The General Data Protection Regulation (GDPR) comes with strong implications for all kinds of industries, and the market research industry is no exception.  Since personal data collection is an essential part of many research projects, professional researchers and their survey software providers need to get prepared for the significant changes that are about to come. NIPO is convinced of the importance of GDPR compliance. Accordingly, we want to make sure that the NIPO organization and the Nfield platform are GDPR compliant.  This is an important benefit for our customers, however, on their part, they will also have to make sure their organization and services are compliant. In order to help customers with this, NIPO will share information about GDPR and provide advice. We will also keep our customers updated on how we are working to be GDPR compliant.  The GDPR becomes enforceable from 25 May 2018 after a two-year transition period, so get ready and read the most important GDPR information we selected especially for you. More Blogs will follow in the near future.

GDPR protects EU citizens privacy

GDPR is a new piece of regulation which will become law across the EU in May 2018. It replaces the 1995 EU Data Protection Directive. The aim of GDPR is to protect the fundamental rights and freedoms of all EU citizens, in particular, their right to the protection of personal data. It is a response to the public outcry over privacy and a common practice when some companies swap access to personal data for use of their services.

As a result, GDPR has been designed to give people more control over how their personal data is used and introduces tougher fines for non-compliance and breaches. It also makes data protection rules more or less identical throughout the EU.

Territorial and business scope

GDPR applies to any company that collects data from EU citizens regardless of the company’s location and country of origin. Typically, you can then think about four business scenarios:

1. The company resides/ is located in the EU and collects data from EU citizens – GDPR applies.
2. The company resides/ is located outside the EU (Asia, Americas, Australia, Africa) and collects data from EU citizens – GDPR applies.
3. The company resides/ is located in the EU and doesn’t collect data from EU citizens – GDPR doesn’t apply.
4. The company resides/ is located outside the EU (Asia, Americas, Australia, Africa) and doesn’t collect data from EU citizens – GDPR doesn’t apply.

Who is who in data collection

GDPR defines two roles: controllers and processors.

A data controller determines the purpose (why) and means (how) of the processing, while a processor is responsible for doing the actual processing of the data on behalf of the controller. So the controller could be any organization, from a profit-seeking company to a charity or government. A processor could be for example an IT firm doing the actual data processing.

Both controllers and processors have a responsibility to abide by the rules provided in GDPR. What’s new is that GDPR places direct compliance obligations on data processors for the first time at EU-wide level. So, now data processors are subject to liability if they fail to comply with their contractual obligations (e.g. failure to report a data breach) to their controllers.

Personal data definition

Before GDPR, the directive defined personal data as any information relating to an identified or identifiable natural person.

GDPR specifies and broadens the definition of personal data to include online identifiers (cookies, IP addresses etc.), genetic data (an individual’s gene sequence), biometric data (fingerprints, retinal scans etc.), location data (GPS etc.).

Other data, like economic, cultural or mental health information, are also considered personally identifiable information. Genetic and Biometric data are considered as Sensitive personal data under GDPR.

Stricter rules for consent

GDPR significantly toughens consent rules. Under GDPR, consent must be an active, specific, informed and unambiguous action taken by the EU citizen. This also means that the passive acceptance methods, such as pre-ticked boxes and opt-outs, are not allowed anymore. Also, controllers must keep a record of how and when an individual gave consent so that they can demonstrate exactly what and when someone agreed to.

New rights for EU citizens

Ultimately, GDPR puts the control of personal data back into the hands of EU citizens by introducing a number of new rights that bolster their position. The new rights especially affect how controllers can process and keep people’s data.

• The right to data access – EU citizens have the right to access any information a company holds on them, and the right to know why that data is being processed, how long it’s stored for, and who gets to see it. Companies must be ready to provide such an information within one month since the EU citizen’s request is submitted.
• The right to be forgotten – EU citizens have the right to demand that their data be deleted if it is no longer necessary for the purpose for which it was collected. They can also demand that their data be erased if they have withdrawn their consent for their data to be processed. The controller is responsible for telling other companies who the data has been shared with, to delete any links to copies of that data, as well as the copies themselves.
• The right to prevent profiling – means that it is not allowed to process and connect data from different sources with the intention to create the profile of an EU citizen and use such a composed information.
• The right to rectify – EU citizens can ask that inaccurate data be rectified or incomplete data be updated.
• The right for data portability – allows EU citizens to obtain their data from the controller it was provided to, and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily to another controller in a safe and secure way, without hindrance to usability.

Rising fines

It is the responsibility of the controller to inform the local data protection authority of any data breach that risks people’s rights and freedoms within 72 hours of the company becoming aware of it. Those who fail to meet the 72-hour deadline could face a penalty of up to €10 million or 2% of their global annual turnover, whichever is higher.

For violations related to the lawfulness of processing (consent, legitimate interest etc.), data subject rights, and cross-border transfers, the data protection authority could issue a penalty of up to €20 million or 4% of their global annual turnover, whichever is higher.

Questions you need to ask and why they are important

There are several questions companies need to ask and answer in order to begin the process of compliance with GDPR, below you will find some questions that need to be considered:

1. What is the relationship between my company and NIPO, are we controllers or processors?
In the relationship between your company and NIPO, your company is the controller and NIPO is the processor. This means your company determines what data needs to be collected, and the purpose of collecting the data, and then NIPO processes the data collected on the Nfield platform.

2. Does my company process personal data? 
The first thing any company needs to know is whether or not it processes personal data. This is relevant in order for the company to identify what type of personal data it has, does it include sensitive data? where is the personal data stored? who has access to this data? is this data shared with third parties? do you transfer the data outside the EU? Knowing the answers to these questions will improve efficiency, and enable you to access the data and act on it quickly and reliably.

3. Which lawful basis for processing is used by my company?
GDPR provides several lawful bases (consent, legitimate interests etc.) for the processing of personal data. The company needs to identify which one it uses to process personal data. It is important to identify the lawful basis you use for processing because it has an effect on individual rights. For instance, if you rely on someone’s consent to process their data, they will generally have stronger rights (e.g. request to have their data deleted).

4. Does my company have any procedures in place to handle data subjects’ requests?
Is there a software already in place that allows data subject’s exercise their rights (e.g. right to be forgotten), is there a timesale to respond to data subject’s request (e.g. right of access)? Knowing if you already have procedures, will enable you to quickly respond to data subject’s requests, and if there aren’t any procedures in place, then you can begin to work on having new procedures.
 
5. Is my company prepared for a data breach?
In cases where there is a data breach, do you have mechanisms in place that detect data breaches? are there any processes in place to address data breaches? This is important because if you have mechanisms to detect data breaches, it allows you to address the breaches quickly and mitigate its possible adverse effects, where appropriate effectively.

Disclaimer: This blog is made available by NIPO for the purposes of providing general information and a general understanding of GDPR, and should not be considered or used as a substitute for legal advice. NIPO does not accept any responsibility or liability for the accuracy, completeness, legality, or reliability of the information contained on this blog.

Cyber attacks are continuing to increase globally in both number and scale, impacting all kinds of organizations in all kinds of industries. Every company is a potential target. Which means market researchers need to be as aware as anyone about the possible threats and take the necessary preventative action. This calls for being armed with the relevant knowledge and having a system which robustly protects survey data and, with that, company reputation.

A single “NotPetya” ransomware attack in June 2017 led to Nurofen maker Reckitt Benckiser taking an estimated EUR 110 million hit in revenue*. 

*source: the Guardian 6 July 2017

Just think about what would happen if your company falls victim to malware which compromises your entire fieldwork operation, causing irretrievable loss of your fieldwork and respondent data. Not to mention the damage done to your client relationships.

We did, which is why NIPO’s Nfield survey systems are designed to keep cyber attackers out. But optimal cyber security also depends on good human awareness of the threats, so people themselves do not become the vulnerable weak link. We therefore held a webinar about cyber security to educate our customers and help them protect their interests.

In this, NIPO explains why IT security in market research matters to you, provides guidance on what you can do to keep cyber attackers out and answers questions such as: 

• What are the probable external and internal cyber threats, and how could they damage your market research business?
• What is the correlation between the different types of infrastructure (on premise, hosted or cloud) and data security vulnerability?
• What is ISO 27001-2013 certification, and why is it so important and indispensable for your research business?
• Is there such thing as a “checklist” to run business securely?

Find out more
For more details on how NIPO ensures cyber security in its solutions and business, see the Nfield security factsheet. 

So what’s next?
If you would talk about whether your current solution meets the required security standards, then let us know. You can contact us at sales@nipo.com.

Sending interviewers to targeted locations requires specific distribution options within the software itself, all of which can be found within Nfield CAPI. Have you already heard about sampling points?

​Sampling points help you organize the fieldwork

In face to face interviewing, we refer to sampling points when talking about survey distribution. So what are sampling points?

From a technical perspective, sampling points are a way of categorizing interviews into certain groups (points). Categories could literally be anything: streets, areas, cities, or even experienced interviewers in one sampling point and less experienced interviewers in another.

In practice, sampling points are commonly used for a geographical distribution of interviews. The usage of sampling points helps you

• assure a geographical representativeness of the survey
• simplify the quota frame
• control the fieldwork and targets better.

Thanks to sampling points it’s easy to assign interviewers to interviews and control your fieldwork!

The geographical categorization helps to divide and manage the fieldwork and survey targets because interviewers may live in different areas or because you need to find respondents across a number of areas. 

For example, when working on an international project involving many countries (offices worldwide), one sampling point could be one country (one office) with many interviewers.

Or in another case, when working on a local project, the town could be divided into parts with each one assigned to a different interviewer as a sampling point.

Nfield CAPI offers various scenarios

The following examples are theoretical and meant to explain you the main differences.

1. Surveys without sampling points and without quota
Non-geographical distribution is defined and your interviewers can ask anybody and anywhere.

Typical situation: polls

Example 1 without quota and sampling points actually means no table at all.

2. Surveys without sampling points and with quota
Non-geographical distribution is defined by sampling points, but please note that a quota frame can still be used for geographical distinction. The fieldwork is controlled through the total target that is placed in the software.

Typical situation: the interviewers who live in different cities interview people who are randomly passing by

Example 2 with quota, but no sampling points

3. Surveys with sampling points and quota
Geographical locations with the targets as the sampling points (Amsterdam East, Amsterdam West, Amsterdam South) need to be uploaded first, and then a quota frame with sample characteristics (female, male) should be set up. The fieldwork should be controlled through sampling points, not the total target. The sum of the sampling points targets is your total target, but having the total in the software does not help you control the fieldwork better.

Typical situation:  a complex set-up used for international or national projects when a detailed distribution is needed

Example 3.1. with sampling points and quota, less items

Example 3.2. with sampling points and quota, more items

Computer-assisted-telephone interviewing (CATI) guides the interviewer step-by-step through the questionnaire, dials telephone numbers according to a certain criteria set and analyzes processes in the background to enhance your cost and operations efficiency. Did you know that…

..CATI has been around for more than 40 years?

Until the 1970s telephone data collection relied on the use of paper questionnaires, which were administered by interviewers over the telephone. The data from the paper questionnaires then had to be manually edited, keyed, and processed before results could be distributed.
 
As computers advanced, becoming smaller and more powerful, the concept of utilizing them to conduct surveys was pursued. From simple solutions with basic options, CATI soon evolved into complex engines, and NIPO is proud to own one of the most proven and renowned CATI solutions on the market today.

​Choose a solution that suits you best

When selecting a software solution, there are two options for conducting your telephone research: on premise or cloud CATI solutions. NIPO offers both options so you can choose the one that suits you best.

• On premise (NFS CATI solution): physical servers, CATI software and your survey data are stored and maintained within your own organization’s IT infrastructure, therefore you need to establish your requirements internally. Most CATI features are located within the CATI software, not the dialer itself, so you can connect a dialer of your choice to the software.

• Cloud (Nfield CATI solution – under development): your survey data is stored in the cloud infrastructure at Microsoft’s data center. Microsoft and NIPO are responsible for all maintenance, system upgrades, cooling equipment and power delivery tools. Most CATI features are located in the dialer, therefore it is not possible to connect a dialer of your choice to the CATI software. This solution is under development. For more information, contact us at info@nipo.com.

​CATI features

Our CATI solutions power the largest telephone surveys in the world. Amongst market researchers, it’s wildly accepted as a reliable and robust telephone data collection platform. Our Sales Team are keen to work with you to understand your needs and assess what solution would work best for you.

The key features of our CATI are:

• CATI operations can be scaled up from six to thousands of interviewers
• It enables interviewers to work from anywhere (called virtual call centers)
• Questionnaires can be designed with easy-to-follow instructions and cues
• Respondents have the option to start a survey on the phone and complete it online later
• An open architecture allows features to be customized to meet different standards – for example, to control how many times a telephone number should be called, or the call-again delay for busy calls
• Listen and coach your interviewers live
• Quota targets can be viewed and managed in real time
• Changes can be made in real time without bringing operations to a halt to modify interview scripts or dialing parameters
• Progress and performance can be monitored in detail, regardless of the location of the interviewers

Even more, our CATI solutions offer advanced capabilities such as auto, progressive and predictive dialing to help you drive productivity.

• Predictive – the dialer determines that a percentage of calls will be unsuccessful and therefore makes a large number of calls in parallel and then routes the live call answers to the next available interviewer.
• Preview – the dialer makes sequential dials from a contact list and allows the interviewer to preview the contact record prior to the call and decide if they wish to proceed with a call or move to the next contact on the list.
• Power – the dialers connect interviewers to respondents more efficiently by allowing the interviewers to focus on live connections. When an interviewer becomes available, the system automatically dials the next contact.

Face-to-face interviewing is a complex process comprising interviewers, mobile devices and software. A multitude of elements within this process can make a project prone to mistakes, leading to a delay in the delivery or even data loss. Outlined below are our essential tips for some of the most common problems associated with face-to-face interviewing to help you ensure a smooth execution of all CAPI projects.

1. Select the right device

The Nfield CAPI app runs on all Android tablets and smartphones, though not every device will serve you accordingly. We recommend that you run through a checklist mapping the factors that come into play when selecting the right CAPI device.

2. Embrace the issue of security

Security of your data is an absolute priority to us. Rest assured that we do our utmost to keep your data safe, however you also have a crucial role to play in data security by following a few simple rules:

• Ensure that you can wipe a device remotely in the event that it gets stolen. If this is not a feature on the device itself, please consider acquiring such a service. Mobile Device Management (MDM) software will help you configure, manage and secure mobile devices. Never heard before? Please see http://www.air-watch.com.
• Create logins per interviewer; never set up logins per device. Nfield CAPI enables you to track activities taken by the interviewers through their unique user ID.
• Set strong password requirements in Nfield CAPI, and ask your interviewers to keep their logins confidential or even to change the password regularly. The downside is that the more complex password, the bigger chance the interviewers will eventually jot it down on a piece of paper.
• Apply a user role configuration that defines a scale of activities the user is allowed to perform in Nfield CAPI. When somebody leaves the company, don’t forget to remove them from Nfield CAPI immediately.
• Once the quota of interviews for your project is reached and the fieldwork concludes, press the STOP button on the Nfield CAPI interface to automatically remove the survey from all devices the next time interviewers sync.
• Un-assign interviewers who no longer work on the project.

3. Prevent possible trouble in your fieldwork…

… by informing your interviewers thoroughly about how to use the Nfield app. 

• Always log out of the app at the end of the day – never remain signed in the Nfield CAPI app.
• Sync regularly so that you work with the latest version of the survey and its information. Please bear in mind that transferring large volumes of data after various days of work may take you plenty of time.
• Ensure your internet connection is stable when you start syncing the data, and do not change your network connection as this can disrupt the data transfer.

• Activate the GPS on your mobile device if you receive a notification through the Nfield CAPI app.
• If you are assigned to a project which includes addresses and you share the device with more interviewers, don’t leave unfinished interviews in the Nfield CAPI app. When the next interviewer logs in and syncs his data on the device, your unfinished interviews will be removed.
• Use the device’s energy source wisely as you will be using it throughout the day to complete all interviews. Please see the recommendations how to prolong battery life.

4. Monitor updates

There are two types of software updates that you need to be aware of:

1. Nfield CAPI app updates
2. Android operating system updates

Nfield CAPI app updates (NIPO)

The Nfield CAPI app is managed by NIPO, and any updates are designed solely to augment the features of the app. Every release automatically updates the backend of Nfield CAPI but requires the manual intervention of the interviewer to take effect on the device.

Android operating system updates (Google)
All Android operating system updates are managed by a third party – Google. These updates impact the software that the whole device runs on; they are not primarily calibrated to Nfield CAPI functionality.

The Android operating system update usually starts by a window which automatically opens on the screen asking for permission to update the operating system.  The interviewer will need to consent to this before any updates can take place. In other words, the update doesn’t happen automatically.

Whilst we thoroughly test all major updates of the Android operating system to examine whether Nfield CAPI features have not been affected, due to the diversity of mobile devices available and the number of versions of the Android operating being used at any one time, it makes in-depth testing on a large scale impossible.

5. Consider training options

Experienced researchers and fieldwork executives dive into Nfield CAPI without any hurdles. The same applies to scripters who are already familiar with the ODIN language. For those users who require full scale onboarding, we offer introductory and tailored training.

Quality control is a process when fieldwork executives look into various source files to evaluate whether the interviews have been conducted with honesty and accuracy. It is in the researchers’ best interests to ensure that the data delivered to customers comply with the highest quality standards.

Nfield CAPI for smart quality control

In Nfield CAPI you can use location tracking and silent recording with ease to verify data and the credibility of your interviewers.

Silent recording enables you to record either the whole interview or parts of it without the interviewer’s knowledge. It is set up via scripting by inserting a simple command.

Location tracking means collecting unbiased information about the locations where your interviews have been conducted. To allocate an interviewer, the device has to be equipped with:

• the GPS receiver which is the most popular and more accurate option and/or
• Wi-Fi and mobile network – GSM, 3G or 4G which, on average, provides less accuracy than the GPS.

Things to remember about GPS

• The interviewer can activate both the GPS and Wi-Fi and mobile network options in device settings, and let the system decide which one will capture the location best given the current conditions. It is very convenient, though activating both options consumes battery life very quickly.
• How accurately the GPS is able to capture a location depends on various factors: number of satellites in view, mountains and ionospheric disturbances, signal interference caused by buildings and number of channels on the receiver. Specifications for most GPS receivers indicate their accuracy will be within 5-15 meters, 95% of the time. This assumes the receiver has a clear view of the sky and has finished acquiring more than three satellites. If the conditions are not ideal then the accuracy declines rapidly.
• Nfield CAPI automatically attempts to capture the current location of an interviewer when the survey is started. This process happens discreetly in the background and without interviewer intervention. If the required accuracy is not achieved, the interviewer will need to confirm the best available location match manually after completing the interview. The location is saved in paradata and only persons with assigned rights are permitted to download this to view the locations of the interviews.

More options: measure twice, cut just once

In addition to the aforementioned methods, you can utilize Nfield CAPI for:

• Speeding – measure the average time needed to take the survey and check if some interviews have been completed way faster than is realistically possible. You can download the interview duration easily.
• Straightening – analyze the data to see if the same answer category for a series of questions appears too frequently.
• Pictures – look into the data and view the pictures snapped during the interviews.
• Call back – use the gathered contact information of respondents to conduct random calls to verify the data.

You can reject interviews that do not meet the quality standards in Nfield CAPI which will then  eliminate them from the complete target counts and exclude their data from the overall survey data.

Care about the best quality for your customers

False or insincere interviews provide useless data that cannot be delivered to customers, nor do they support the researchers’ objectives. The situation can even tarnish your reputation if the wrong data is used for expensive, important analyses that influence customers’ business decisions. Whilst the majority of interviewers respect their job and the nature of their work, there will always be a small percentage who will try and find shortcuts.
 
A lack of quality control usually results in more cases of false interviews. Pen and Paper researchers struggle with quality the most. Based on our experience, a few dishonest interviewers are revealed at the start when switching from Pen and Paper to CAPI, and as soon as the interviewers realize that the quality of their work is being thoroughly checked, the number of unfortunate incidents decline. Further features of the quality control system then prevents a come-back of dishonest practices.