NIPO is proud to announce the opening of our new Mumbai office. In recent years we have seen a strong growth of our business in the Asia Pacific region, something that also was the result of our Nfield China deployment we launched 2 years ago. This major step is now followed by the opening of our new office in Mumbai, that has been in business as of 1 November 2021.

The NIPO Mumbai office will be dedicated to supporting our customers in the Asia Pacific region, with backup from the NIPO Helpdesk in Amsterdam. 

NIPO offers remote support to all Nfield users by email (no telephone at the moment, due to all staff working at home for reasons related to Covid), hosts Nfield introduction sessions and on-site training sessions on topics ranging from survey creation to fieldwork management.

We are delighted to announce the opening of this new office and look forward to supporting you from Mumbai!

Having achieved gold status for the Application Integration competency for the Microsoft Partner Network at the end of last year, we are proud to share the news of NIPO’s success in achieving an additional Silver status for the much desired Security competency.

The competencies Microsoft awards are a strong confirmation that these partners have demonstrated the highest, most consistent capability and commitment to the adoption and implementation of the latest Microsoft technology. Securing a competency is highly dependent on successful certification of technical staff, which implies a deep and continuous investment from both the organization and the individual software developers.

Our Nfield users can benefit directly from NIPOs status within the Microsoft Partner Network. Next to our annual ISO 27001-2013 (Information Security) certification, this is another proof of leading external recognition for the NIPO team and our Nfield platform. This information can be used in client pitches for those projects where Nfield, as Kantar’s destination platform, is used and where the customer would like to understand how, for example, security is addressed.

Securing the Silver status for the Security competency was one of our goals for 2021. Now the NIPO team will continue her efforts to upgrade the Security competency to Gold status.

The Nfield CAPI app, used by interviewers to conduct surveys, has recently undergone an extensive makeover to make it more intuitive and, with that, faster to work with. This has resulted in a new version (2.11) which users are now invited to switch to.

To switch to version 2.11, go to the diagnostics tab in the Nfield CAPI app’s settings. For now, these settings allow you to switch between the old and new versions as you prefer. Over time, the old version will be phased out.

What’s changed

Instantly identified by its teal coloring (instead of blue), the new version Nfield CAPI app has been completely redesigned in terms of navigation and how the various screens look and work. From the very start, you’ll see how all the high-level information is shown together on one screen, with the ability to expand any section in one tap. Users thereby have instant access to latest status details without going to a different screen, so can quickly switch between various functional elements.

This simplified navigation provides the shortest path to starting an interview. Throughout the course of a day’s work, interviewers spend less time navigating around the app and enjoy faster access to what they need to know and do. With fewer distractions, work is easier to focus on.

The thinking behind the update

The person behind our new version Nfield CAPI app is our UX (user experience) designer, Deniz. Having worked at NIPO for more than 12 years, including time on our helpdesk, Deniz has a deep understanding of what Nfield CAPI users need. In his UX work, he uses various tools and techniques to generate insights into user behaviors. Putting these two things together, combined with the fact that user interaction technology has evolved a long way since Nfield was first launched in 2013, Deniz realized it was high time to give the Nfield CAPI app a major overhaul. The result is our customers and their interviewers all get to benefit from a more streamlined way of working.

Standardized familiarity

The Nfield CAPI app’s new look is based on the Material (https://material.io/) interface guideline that standardizes how elements in a screen should be designed for intuitive interaction. This determines the look and behavior of navigation bars and how cards are used.

Following standardized principles is advantageous because users more quickly feel comfortable with using an app that’s new to them, due to already being familiar with the process via other apps. In psychology, this is known as the Mere-Exposure Effect. So we have a very solid reasoning for adopting design standardization!

Below are the components used in building the new Nfield CAPI app. All of which should be familiar to everyone used to using apps.

No time to waste

Market research interviewers often only work part-time or for short-term periods. The ability to quickly get up-to-speed on how to do the job is very important. Preconditioned familiarity for how to use their tools, in this case the Nfield CAPI app, is therefore very valuable. We believe it only takes two or three uses of the new Nfield CAPI app to feel fully comfortable with it. And, of course, because the new navigation is more streamlined, work can be done more quickly too.

What do you think?

The new version Nfield CAPI app is all about making interviewers’ work easier and faster. Deniz will continue to update it as necessary to improve the user experience even more. The more feedback he gets from you, the better he can make it!

We therefore invite you to tell us what you think about the new version Nfield CAPI app. What do you like about it and what do you feel should be done differently? What new functionality would you like to have?

Contact us at [email protected].

Nfield surpassed a significant milestone on 20 May 2021, smashing through the 100K completed interviews per 24 hours barrier. More importantly, the Nfield platform handled the 104,758 successful completes without showing the slightest level of stress.

The record completion rate was comprised of 86,949 Online surveys and 17,809 CAPI surveys. Of these, 49K were performed on the APAC server, an incredibly high figure which was driven by a single survey in Japan which produced 37,226 completes.

Assisted by isolation

This Japanese survey is, itself, significant for the fact that it ran as an isolated survey using dedicated Azure resources (containers). Using this solution means that the load it generated did not have any impact on other domains and/or surveys. The ability to run isolated interviewing is facilitated via Nfield’s Function app, which has been made possible following intensive collaboration between our team and Microsoft architects. The Function app itself was hit more than 2 million times in 24 hours in relation to this Japanese survey.

But not an isolated event

Having confirmed Nfield’s ability to comfortably handle this level of traffic, we are looking forward to it becoming a daily norm. It’s good to know that isolation can be a very positive thing! 😊

At the very end of 2020, NIPO further enhanced its status within the Microsoft Partner Network by adding a third Gold Competency. Complementing already-held Gold competencies for Application Development and Cloud Platform, the addition of Gold status for Application Integration means NIPO’s team has now received the highest possible recognition from Microsoft for its proficiency in three separate areas.

This achievement underscores NIPO’s ability to provide its customers with a cutting-edge SaaS Azure Cloud based platform, leveraging the latest Microsoft technologies and fully meeting Microsoft’s standards. NIPO has earned its Gold competencies by demonstrating “best-in-class” ability and commitment to meeting Microsoft customers’ evolving needs in today’s mobile-first, cloud-first world.

Jeroen Noordman, Managing Director of NIPO: “The Application Integration competency is highly relevant to NIPO. Our Nfield platform is open by nature, so we have been very eager to demonstrate our comprehensive understanding of all the opportunities and challenges this topic presents. Attaining this third Gold Competency is also proof of our ongoing commitment to continuous investment in keeping our NIPO team members’ knowledge fully up-to-date. This recognition from the Microsoft Partner Network ecosystem benefits both NIPO and our customers. We are very proud to announce this latest achievement and look forward to having more exciting news to share relating to our MPN involvement during 2021”.

Gavriella Schuster, corporate vice president at One Commercial Partner (OCP) at Microsoft Corp.: “Achieving Gold Competency confirms that partners have demonstrated the highest, most consistent capability and commitment to the latest Microsoft technology. These partners have deep expertise that positions them at the top of our partner ecosystem, with a proficiency which can help customers drive innovative solutions”.

With the spread of coronavirus (COVID-19) disrupting daily life all over the world, we’ve noticed the changes in human activity being reflected in Nfield surveys. As regions have gone into lockdown and people have been discouraged, or even ordered, to avoid contact with others, CAPI interviewing has become all-but impossible in some places. Where this has been the case, there has been a significant increase in Online surveys to compensate. To illustrate, we’re sharing usage patterns for Nfield CAPI and Online in our China, South Korea, Spain and Vietnam deployments, so you can see how survey execution has changed along the coronavirus timeline.

While we are, naturally, as concerned about the situation as everybody else, we are pleased to see that our customers have been switching between Nfield CAPI and Online without any problems. This is because we developed these two survey channels with the same scripting language and result format. Switching can therefore be done in just a few minutes, with minimal support needed from our helpdesk.

China

Nfield CAPI vs Online in China
At the time of writing, China remains the country most heavily impacted by coronavirus (COVID-19). This is reflected in a uniquely dramatic shift in survey channel usage. In normal times, CAPI very much dominates China’s survey activity. But with public spaces mostly deserted, and people being reluctant to interact with researchers, face-to-face interviews have almost completely ceased. Meanwhile, Online surveys have increased significantly to fill some, although not all, of the gap.

The correlation between Nfield usage in China and events on the coronavirus timeline clearly confirms how these are linked. A decrease in survey activity before long holidays such as Chinese New Year, which began on 25 January 2020, is common. Our graph shows an expected reduction in CAPI fieldwork leading up to this. Survey activity remained extremely low while the Chinese New Year holiday was extended to 2 February, due to the disease. As people gradually started returning to work in Beijing/Tianjin/Hubei/Sichuan, albeit from home, survey activity resumed on a very small scale. After the first ten days this increased to some extent, but almost exclusively via Online.

South Korea

Nfield CAPI vs Online South Korea
As of 5 February, there were fewer than 20 confirmed cases of coronavirus in South Korea, although the gradual increase in neighboring China was starting to cause alarm in other countries. By 7 February we were seeing a drastic decrease in CAPI face-to-face interviewing, while use of Nfield Online grew to twice its normal amount. As widespread infection took hold in South Korea, Online survey usage tailed off again to normal levels. Meanwhile, CAPI diminished greatly, but not completely.

Spain

Nfield CAPI vs Online in Spain
Spain’s Nfield usage pattern is very similar to that seen in South Korea, although the early February switch from CAPI to Online happened sooner and more drastically than in South Korea. In Spain, a 3-day Online spike suddenly dropped off again on 13 February, after which there was a reduction in both CAPI and Online. CAPI continued to play a diminished role in Spain’s survey landscape until the last two days of the month.

By 5 March (a week after CAPI all-but disappeared from use), the Spanish government advised companies to send workers home to reduce contact. On 6 March, Spain ranked 7th in the world for the number of confirmed cases. We expect to see the impact of these measures in March volume reports.

Vietnam

Nfield CAPI vs Online in Vietnam
Thanks to prompt and decisive governmental action, Vietnam did a very good job of containing the spread of coronavirus and preventing it from getting out of control. Like China, Vietnam had a relatively long new year holiday. However, the Vietnam government declared coronavirus to be an epidemic at a very early stage, on 1 February, when the number of confirmed cases stood at 6. As a result, Vietnam only had 16 reported cases, with the last one declared on 13 February. Usage patterns for both Nfield CAPI and Nfield Online very quickly returned to normal when new cases stopped being reported.

A WHO official, called Park, told Al Jazeera¹: “The country has activated its response system at the early stage of the outbreak, by intensifying surveillance, enhancing laboratory testing, ensuring infection prevention and control and case management in healthcare facilities, clear risk communication message, and multi-sectoral collaboration.”

¹ _{https://www.aljazeera.com/news/2020/02/infected-patients-vietnam-cured-coronavirus-miracle-200228035007608.html}

We proudly present our Nfield Top 15 Customers! We would like to take this chance to give them a round of applause and to recognize their project success with Nfield. Conducting projects in Nfield means they have also put security and data compliance to their top priority as we do. 

These top 15 customers are selected based on their usage in 2019. And the winners are (in alphabetical order):

Amárach Research	AmPuls Market Research	Awe Research
CTR Market Research	Elka Consulting	Hendal Market Research
Kantar (global)	Kantar BBSS SEE	Kantar Hoffmann
Kantar Info Research Austria	Kantar Worldpanel	Media Research Consultants
MERCAPLAN	TNS Ilres	Vital Research

NIPO is delighted to announce that its Nfield Online and CAPI software solutions have earned the 7th position in Capterra’s newly released Top 20 Most Popular Survey Software report.

Capterra

Capterra evaluates software based on product data, validated user reviews and independent research and testing. It also analyses online search activity to generate a list of market leaders who offer the most popular solutions. The resulting assessments therefore represent a solid all-round appraisal. 

Nfield’s inclusion in the 2018-19 Top 20 is testimony to years of hard work developing solutions which truly satisfy user needs. This has been achieved through working closely with the Market Research industry to establish these needs, complemented with dedication to formulating the most robust, user-friendly and cost-effective solutions.    

See the full Capterra Top 20 Survey Software report

About NIPO

NIPO develops Online, CAPI and CATI survey solutions specifically to serve the needs of professional market researchers. For over 20 years, we have been working closely alongside market research organizations to continually deepen and freshen our insights into their challenges, in order to create truly purposeful solutions.

This unique bond means we have robust practical knowledge of how to efficiently organize survey distribution of any scale. Which enables us to serve our customers with exceptionally well-thought-through products, particularly when it comes to tackling large scale national and global projects. Our unrivalled combination of deep industry understanding and high-level IT expertise means our customers benefit from survey software which is genuinely designed with their success in mind.

With more than 200,000 users around the world, NIPO supports many thousands market research projects every year.

2019 spring hackathon at NIPO! 11 teams in Amsterdam and Madrid working on projects like office climate control, geo localization, face recognition, pixel art, and much more. See the video to get an impression of the day.

With GDPR coming into effect in May 2018, which protects and expands the privacy rights of EU citizens, it’s clear, that now more than ever, all market research professionals have to pay close attention to the protection of both their own personal and business customer data. With that in mind, we have revised all our privacy and terms of use policies, which are now readily available on our website. If you are a user of our systems or you are thinking about becoming one, surely don’t miss reading these documents.

Are you a customer or a visitor?

In our effort to make these policies as transparent and simple as possible for you, we have divided them into various groups:

(1) If you are our customer, we encourage you to read these documents:
Customer privacy policy

When employing Nfield:
Nfield acceptable use
Nfield terms of use and conditions

When visiting our website:
Website privacy policy
Nipo.com cookie disclosure

(2) If you are a visitor to our website, but not a customer, please pay attention to these documents:
Website privacy policy
Nipo.com cookie disclosure

Customers and visitors: remember your data privacy rights

We believe that it’s important for you to know your privacy rights, so here they are:

Under various data protection laws, you have the right to access and rectify your personal information. You also have the right to delete your personal information from our systems, unless we have a legitimate reason for holding it.

Especially, if you find yourself in one of the following situations:

• you do not want your personal data to be used in a manner described in our “Customer privacy policy” or “Website privacy policy”;
• you want to see the personal data we hold about you;
• you want to withdraw your consent for the use of your data;
• you want to change or delete inaccurate, incomplete, or irrelevant data;
• you want to contact our Data Protection Officer,

then please notify us by email to [email protected]. We request objections to be clear and specific and to provide us with detailed information on how we should handle and alter your data.

You are welcome to contact our team at the same email address [email protected] with any questions and concerns regarding our policies and terms of use. If you are a customer, you can also contact your NIPO representative directly.

Customers: learn more about the security of our survey solutions

Market researchers all around the world utilize our Online, CAPI and CATI survey software solutions to gain valuable insights into the minds of consumers. This places our software solutions right at the heart of the market research business, and nobody –  whether it’s us, a survey software provider, or you, a market research professional, can afford to let that be compromised.

We have always aimed to build survey software solutions that are secure by design. Which is why we have been the world’s first survey software provider certified to ISO 27001-2013 standards since 2015. Our data security systems are outlined in the “NIPO’s data security” article. We encourage you to learn more about them as you play a crucial part in maintaining the bulletproof security of our survey software solutions.

Data privacy and protection have always been paramount to us. We hope you will support us on this journey.

On 3 October 2018 Microsoft and NIPO organized a Cyber Security War Game at NIPO offices in Amsterdam. A very interesting day that helped us understand a lot on the techniques used by hackers and made us gain insights in the power of cloud platforms in helping you defend against both internal and external threats.

The event

So, on Wednesday 3 October NIPO staff was up for this battle. Manas Bhardwaj and Rob van Abeelen from Microsoft came over to lead the game. NIPO staff was divided in a red and blue team. One team was attacking, the other defending an application.

The aim of the cyber war game was to:

• Understand some of the techniques used by attackers to steal data.
• Understand the range of cyber security theft risks for custom developed software.
• Understand the Open Web Application Security Project (OWASP) 10 most critical web application security risks) and available mitigations.
• Understand the importance of a robust cyber security incident response plan.
• Work more cohesively as a team in the event of a cyber security incident.
• Gain insights into the power of cloud platforms in helping you defend against both internal and external threat actors.

Feedback gathered after the game

Playing the game was a very fun and sometimes (intentional) stressful exercise. Our NIPO colleagues looked back on the event as a good exercise to make you more aware of security, as it brought many security aspects to the forefront. It was a good learning environment, to see how systems can be vulnerable. It was fun and a very close to a real event.

Learnings from the Cyber Security War Game

Apart from a solid confirmation that our efforts to collectively maintain security standards at the highest levels is nothing less than a necessity for a cloud Saas provider, we found these valuable learnings:

• The attackers’ progress had several milestones, and the main breakthrough every time came from having a user account/password. We know how important it is to be careful with your credentials, but being confronted with how big a difference having access to one’s user account is, was impressive.
• We gained insight in (and access to) the tools that hackers use. It is shocking to see how easy it is to use them and the information that you can get if a website has a security issue.
• We learned we cannot only rely on tools (like Veracode) to catch all security issues when developing.
• Events like these clearly show the things you must think when looking at vulnerabilities in code and the competencies of the teams.
• Run exercises like these more often on our own system with a wide group of people. You cannot rely on a few colleagues when dealing with security threats. If they are sick/out, that can be a problem.

In conclusion, it was a very useful experience with positive feedback from our colleagues. We aim to repeat this session at our Madrid office soon.

This series of Academy sessions is on how Nfield can support you in your GDPR compliance.

We asked market research professionals if their organizations are ready for the rapidly approaching validation of GDPR, and what their thoughts are about this topic. This article, which presents the most interesting questions from the survey, is certainly worth your attention because the answers provide an interesting insight into the GDPR readiness of market research organizations. Where does your organization stand? How would you respond?

Question 1: How familiar are you with GDPR?

Response: 75% of market researchers is aware of GDPR.

NOTE! Nobody chose the “This is the first time I hear about GDPR” option, which shows how seriously market researchers take the new data security legislation.

Question 2: How well prepared is your organization for GDPR compliance?

Response: Some of you are GDPR-ready, but many still have enough to do.

NIPO! Our ISO 27001:2013 certification and strong data security measures show how seriously we take it. We’ve always made sure that everything in our organization and survey software solutions has been built from the start following the highest security standards. This has already placed NIPO at the top of the GDPR compliance scale as our systems have been proven to be GDPR-ready even before this new legislation began to worry the whole market research industry. Our team is currently working on strengthening instruments that will help our customers comply with GDPR without troubling their survey projects operations. We will inform our customers in detail about these developments soon.

Question 3: What challenges prevent your organization from accomplishing GDPR compliance?

Response: Understanding is the most difficult part.

NOTE!  GDPR was approved by the EU Parliament in April 2016, giving organizations a two-year transition period for making changes within their activities and processes to become compliant before the new standards come into effect in May 2018. We surmise that the robustness of the legislation, the risk of wrong interpretation, and the higher costs related to the changes deterred many organizations from starting the adoption on time.

Question 4: How strongly do you agree with the following GDPR benefits?

Response: GDPR benefit: a stronger company reputation.

Question 5: Do you think that GDPR will affect the number of people giving the consent for your market research activities?

Response: Problems with the acquisition of consent are expected.

TIP! Now more than ever it’s important to have an up-to-date contact database and establish an honest, mutually-rewarding relationship with respondents. Clean your contact list with https://www.datavalidation.com/ or any other tool, and be honest with you respondents, telling them why their opinions matter.

Question 6: Do you have any concerns about the security of data within your organization?

Response: Researchers are confident about the security of data within own organization.

NOTE! What’s interesting about this result is that the respondents are equally confident about the security of on-premise solutions as well as cloud solutions. In the past many organizations did not always trust cloud solutions. The investments in security and compliance of cloud providers seem to have changed organizations’ views.

Question 7: Thinking of the current platform you use to collect data from respondents, do you think that the platform is GDPR compliant?

Response: Trust in the compliance of the survey platform in use is higher than the factual knowledge about it.

Why all this matters?

GDPR, which refers to the General Data Protection Regulation, aims to protect and strengthen the privacy rights of EU citizens, that have been clearly affected by the intrusive developments of the digital age. It comes into effect on May 25, 2018, and non-compliant organizations risk hefty fines up to 4% of global turnover or €20 million, and huge damage to their business reputation.

Among other things, it says that market researchers are required to have consent of every EU citizen to collect, use and share his/her personal data. Each consent has to define what personal data, for which purpose, and for how long the market research organization is allowed to hold it. Learn more about the important aspects of GDPR in our articles:

• GDPR – what you need to know
• GDPR – the legal grounds for the collection of personal data
• GDPR – the techniques to protect personal data

Do you have more thoughts about GDPR? Suggestions? Or questions? Contact our team at [email protected], we would be happy to hear from you.

Thank you for participating in our survey.

Disclaimer: This blog is made available by NIPO for the purposes of providing general information and a general understanding of GDPR, and should not be considered or used as a substitute for legal advice. NIPO does not accept any responsibility or liability for the accuracy, completeness, legality, or reliability of the information contained on this blog.

Welcome to the third post in our GDPR blog series. In the first post, we gave you an overall high-level look at GDPR. In the second post, we focused on the legal basis on which market researchers can process personal data. In this post, we will focus on pseudonymization and anonymization, specifically how these measures can help you protect individual’s personal data and comply with the GDPR.

Although similar, pseudonymization and anonymization are two distinct techniques that allow data controllers and processors to use data. The difference between the two techniques hinges on whether the individual data subject can be re-identified.

What is pseudonymization?

The concept of pseudonymization is one of the favoured techniques under the GDPR to minimize the amount of personal data that is held.

The GDPR defines pseudonymization as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. It further provides that in order for the data to be pseudonymized, the data must be kept separately and subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. This means that the personal identifiers are removed from the data and stored in a separate database, and linkage to a specific individual will not be possible without the additional information that is held separately.

Although this technique detaches the link between the data and the data subject, pseudonymous data is still considered personal data under the GDPR because the detachment can be reversed and therefore, falls within the scope of the GDPR.

The application of pseudonymization to personal data can reduce the risks to data subjects concerned and help controllers and processors to meet their data protection obligations. The benefits of pseudonymization of personal data for controllers under the GDPR include:

• It is used as a safeguard for processing personal data for scientific, historical and statistical purposes.
• It is an important data protection by design feature used to implement the data protection principles such as data minimization.
• Controllers can use pseudonymization to help meet the GDPR’s data security requirements.

What is anonymization?

Anonymization of data means that it irreversibly destroys any way of identifying a data subject.

Data can only be considered anonymous if re-identification is impossible by the entity holding the data. Using anonymization, the resulting data should not be capable of singling any specific individual out, of being linked to other data about an individual, nor of being used to deduce an individual’s identity.

As long as the data is anonymized, it is outside the scope of the GDPR because anonymous data doesn’t include any personal data. Anonymization reduces any risks to data subjects, for example, where there is a data breach because the data cannot be linked to any specific individual.

In principle, organizations can use anonymized data for purposes beyond those for which it was originally collected and it could be used indefinitely as the data is no longer classed as personal data. In addition, once the data has been anonymized, then controllers do not have to respond to data subjects’ requests because they can no longer identify a data subject.

Conclusion

Pseudonymization techniques are different from anonymization techniques, however, they are both measures used to protect personal data and reduces any risks to the data subject. Both pseudonymization and anonymization are encouraged in the GDPR and enable GDPR compliance.

Disclaimer: This blog is made available by NIPO for the purposes of providing general information and a general understanding of GDPR, and should not be considered or used as a substitute for legal advice. NIPO does not accept any responsibility or liability for the accuracy, completeness, legality, or reliability of the information contained on this blog.

This is the second post in our GDPR blog series. In the first post, we gave you an overall, high-level look at GDPR. In this second post, we will focus on the legal basis on which personal data can be processed, more specifically on the legal bases that market researchers can rely on to process respondents’ personal data.

The GDPR provides several legal grounds on which the collection and processing of personal data can be based. In order to lawfully process personal data, at least one of these grounds must apply.  

The collection and processing of personal data are fundamental to the work of many market researchers. Therefore, it is imperative to know and understand what lawful basis can be used to process respondents’ personal data. For market researchers,the two most common lawful basesto process personal data are:

• Consent of the data subject (respondent)
• Legitimate interest of the data controller (market research company or its client) or a third party (client).

The approach to deciding what lawful basis researchers should use for processing personal data may vary by member states, as domestic markets may have different characteristics. Researchers need to assess what legal basis are most used within their individual jurisdiction, and comply with any national research code of conduct, in addition to the GDPR requirements.

Consent

Consent of respondents will often be used as the lawful basis for carrying out research in many EU member states. The GDPR retains the concept of consent contained in the 1995 directive, but raises the bar for considering it valid, by setting out additional requirements.

Under GDPR consent shall be:

• Freely given: It must reflect the respondent’s genuine and free choice, and he/she must be able to refuse or withdraw consent without detriment. There should be no element of coercion, if the consent was not freely given, then that consent will not be valid.
• Specific: Consent must be intelligible (easy to understand) and distinguishable from other matters like terms & conditions (no bundled consent). It must relate to specific processing operations. Blanket consent that does not specify the exact purposes of the processing is not valid consent.
• Informed: Respondents must be able to understand the extent to which they are consenting and be aware at least of the identity of the controller and the purposes of the processing.
• Unambiguous: It should not be open to more than one interpretation.
• Clear affirmative action: The respondents must do something to manifestly indicate that they agree to the processing of their personal data, such as by a written statement, including electronic means, or an oral statement. An example of a clear affirmative action is the ticking of a box. Silence, pre-ticked boxes or inactivity does not constitute valid consent under GDPR.

Where data processing has multiple purposes, consent should be given for all of them, unless such purposes are considered compatible. This essentially means that the data controller (market research company or its client) can further process personal data, where the purpose of the processing is compatible with the purpose for which the personal data was initially collected.  

EXAMPLE

If a company that produces chocolate wants to know, through a survey, how many adults (ages 18-40) eat their chocolates, it needs to obtain consent for the processing of the respondents’ personal data and specify to the individuals the purpose for which they will be using such data, which is to know how many adults in that age range eat their chocolates. After completing the survey, the chocolate company compiled a list of the people that eat their chocolate often, this list is then used for direct marketing (they send emails and posts to the individuals about their new products). This will be considered incompatible with the purpose for which the respondents’ personal data was collected because the chocolate company never informed the respondents that they would use the information collected from the survey for profiling or direct marketing, and the respondents did not give their consent for the use of their data for this additional purpose.

If the legal basis used is consent, researchers must understand what GDPR consent means and the fact that respondents will generally have stronger rights (right to erasure, right to data portability) where consent has been given.

Explicit consent needed for sensitive personal data

There is a higher threshold for consent when the processing involves sensitive personal data. The GDPR provides that the respondent must have given his/her ‘explicit’ consent, but it does not specify what ‘explicit’ consent entails. Therefore, existing interpretations and guidance from legal advisers and/or supervisory authorities should be consulted.

The Article 29 Working Party (an advisory body made up of a representative from the data protection authority of each EU Member State), in its guidelines on consent, provided that the term ‘explicit’ is the way consent is expressed by the data subject. This means that the data subject must give an express statement of consent. It further stated that, in order to make sure consent is explicit, the data subject must have given consent in a written statement (e.g. signed statement) or an oral statement.

EXAMPLE

Going back to the survey in the earlier example, let’s suppose the chocolate company also asked about health information (i.e. how many are diabetic) of the respondents, the purpose is to enable them to improve their products so their diabetic customers can continue to consume, but with reduced health implications. All health information is considered sensitive personal data under GDPR, and so before the data can be collected and processed, the individuals must have given their explicit consent for this use of the data (granularity will allow respondents to consent for each processing activity).

Children’s personal data is further protected under GDPR. If the research project involves respondents (children) that are below the age of 16 (age limit can change based on the jurisdiction), GDPR states that parental consent must be obtained in order for the processing to be lawful, if you intend to rely on consent.

Consent needs to be re-validated

The GDPR makes clear that consent is not a one-off compliance box to tick and file away, it is an ongoing actively managed choice. It is important to keep records of consent (i.e. how it was obtained, for what purposes and what was consented to).

Data subjects’ consent needs to be regularly reviewed to ensure that the consent is still valid. The GDPR does not give a timeframe for consent to be reviewed, this has to be determined by the controller (market research company or its client), taking into account its needs as well as the rights of individuals, and preferably included in its internal procedures.

Legitimate interests

The term “legitimate interest” refers to the reasonable business purpose that the market research company processing the personal data may have to process data. This may include a benefit inherent in the processing of the company itself or society at large.

The GDPR provides that the legitimate interests of the controller (or third parties) must be necessary for these purposes, except where such interests are overridden by the rights and freedoms of the data subject which require protection of personal data. This means that researchers need to determine whose legitimate interests (market research company or a third party) and understand what exactly the legitimate interests are.

Researchers using legitimate interests as a lawful basis, need to, first of all, do an assessment before processing any personal data of respondents. This assessment is referred to as a balancing test. The balancing test is weighing between what the controller considers a legitimate interest on the one hand, and what the rights of the data subjects are on the other hand.

The balancing test must always be conducted fairly, there are several factors that need to be considered, these include:

1. The nature of the interests of the controller and the reasonable expectations of the data subject (respondent). Is there already an existing relationship between the market research company and the respondent?
2. The impact of the processing on the respondents’ rights and freedoms and the severity of that impact; for this purpose, it is useful to consider the particular status of the respondent (i.e. a child, an employee, a customer etc.)
3. Safeguards which are in place or could be put in place: the market research company needs to ensure that there are appropriate technical and organizational measures in place that will protect the respondent, and mitigate any risks or potential negative impacts of the processing.

EXAMPLE

An example of legitimate interest is in a situation in which a market research company recalls respondents for quality control purposes, although the respondents have not consented to such recall. In this case, the legitimate interest of the market research company is to perform a quality control, while on the other hand, there are the rights of the respondents.

In order to ensure that the rights of respondents are not infringed, the balancing test needs to be applied: after identifying what the legitimate interest is (quality control), the market research company needs to look at what type of data is involved, and to put in place appropriate safeguards (among others encryption or pseudonymization) to protect the personal data of respondents. Only at this point, will it be possible to assess the existence of a balance and the consequent validity of the legitimate interest.

Conclusion

The GDPR provides several legal grounds on which personal data can be processed, however, when it comes to market research, not all the lawful basis can be used. Researchers need to identify which of the lawful grounds for processing can be used for the particular research project before processing any personal data of respondents. As explained above, in most cases, obtaining consent from respondents is the best option, while in other cases, using legitimate interests as a lawful ground may also be appropriate.

If legitimate interest is the legal basis chosen by the market research company for the processing of respondent’s personal data, then it must ensure that it has carried out a fair balancing test. If the balancing test shows that the controller’s interests do not outweigh the rights of the data subject, then legitimate interest cannot be relied upon and the market research company will have to use another lawful basis (e.g. consent) in order to process this personal data.