Getting GDPR compliant
https://dilbert.com/search_results?terms=data+privacy

How an American user researcher met GDPR.

I’m originally from America. All the obvious ignorant-American jokes aside, I never really understood the whole concept of data privacy and GDPR. My entire user research career had been based in the United States, and, within my limited knowledge of the topic, it didn’t really affect me. I had my lean but informative consent forms, knew to ask permission to record sessions, and anonymized participants. I was fine.

Until I moved to Europe, specifically Germany. There I was, in a new role in a new country, excited to get started with user research, armed with my American consent form and recruitment tactics. Since the role was Senior Researcher at a start-up, I was ready to just move forward on my own with everything I had learned up to that point.

I knew GDPR was important in the EU, but I didn’t take the time to really familiarize myself with how it might impact my day-to-day role. I played the role of the ignorant American pretty well. But, really, I promise it was well-intentioned.

Why did I start caring about GDPR

Other than moving to Germany, where GDPR is much more apparent, one particular event knocked me over the head with how important it is to understand these concepts:

I made a mistake when recruiting from a list of our participants. Instead of BCC’ing a group of customers, I CC’d them, which exposed every address to every recipient. Luckily, it was a small list of people, to whom I immediately apologized. We then contacted our data privacy officer to understand what the next steps were. For those few days, I was terrified I would lose my job and be shamed by the GDPR gods, but I am happy to share the experience with others. Don’t mass email customers, even if you have no other tool and are excited to get research underway (duh).

Fortunately, the whole thing was considered extremely minor, and was reported to the necessary people, and it all blew over in a few days. But, that event taught me a lot: to take GDPR and data privacy more seriously than I had in my previous roles.
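The CC-instead-of-BCC slip above is easy to make by hand and easy to prevent in code. The following is an added example (not from the article, and not the author’s tooling): it builds a recruitment e-mail that keeps participants in Bcc, and a check that refuses to send any message exposing more than zero external addresses in To/Cc. The domain name and participant addresses are constructed placeholders.

```python
"""Build a recruitment e-mail that hides participants from one another, and
verify before sending that no participant address is visible to the others.
Added example; the domain and addresses below are constructed, not real."""
from email.message import EmailMessage
from email.utils import getaddresses
from typing import List

# Assumed: our own organisation's mail domain. Addresses here are "internal"
# and may appear in To/Cc; anything else must go in Bcc.
INTERNAL_DOMAIN = "example-research.test"

# Constructed participant list for the demonstration.
PARTICIPANTS = ["alex@participant.test", "bo@participant.test", "chris@participant.test"]


def build_recruitment_message(sender: str, participants: List[str], subject: str,
                              body: str, use_bcc: bool = True) -> EmailMessage:
    """Compose the invitation. With use_bcc=True the participants are placed in
    Bcc and the only visible recipient is the sender; use_bcc=False reproduces
    the CC mistake so the check below can be demonstrated on it."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    if use_bcc:
        msg["Bcc"] = ", ".join(participants)
    else:
        msg["Cc"] = ", ".join(participants)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def exposed_external_addresses(msg: EmailMessage) -> List[str]:
    """Every address that all recipients would see (To and Cc) and that is not
    one of ours. A non-empty result means participant data would leak."""
    visible = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted(addr for _, addr in visible
                  if not addr.lower().endswith("@" + INTERNAL_DOMAIN))


def safe_to_send(msg: EmailMessage) -> bool:
    """Gate to call right before smtplib.SMTP.send_message(); send_message uses
    the Bcc header for the envelope and strips it from the transmitted copy."""
    return not exposed_external_addresses(msg)


if __name__ == "__main__":
    good = build_recruitment_message("research@example-research.test", PARTICIPANTS,
                                     "Help us test a prototype", "Hi! Would you join a 30-minute session?")
    bad = build_recruitment_message("research@example-research.test", PARTICIPANTS,
                                    "Help us test a prototype", "Hi!", use_bcc=False)
    print("bcc version safe:", safe_to_send(good))
    print("cc version exposes:", exposed_external_addresses(bad))
```

The check is deliberately strict: it does not count addresses, it rejects any external address in a visible header, because a single misplaced participant is already a disclosure.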

Maybe you aren’t like me and actually took the time to read more about GDPR, but even those articles are lengthy and, for me, didn’t break GDPR down into actions I had to take, which is why I am writing this one. I am not going to cover everything regarding GDPR, but instead some actions I have put into practice recently, even if, in retrospect, they seem like common sense.

How I have handled GDPR & data privacy moving forward

Once I realized how important GDPR would be for conducting user research in the EU, I decided to take action to better understand and adhere to it. It isn’t going anywhere, so I might as well become friends with it.

Talk to your legal team

I immediately contacted our legal team to get more advice. I sent them an updated consent form, as well as my recruiting screener, to review. Note: this takes a very long time, and I wish I had done it the moment I started at the company, but lesson learned. Since then, we have been going back and forth on how to “GDPR-ize” the user research process.

Recruiting

Not going to lie, GDPR has definitely killed my fun recruiting vibes. I quickly learned I couldn’t simply recruit anyone who hadn’t explicitly signed up for our newsletter (and so had already consented to receiving communication from us), which limited the pool of participants I could choose from. I also realized that collecting some of the data in the recruitment survey was not recommended, and that the approach of “let’s get as much as we can and use what we need” would not fly here. This is what I have done:

  1. Trimmed my recruitment survey down to the bare bones of what I need to contact participants, with very few questions on demographics. The survey also gives participants the option to skip any question (even required ones), and links to our data privacy policy
  2. Agreed to delete the recruitment data after one week, to ensure participants’ anonymity and that their research sessions cannot be linked to any personal data
  3. Recruited only from our newsletter subscription list, as I know that is the “safe route.” I am hoping to open up recruiting through other means, such as a HotJar integration. If anyone else has GDPR-compliant ways of recruiting, I would love to hear them. I know we have to be careful with incentives!
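Steps 1 and 2 above (a minimal survey, and deletion after one week so sessions cannot be tied back to a person) can be enforced rather than remembered. Here is an added example in Python, not the article’s or any product’s code: survey answers are filtered against an allow-list on intake, each record gets a random pseudonym that is the only identifier written into session notes, and a purge drops whole records once the one-week window has passed. Field names, the sample answers and the dates are constructed for the demonstration.

```python
"""Data minimisation and one-week retention for recruitment records.
Added example; field names, sample answers and dates are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
import secrets

# The retention window the article describes: recruitment data lives one week.
RETENTION = timedelta(days=7)
# The "bare bones" survey (assumed fields): contact details plus two screening
# questions. Anything else a form might send is discarded on arrival.
ALLOWED_FIELDS = frozenset({"name", "email", "role", "uses_product_weekly"})
CONTACT_FIELDS = frozenset({"name", "email"})


@dataclass
class RecruitmentRecord:
    participant_id: str                  # random pseudonym; the only id used in session notes
    collected_at: datetime
    answers: Dict[str, Optional[str]]    # None means the participant skipped the question


def collect(raw_answers: Dict[str, Optional[str]], now: datetime) -> RecruitmentRecord:
    """Keep only allow-listed fields; skipped questions are kept as None."""
    kept = {k: v for k, v in raw_answers.items() if k in ALLOWED_FIELDS}
    return RecruitmentRecord(participant_id=secrets.token_hex(8), collected_at=now, answers=kept)


def is_expired(record: RecruitmentRecord, now: datetime) -> bool:
    return now - record.collected_at >= RETENTION


def purge_expired(records: List[RecruitmentRecord], now: datetime) -> List[RecruitmentRecord]:
    """Delete whole records past the window; run this on a daily schedule."""
    return [r for r in records if not is_expired(r, now)]


def contact_details(participant_id: str, records: List[RecruitmentRecord]) -> Optional[Dict[str, Optional[str]]]:
    """Resolve a pseudonym from session notes back to a person. After the purge
    this returns None, which is exactly the unlinkability the article wants."""
    for r in records:
        if r.participant_id == participant_id:
            return {k: r.answers.get(k) for k in sorted(CONTACT_FIELDS)}
    return None


# Constructed timeline: two sign-ups, purge run eight days after the first.
T0 = datetime(2024, 3, 1, tzinfo=timezone.utc)


def demo() -> dict:
    first = collect({"name": "A. Tester", "email": "a@participant.test", "role": "designer",
                     "uses_product_weekly": "yes", "age": "34"}, T0)          # "age" is not allowed
    second = collect({"name": None, "email": "b@participant.test", "role": "pm",
                      "uses_product_weekly": "no"}, T0 + timedelta(days=6))  # name skipped
    records = [first, second]
    remaining = purge_expired(records, T0 + timedelta(days=8))
    return {
        "dropped_field_on_intake": "age" not in first.answers,
        "records_before": len(records),
        "records_after": len(remaining),
        "first_linkable_after_purge": contact_details(first.participant_id, remaining) is not None,
        "second_linkable_after_purge": contact_details(second.participant_id, remaining) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Deleting the whole record, rather than blanking the contact fields, is the simpler guarantee: there is nothing left to join against, and the pseudonym in the session notes becomes meaningless on its own.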

Consent Forms

With consent forms, I had always thought less was more, albeit a very un-American stance. I was wrong. My one-page, double-signature consent form was simply not sufficient. I went back and forth with legal on how to make our consent form GDPR-compliant. There are a lot of examples out there, but none that necessarily took the cake.

I created a template for you all, including a consent form (double signature) and a data privacy agreement. It is pretty standard, but I figure sharing is caring.

Data Processing Agreements

Whew, I had no idea what a DPA was before I started exploring this wonderful land of GDPR. We use Typeform as a recruitment tool because, well, Typeform is beautiful and easy to use. Little did I know, we couldn’t simply use Typeform, even though they are GDPR compliant; we had to actually enter into a data processing agreement with them. We are in the process of doing this (note: it takes time on legal’s side). However, Typeform made this extremely easy:


In addition to Typeform, we use Google Drive to store research sessions. Google doesn’t handle it the same way as Typeform; instead, you have to opt in to Google’s terms.


Now we are exploring what all of this means with legal, in order to make sure we are covered.

Storing research

This is actually my biggest pain point, even more so than recruitment. For stored research, such as recordings, GDPR and data privacy guidelines ask that you keep it only for as long as it is necessary. Now, in my opinion, the amount of time a company may find research sessions necessary and helpful could be…well, forever. For usability tests, sure, I could see deleting those after a few months, or once the changes have been made, but generative research? *Sigh*. I just can’t see a world in which research gets erased, so I am still struggling with this.

My biggest takeaways

  1. Take this seriously, and don’t try to get away with not dealing with these annoying rules
  2. Understand, at least, the basics of GDPR and how to implement GDPR-compliant research practices
  3. Talk to legal as soon as possible to start these conversations, as it can take a lot of time to get everything together. Right now, I am still blocked
  4. Accept the fact that you might not have taken the time to understand something so important :)

How have you incorporated GDPR into your research practice? I would love to hear more.
