GDPR is the most important change in data privacy regulation in over 20 years, yet a recent Kantar TNS study shows that most people remain unaware of the changes affecting their personal data with the implementation of the General Data Protection Regulation (GDPR) on 25 May 2018.

Given that all businesses use some sort of software to handle client data, it is critical that both the software provider and the user of the software work hand in hand to become and remain compliant with the upcoming GDPR regulations.

Even more so within the Market Research and Consumer Feedback industry, where by design the players are collecting, storing and handling vast amounts of sensitive data.

Although data protection and privacy regulations are not new and most players in our industry have always taken them very seriously, there are some new aspects of GDPR we should all be aware of. As the appointed GDPR officer at QuenchTec, I have been working rigorously to make sure our clients can easily be GDPR compliant using our solutions.

Here are some key aspects: our clients are Data Controllers, and QuenchTec is a Data Processor.

Data Controllers (our clients) are responsible for GDPR compliance, which mostly consists of operational procedures and documentation.

More specifically, our clients are responsible for:

  • End-user notification, consent, and withdrawal of consent
  • Deciding what data they expose to Data Processors
  • Deciding what connections (where end user data and passwords reside) to use
  • Signing up and, if necessary, creating new users
  • Ensuring their users meet the age requirements and obtaining the appropriate consent if necessary (such as parental consent for children)
  • Implementing the mechanisms necessary for their end users to retrieve, review, correct, or remove personal data
  • Deleting user data after receiving right-to-be-forgotten requests
  • Providing data in standardized formats
  • Responding to their end users’ privacy-related requests (DSAR)
  • Responding to communications from the European Union Data Privacy Authorities
  • Data breach notifications sent to supervisory authorities and end users
  • Selecting an EU tenant when setting up their Data Processor tenants

As a Data Processor, QuenchTec is responsible for:

  • Following the Data Controller’s instructions as set out in a Data Processing Addendum/Agreement
  • Notifying the client if we receive requests from the client’s end users exercising their GDPR rights as subjects for data access, erasure, and so on
  • Notifying the client if we receive requests from EU Data Privacy Authorities (unless prohibited by law enforcement)
  • Notifying the client if we become aware of a confirmed security breach
  • Notifying the client if any of our sub-processors notify us about a confirmed data breach that impacts our clients’ data (unless prohibited by law enforcement)
  • Providing a privacy policy, terms of service, security statement, data protection agreement, and so on, to give information on our policies and practices
  • Providing information about our data processing, so that clients have the information they need to process data lawfully
  • Defining our services and features, how data is processed, and the rights and obligations of clients
  • Providing the means to enable clients to retrieve, review, correct, or delete customer data via our solution interfaces and APIs
  • Providing a mechanism for clients to sign up customers (panelists, with consent terms and consent agreements)

This is not a complete list for GDPR compliance but highlights the key shared responsibilities of Data Controllers and Data Processors.

Equally important is to carefully review the setup with hosting infrastructure providers. Ask your infrastructure provider to what extent they have the fundamental mechanisms in place for handling your clients’ data in a compliant way. Most importantly:

  • Databases are encrypted
  • Data can be stored in any data center, allowing UK clients to store data in the UK, in other EU countries, or in the US, Asia, etc.
  • Backups and file storage are also GDPR compliant

As we can see, GDPR requires all stakeholders to work together. It is more than simply doing the necessary part to be compliant with the new regulations. The review process between Data Controllers, Data Processors and Infrastructure Providers also provides a great opportunity to strengthen the relationship, find smarter ways of working together to provide great insights for our joint clients, and make sure that the all-important privacy of each individual is guaranteed.