Posted on 07/17/19 by Danielle Marbellagas
The GDPR was implemented to give EU citizens more control over how their data is collected, used, and protected. Although the GDPR is an EU legislation, it still affects organizations based in non-EU countries. One of the primary objectives of the GDPR is to protect the personal data of all EU citizens and residents. Therefore, organizations that process and handle the personal data of data subjects who are EU citizens or residents must comply with GDPR.
But first, what is GDPR?
The General Data Protection Regulation or GDPR is designed to protect the personal data of individuals residing in Europe. Organizations that are not GDPR compliant may face fines up to 4% of their annual turnover or €20 million, whichever is greater.
More than a year has passed since the legislation was implemented and we’ve gradually seen how it has been enforced. In just one year, the sum of GDPR fines has amounted to approximately €56,000,000 as stated by the International Association of Privacy Professionals or IAPP, with Google receiving the largest on January 21, 2019. The French data protection authority (CNIL) fined Google with a €50 million for violating the GDPR. Another instance would be EE Limited, a British internet service provider, who was fined £100,000 for sending over 2.5 million direct marketing messages to its customers, without consent.
A more recent case is the British Airways which is set to be fined £183.4 million for a data breach that affected around 500,000 customers. To date, it is the largest ever fine for a data breach and the first to be issued in the UK under the GDPR.
Does the GDPR affect market researchers outside of the EU?
Article 3 of the GDPR describes the legislation’s scope of law. It states that the regulation will apply as long as the personal data of a Data Subject is being processed. This applies whether the processing takes place in the EU or not.
The section also mentions that there are two cases where non-EU organizations can be affected by the GDPR: the offering of goods or services and the monitoring of behavior.
Offering goods and services
Organizations from around the globe rely on market researchers when gathering important data from prospects or customers. Therefore, it’s highly likely for a multinational company to conduct market research in the EU. Do note that as long as they offer their services to companies or individuals in the EU, they fall under the scope of GDPR. This includes recruiting participants from the EU.
Monitoring their behavior
The market research data gathering process makes use of surveys, interviews, focus group discussions, and the like, and can be conducted online or offline. Gathering as much data as necessary is essential to better and more accurate insights, and may require tracking, monitoring, and analytic tools for a closer look into consumer behavior. This includes shop-alongs or simply cookie tracking on a platform or website. If the research involves participants from EU countries, then there is a requirement to be GDPR compliant.
Since market researchers generally handle various participant data and information, it’s essential to know where and how GDPR is applied in international origins. Seek advice from data protection experts who can help to ensure the company remains GDPR compliant.