Staying on top of privacy issues is not an easy task for any organization. Financial institutions must comply with the GLBA Safeguards Rule, health care organizations have HIPAA, companies operating in or selling to consumers in Europe need to follow GDPR, and nine states (Iowa being one) now have comprehensive consumer data privacy laws. These laws apply not only to retention of data and marketing practices, but also to any market research activities you undertake.
Because we conduct market research, our team works hard to stay current with data privacy laws. In this article, I will share some practices we have put in place that you, too, might consider when executing market research.
A is for ‘Approval’
A pillar of many privacy laws is that you need permission to collect a consumer’s information. If you intend to send a customer a post-purchase satisfaction survey, ask for approval with a checkbox during checkout. Consumers also have the “right to be forgotten”; it’s important to offer an unsubscribe option with every invitation. Ensure that your systems can remove someone’s personal information if they request it. You do, however, have the right to keep information that is necessary for your operations. As an example, VRG keeps the contact information of research participants who received incentives, just in case there is an issue or dispute regarding that incentive.
B is for ‘Beware’
If you use a sample provider for your surveys, inspect their privacy guide or obtain assurances they are adhering to privacy laws. If you purchase a list, ask if the individuals on the list provided permission to be contacted. Many list providers simply scrape the web for contact information; this is vastly different than an opt-in list. Using scraped information can not only hurt your data — it may also hurt your company’s reputation. If you maintain your own lists, make sure you are reaching out annually (at a minimum) to provide participants an opportunity to unsubscribe or update their information.
C is for ‘Clear’
When collecting data in a survey or other tool, be radically transparent. Where possible, share why you are requesting information and exactly what you will do with it. Not only is this good practice, but it often boosts participation rates. If your customers know you will be using their feedback to make specific improvements or develop new products, they are more likely to offer their opinions. If the research is masked (you cannot reveal your company name), at least share the research topics that will be discussed and how the feedback will be used.
D is for ‘Defend’
Any personal information — not just Social Security and financial account numbers — has value to criminals, so it needs to be secure. Whether you are in the cloud or operating on your own servers, check that all reasonable privacy tactics are enabled (encryption, two-factor authentication, etc.). Never collect information in research that you do not need or will not use. Consider cybersecurity insurance. Although VRG is a smaller firm, we consider this a worthwhile investment; we know if we have a problem, we can access the insurer’s expertise.
The most important thing to keep in mind about data privacy is to react quickly to any issues or inquiries with a positive attitude and accommodate any requests that the law requires. There are many organizations that provide information on data privacy laws and evolving software tools on the market that automate compliance for larger organizations and/or those operating in multiple countries.
Linda Kuster is president at Vernon Research Group, based in Cedar Rapids.