Complying with the new GDPR rules means giving panelists more access to their data
When I was growing up, just about everything my family or someone watching us needed to know would be affixed to our refrigerator with tape or magnets. This included a calendar of events, important phone numbers, report cards, receipts, images, to-do lists and more. The fridge was the central repository for upcoming events for our family.
If you wanted to see what was going on in our lives, first you needed to be invited into our home (or have a key to gain access). Only trusted friends, relatives or service providers could get in and see the refrigerator to learn what we were up to.
Just as access to the family fridge was limited, the European Union General Data Protection Regulation (GDPR) has been designed to enhance an individual’s control over their data and restrict outside access. Now, allow us to read your rights! You have the right to be informed when your data is being processed, the right to access your data and confirm its lawful processing. You have the right to be forgotten, the right to data portability, rectification, objection to direct marketing, restriction of processing personal data, and safeguards against AI related decision making. One of the primary aims of GDPR is to give an individual total control of their data, and organizations with access must comply with the demands.
In ARCS we have something a lot like that family refrigerator. We call it the Panelist Portal. This is the individualized home page within ARCS for each member of your participant panel. The Portal gives users control over their core data (along with the ability to update this stored data). Users can also opt out, and all can be done within a single system, complying perfectly with GDPR.
Once someone is invited to join your participant database, they are given a unique “key” (ex: user name and configurable password which you will have the ability to control). This is the place where a panelist can make changes to their name and personalized password.
When my parents would go away, they would leave their itinerary and special instructions on the refrigerator. In the same way, you can post privacy policies, NDA agreements and other information that panel members might need to see.
Let’s say you have someone in your database who must “accept” your terms before being allowed to participate in your research studies. You can provide the documentation, instructions, and mechanisms for them to read and acknowledge. This could be for the original acceptance or a change in terms that requires database members to acknowledge and confirm agreement with the new language.
Within the Panelist Portal, your database members have access to many important pieces of information about themselves, their history, and their upcoming research study schedule. This information, referred to as participant data, is organized into two areas:
- Core data. This includes items such as name, age, birthdate, address, email address, phone number, preferred contact method, household makeup, and more.
- Attributes or custom data points. ARCS allows you to create, ask and track unlimited questions about particular panel members. You can then query on those custom attributes and data points. Some examples could be product usage, demographic information such as education, salary, marital status, and more.
The ability to view and update PII and sensitive data is critical to GDPR compliance. Using the Panelist Portal, your database members can access selected data fields and update these attributes themselves, as their product, brand and usage change over time. This will ensure that you have accurate and up to date information, which will help you invite and qualify the right panel members for your studies. This is also where your panel members can complete any necessary required paperwork (such as NDA forms). All of this information is date and time stamped as well as trackable.
All of the above capabilities are presented in one place, and just like the family fridge the Panelist Portal provides centralized visibility, auditing and tracking.
By giving database members more control and visibility into their data, you will be compliant with the applicable GDPR requirements, protecting yourself and protecting your most important asset, the participants. With greater access and control, they are likely to feel more comfortable with your organization. This can then lead to referrals of additional family members and friends.
Breaking up shouldn’t be hard to do
Lastly, GDPR compliance asserts the participant’s right to be forgotten. They may ask that their data be wiped, either completely or partially. Your participant engagement process needs to: (a) permit such a request, (b) quickly respond to the request and (c) identify the user and types of data to be eliminated.
What types of controls and tools does your participant engagement process have to handle these items? Do panel members constantly need to call your staff to update their information? Would you like to have the visibility and controls to meet the ever-changing data protection needs your participants deserve and meet new regulations like GDPR?