in
for individual research projects

25. GDPR: Recording
Consent
Keep a record to demonstrate when and how you got consent from research
participants including:
 Who consented (name of individual, or other identifier (e.g. online user name, session ID)
 When they consented (copy of dated document; online record with timestamp; note of
time and date which was made at time of conversation)
 What they were told (master copy of document or data capture form containing consent
statement used at time; record of scripts used in getting oral consent)
 How they consented (relevant document or data capture form; for online consent data
submitted as well as timestamp to link to relevant version of data capture form; note of
oral conversation but not necessarily a full record of conversation; audio recording of
confirmation of the consent)
 If they have withdrawn consent and if so when

26. GDPR: Scientific
research
National
flexibility:
UK DPA
2018
Scientific research can be carried out by researchers in
both public and private sectors
Processing ground is still consent basis but research
exemption provides ability to seek broader consent for
scientific research purposes if all purposes not known at
outset
Sound methodological techniques, recognised ethical
safeguards and robust technical and organisational
measures are all critical

27. GDPR: Contractual
necessity
Some points to consider:
 Limited use applicable to administration and management of research
panels
 Not appropriate for research projects more generally
 Document legal ground clearly in records
 Inform panelists of legal ground in terms and conditions
 Right to port data will apply to data obtained by contract

28. Check your GDPR
Knowledge: Question
Records of consent from an online survey in a
spreadsheet with ‘consent provided’ ticked
against the participant’s name:
Is this GDPR compliant?
a. Yes
b. No
c. Don’t know

29. Coffee Break

30. Choice of legal
processing ground
(Part 2)

31. Session Topics
Legitimate interest
Public interest
Research exemption & Special Category Data

32. GDPR: Reminder several
processing grounds

33. GDPR: Legitimate
Interest
Legitimate interest - the most
• Considered the most flexible type of
processing
• Only appropriate when using people’s
data in ways they would expect
• If used have an additional
responsibility for considering and
protecting peoples’ rights and
interests. and interests
Three-part test:
1. Identify legitimate interest
2. Show the processing is necessary to
achieve the legitimate interest
3. Balance the processing against the
individual’s interests, rights and
freedoms

34. Three Part Legitimate
Interests Test
• Do the
individuals rights
override the LI of
the organisation?
• Nature of
relationship?
• Sensitivity of
data?
• Expectations?
• Intrusiveness?
• Impact?
• Vulnerability or
children?
• Safeguards?
3. Balancing
• Is the processing
necessary?
• Does processing
help further
interest?
• Is this
reasonable?
• Is there a less
intrusive way
2. Necessity
• Is the
organisation
pursuing a LI?
• Why?
• Wo benefits?
• Any wider
benefits?
• Importance?
• Impact if don’t go
ahead?
• Ethical?
1. Purpose

35. Balancing Test in
Practice – Supply of
client list to agency
LI of data
controller
Individual’s
rights and
freedoms

36. Balancing Test in
Practice – Case
Study for Discussion
LI of data
controller
Individual’s
rights and
freedoms

37. Limitations of LI
Use responsibly
Must not be used as a processing ground:
 by public authorities (unless the processing is outside the scope
of tasks as a public authority)
 for automated decisions based on profiling activities
 for processing of special category data
Use with caution as a processing ground for children’s personal
data

38. Legitimate
Interests Checklist
 Ensure legitimate interests processing ground set out in
privacy policy
 Identify relevant legitimate interests
 Check processing is necessary and there is no less intrusive
way available for same result
 Ensure individual’s interest do not override LI
 Conduct and document outcome of LIA
 Conduct DPIA if significant risks identified in LIA
 Keep LIA under review

39. GDPR/UK DPA 2018:
Public Interest
Why is this important?
 Processing of personal data in public interest “public task”
 Processing of special category data under the research exemption
What does public interest mean?
 Dependent on sector and purpose
 Balancing act required assessing the public interest in light of
individual rights and freedoms
 Ethical safeguards critical

40. GDPR/UK DPA 2018:
Research exemption
Scientific research in the public interest
• Scientific research broadly defined
• Exemption provides limited flexibilities on some aspects
• Processing ground for special category data if scientific purposes in
public interest
• In determining public interest conduct balancing test that considers
rights of individuals and the public interest
• Sound methodological techniques, recognised ethical safeguards
and robust technical and organisational measures are all critical

41. Check your GDPR
Knowledge: Question
Research conducted on behalf of a charity on
dementia and their carers.
Is this research likely to meet public interest test
for research exemption:
a. Yes
b. No
c. Don’t know

42. Transparent Privacy
Notices

43. Session Topics
Rights of data subjects
Purpose of privacy notices
Drafting privacy notices
Using innovative approaches

44. Right to be informed &
strengthened individual
rights
New
• Right to data portability
• Right to erasure/”be forgotten”
• Right to restrict processing
Strengthened
• Right to be informed
• Right of access
• Right to rectification
• Right to withdraw consent
• Right to object and/or withdraw consent
• Right not to be evaluated by automated
processing
Need to promote all these rights to individuals

45. GDPR: Privacy
Information Notice

46. What to include in
the notice?
Starting point is:
 who you are
 what you are going to do with participant information
 who it will be shared with
Also consider including:
 what you are doing to ensure the security of personal
information
 information about participants right of access to their data and
their right to withdraw consent
 what you will not do with their data (such as use it for marketing
purposes)
Privacy information notices will be required regardless of the
legal ground being used.

47. How to deliver
the information
effectively?
Transparent user-centric notices
Tailored
Layered
Blended

48. Layering – Actively
provide some information
Actively provide:
 name of research organisation collecting the data and any client organisation
 general subject
 purpose
 any sensitive data collection
 whether the data collection will be recorded and/or observed
 guarantee of participant anonymity and/or confidentiality
 right to access data
 right to withdraw consent
 right to object to processing
 description of any reasonably foreseeable risks (including physical or emotional harm and
discomfort or embarrassment) particularly in qualitative research projects
 details of any international data transfer to third countries in the absence of an adequacy
decision and appropriate safeguards
 length in minutes of data collection
 re-contact details including when re-contact will occur; the purpose and by who
 costs likely to be incurred by the participant (if appropriate)
 assurance that the activity is being collected in accordance with the MRS Code of Conduct

49. Layering - Make other
information accessible
Make accessible:
 who will administer incentives, what it will be; when it will be received; any conditions
attached
 generic contact details for data protection officer (if applicable)
 details of any international data transfer to third countries considered adequate by the EU
 retention period for data or criteria for retention
 right to lodge a complaint with the supervisory authority in the Member State of residence,
place of work or alleged breach of GDPR. In the UK this is the ICO
 right to port data (if automated data collection)
 right to erasure of any personal data made public
 right to restrict processing
 right to rectify data held

50. Blending – Use a
mix of techniques
VideosCartoons
FAQ’s
Help
centres
Info
graphics
Digital

51. Tailoring – Adapt to
target audience and
channel
Information in notices must be:
• Written or conveyed in clear language and in an accessible manner
• Tailored to the audience that is being targeted and written in an age-
appropriate manner
• Adapted to the type of channel (e.g. mobile, online, telephone) that
the information is being conveyed on

52. “Risky processing”
and Data Protection
Impact
Assessments

53. Session Topics
Further processing
Data Protection Impact
Assessments

54. GDPR: Key Questions
for analytics/further
processing
Is it fair?
Is it lawful?
Does processing comply with purpose
limitation and data minimisation
principles?

55. GDPR: Analytics
Case Study
Retailer using customer datasets and combining this with
“segmentation” data and/or other publicly accessible data (such
as information “scraped” from social media platforms Facebook,
Twitter, Pinterest, LinkedIn) to:
• understand customers (i.e. research) or
• instruct interaction with particular individuals (e.g. targeted
advertising)
Are either of these acceptable under GDPR?

56. Further processing: Is
it fair?
Effects of processing
Expectations of data subjects
Transparency of processing

57. Further processing: Is it
lawful?
Consent
Legitimate Interest
Compatibility of secondary processing
Use of the research exemption

58. Does it meet purpose
limitation & data
minimisation principles?
Specified purposes
Collection of data
Retention of data

59. Data Protection
Impact
Assessments

60. DPIA: Tool for risk-
based demonstrable
compliance
Organisations must fully consider the risks that processing poses to the
fundamental rights and freedoms of individuals
What does this mean?
 Identify risky processing activities
 Consider implications of the risk level
 Mitigate any risks
DPIAs particularly relevant when a new data processing process, system or
technology is being introduced
Failure to conduct when required is Tier 2 Breach

61. When is a DPIA
required?
Processing “likely to result in a high risk to the rights and freedoms of
natural persons”:
 Systematic and extensive profiling, with significant effects
(GDPR)
 Large scale processing on a large scale of special categories of
data or criminal convictions data (GDPR)
 Systematic monitoring of a publicly accessible area on a large
scale (GDPR)
 New technologies (ICO)
 Large scale profiling or profiling of children (ICO)
 Matching datasets or combining datasets from different sources
(ICO)
 Invisible processing (ICO)
 Tracking location or behaviour (ICO)

62. Examples of projects
likely to need a DPIA
Archiving of
pseudonymised
personal sensitive
data from research
projects or clinical
trials
Hospital processing its
patients’ genetic and
health data on its
information system
Gathering of public
social media data for
generating profiles

63. Check your GDPR
Knowledge: Question
Research study collecting data from 300 patients
using online survey.
Is this likely to involve…?
a. High risk data processing
b. Low risk data processing
c. Don’t know

64. Who should be
involved?
 Data controller – is it the client or agency or both?
 People with appropriate expertise and knowledge of the project
(internal and/or external)
 Designated data protection officer (DPO)

65. GDPR: Case Study
Range of techniques in mapping digital journey to understand
how people gather information about sensitive skin care and
products online
• Passive digital monitoring on internet enabled devices
• Eye-tracking website views
• Mobile diary app
• Survey
Some possible preliminary questions
• Suitability of mix of techniques?
• App design and privacy settings?
• Protocols for stripping out unnecessary data?
• Approach to illegal/disturbing content identified in data?

66. How to conduct a DPIA?
1. Identify need
for DPIA (likely
for Big Data
Analytics)
2. Describe the
processing
3. Consider
consultation
4. Assess
necessity and
proportionality
5. Identify and
assess risks
(likelihood and
severity)
6. Identify
measures to
and mitigate
risk
7. Sign off and
record
outcomes
8. Integrate PIA
outcomes back
into the project
plan
9. Keep under
review
ICO (2018) Draft DPIA Consultation

67. DPIA Checklist
 Have staff been trained to consider DPIA at early point
and on how to carry it out?
 Is DPIA included in policies, processes and procedures?
 Do you understand the type of processing that requires
DPIA?
 Have you created and documented DPIA process
(including approach where no DPIA required)?
 Do you ensure mitigation measures implemented?
 Are you aware when the ICO needs to be consulted?

68. And the last word …..
Just because you can doesn’t
mean you should …….

69. What’s coming
next?

70. MRS guidance &
awareness
Guidance
• MRS EFAMRO ESOMAR Guidance Note on Research Sector – Legal Bases (June 2017)
• GDPR In Brief – 7 GDPR topics covered to date
• Data Protection & Market Research: Guidance for MRS members (April 2018)
• Fair Data, Impact, MRS Blogs and Articles
Live and Recorded Webinars
• GDPR Countdown (May 2017)
• MRS AURA Client Side Research (November 2017)
• RAS GDPR (April 2018)
• Off the Starting Blocks (March 2018)
• GDPR & Analytics (June 2018)
Training and Events
• MRS Roadshow (Leeds, Bristol, Edinburgh, Brighton, Birmingham, London March to July 2018)
• Association events e.g. EphMra; Cvent
• MRS GDPR and Data Privacy in Research Training (May 2018)
• GDPR Master Class – Transparent Research Projects (April 2018)
• Company Partner Briefings (Ongoing)

71. Thank you
Any questions?