ESOMAR introduced an updated version of their Questions to Help Online Sample Buyers (formerly known as the ESOMAR 28). Over the last couple of weeks, we have been exploring the changes to this document and what it means for researchers. In Part 5 of our series, we will be continuing our deep dive into the changes; this time looking at the Policies and Compliance section.
The rise in recent years of privacy legislation has had a major impact on many different industries, market research included. Because current (CCPA, GDPR, etc.) and upcoming privacy legislation affects what information can be stored, asked for, or even provided back to a respondent, a sample buyer should understand the policies and measures a sample provider has in place to stay compliant. Sample providers that execute global fieldwork should address specific privacy legislation to help buyers of sample understand potential limitations in other markets.
Also included in this section are the policies and measures regarding information security and what specific sample providers are doing to keep it secure.
How do you comply with key data protection laws and regulations that apply in the various jurisdictions in which you operate? How do you address requirements regarding consent or other legal bases for the processing of personal data? How do you address requirements for data breach response, cross-border transfer, and data retention? Have you appointed a data protection officer?
Since privacy laws impact both sample buyers and sample providers, buyers need to understand the methods a provider is using to stay compliant and what processes are in place to ensure both parties are covered. With so many different pieces of privacy legislation worldwide, sample companies can help buyers understand which laws apply in the markets where they want to conduct research.
How can participants provide, manage, and revise consent for the processing of their personal data? What support channels do you provide for participants?
While consent for collecting and processing data as part of market research has long been required, it is now explicitly required by many data protection and privacy laws. Ensuring that there are processes in place for respondents to manage access to their data is a key part of compliance. Additionally, the definition of personal data may differ by country.
How do you track and comply with other applicable laws and regulations, such as those that might impact the incentives paid to participants?
Similar to the previous questions, sample buyers need to understand how a sample provider tracks these other laws and regulations to ensure both parties remain compliant with them.
Do you implement “data protection by design” (sometimes referred to as “privacy by design”) in your systems and processes? If so, please describe how.
This question discusses the approach of considering privacy and data protection issues at the design phase of systems, services, products, or processes. Sample buyers should use this to understand whether those systems and processes were designed with data privacy in mind, or whether privacy was bolted on afterwards.
What are the key elements of your information security compliance program? Please specify the framework(s) or auditing procedure(s) you comply with or certify to. Does your program include an asset-based risk assessment and internal audit process?
Where the previous questions dealt with data privacy and regulations, this question focuses on information security and what a sample provider has in place to protect its systems.
Check back with us next week for the next blog where we will be looking at the final section, Metrics, and the changes that have taken place.