Five Things Market Researchers Must Avoid to be GDPR Compliant


Although the General Data Protection Regulation or GDPR has been enforced for well over a year, numerous market researchers are still unable to fully understand its effects and consequences. This can be highly disadvantageous since companies that violate this regulation will be subject to heavy sanctions.

The Information Commissioner’s Office (ICO) responsible for enforcing the data protection legislation in the UK has already reported multiple major non-compliant companies in the previous year. These companies include Facebook and Equifax, both fined £500,000 for failing to protect its users’ personal information; Uber, fined £385,000 for failing to inform its users who were victims of a data breach; and Google who went under investigation over GDPR violation claims.

But why wait until you've breached privacy and security regulations? As a market researcher, whether you're working in-house or independently, you have to stay on top of essential things required of you by GDPR. We've compiled a list of things to avoid to maintain GDPR compliance:


Mistakes to Avoid to be GDPR Compliant


  • Not Designating a Data Protection Officer.

If an organization collects data from EU citizens, it’s important they assign a Data Protection officer who has the essential skills and knowledge in data protection. This makes it easier to protect user personal information as they’re responsible for representing the organization when it comes to data and privacy issues.


  • Having an Unclear Data Retention Policy.

According to the GDPR survey data regulation, companies must make sure that respondents are aware of how long their data will be stored in a company’s database. It’s advisable for companies to have their own data retention policy that both satisfies the respondents’ preference while ensuring that the company still meets their goal.


  • Refusal to Let Subjects View and Download Collected Survey Data.

Among the individual rights in GDPR include the right of access and the right to data portability. This allows the data subject to access as well as copy, move, and transfer their personal data. Failure to do so violates GDPR compliance.


  • Not Notifying a Supervisory Authority and Involved Individuals After Data Breaches.

It states in Article 33 of GDPR, data breaches must be reported within 72 hours to their supervisory authority. If the client resides in a state different from the company, they may choose to use their own local supervisory authority. There are cases in the past where companies who failed to do this were sanctioned heavily (eg. Uber fined £385,000).


  • Refusal to Delete Data Subject Data When Requested by Said Individual.

The right to erasure / be forgotten is another individual right within GDPR. This means data subjects have the right to have their data erased when it’s no longer necessary for the purpose it was collected, they withdraw their consent, and data was unlawfully processed. You must also notify third parties whom the personal information was disclosed to.


GDPR non-compliance can lead to multiple fines and penalties so its important to make sure you fully understand what you must and must not do to remain GDPR compliant. It may seem complicated at first but just remember to always ask for a contact's consent first and foremosr. Don’t contact someone without their permission, don’t send non-essential information that wasn’t requested, and don’t use their personal information for other things other than the purpose it was collected for.