Skip to main content

Focus groups: Unlocking insights, but are you unlocking GDPR compliance? Key tips inside!

 Focus groups: It's all about getting valuable insights and building trust with participants. But in today's data-driven world, there's another crucial element to consider: privacy.

Let's see the privacy considerations that should be kept in mind while conducting interviews with focus groups.

Consent:

  • Obtain explicit, informed consent from participants before any data collection.
  • Clearly explain: Purpose of data collection and processing, types of data collected, how data will be used and shared and participant rights (access, rectification, erasure, withdrawal)
  • Obtain consent for specific processing activities (e.g., recording, transcription).
  • Provide a clear and easy opt-out mechanism for participants to withdraw consent at any time.It is pertinent to note that legitimate interest may also be used as a legal basis (given that no sensitive personal data is being processed) where the data is processed in a manner that individuals/data subjects would reasonably expect and does not have a substantial impact on their privacy, however, use of consent as a legal basis would be preferable.

Data Minimization:

  • Collect only the minimum personal data necessary to achieve the research objectives.
  • Avoid collecting sensitive data (e.g., health, ethnicity, political opinions) unless essential and with appropriate safeguards. The data subjects should be advised in advance to not share any sensitive data during the interaction/interview process.

Security Measures:

  • Implement robust technical and organizational measures (TOMs):a) Encrypt personal data at rest and in transit. b) Store data securely using password protection and access controls. c) Regularly conduct security audits and vulnerability assessments. d) Train staff on data security practices.

Anonymization and Pseudonymization:

  • Consider anonymizing or pseudonymizing data, where possible, to reduce identifiability.
  • If anonymization is not feasible, implement strong safeguards for identifiable data.

Fair Processing Notice:

  • Provide a clear, concise, and transparent fair processing notice to participants, including: Identity of the data controller and processor, purposes of processing, legal basis for processing, recipients of the data (if any), participant rights, data retention period, contact details for any data protection queries. It would be important to consider the source of data before drafting the fair processing notice as the GDPR provides different disclosure requirements for data collected directly and data received indirectly. (Article 13 and 14 of the GDPR)

Data Subject Rights:

  • Respect the rights of data subjects and provide them options to exercise their data subject rights.

Additional Considerations:

  • Data Retention: Delete personal data once it's no longer needed for the research purpose.
  • Sub-processors: Ensure any sub-processors (e.g., transcription services) comply with GDPR and have a Data Processing Agreement in place.
  • Data Transfers: If transferring data outside the EU/EEA, implement appropriate safeguards (e.g., Standard Contractual Clauses).

Remember: GDPR compliance is an ongoing process. Stay updated with guidance and best practices, and regularly review your procedures to ensure they align with evolving regulations.

Labels:

Comments

Post a Comment

Popular posts from this blog

Procedure for change of name of a Company as per the provisions of Companies Act, 2013

Many a time management of the Company may decide to change the name of the Company which may be due to various reasons like change of the objects of the Company, re-branding, conversion from Private to Public Limited or otherwise.   Given below is the procedure to change the name of a Company: 1)     Call a meeting of the Board of Directors of the Company by giving a notice of not less than 7 Days or a shorter notice may also be given as per the provisions of the Companies Act, 2013; Note: The resolution for considering the change of name may be approved through circulation. 2)    Hold the Board Meeting and get the resolution for change of name approved by the Board of the Company;   3)     Apply for the new name of the Company through RUN Service of MCA along with the following attachments: a)     Copy of the Board resolution as approved by the Board for change of name; b)     NOC from the trademark holder ...
Post a Comment
Read more

Payment of Stamp Duty on Share Certificates in Gurgaon, Haryana.

  Procedure for payment of Stamp Duty in Haryana: 1. Preparation of relevant documents: As a first step, the Company should prepare the following documents for submission to the authority:  Application along with INR 10 Court Fee Stamp; Copy of Share Certificates; Certified copy of Board Resolution; Certified Copy of PAN Card of the Company; Copy of Memorandum and Articles of Association of the Company; Copy of Form PAS-3, as filed with Registrar of Companies; List of Directors of the Company; List of Share Certificate Holders of the Company; Authority Letter in favour of Company Secretary/ Chartered Accountant for submission of documents to the authority. Note: It should further be noted that Every page of above documents should be signed by a Director of the Company and should also be stamped with the Company Stamp. 2. Submission of documents to the “Revenue Department”, Haryana. All the above documents shall thereafter be submitted to the Revenue...
Post a Comment
Read more

Legal Entity Identifier l LEI l Change in authorized official/authorized signatory on LEI Portal l Letter of Authority for Legal Entity Identifier l

Ever wondered how can you change the authorized signatory/authorized official on the website of the Legal Entity Identifier India Limited.  It is a general practice to authorize the employees of the company to undertake various statutory registrations and compliances. However, companies often feel stuck when their authorized employees leave the organization.  In today's blog, we will help you with the procedure to change the authorized signatory/authorized official of the company on the LEI Portal.  1) Board's Authorization The first and foremost step for changing the authorized signatory is to get the approval of the board for revoking the authorization granted to the existing employee (who is leaving the organization) and to authorize another official in this regard. This can be done in a duly convened board meeting or by way of a circular resolution. 2) Execution of Letter of Authority Once the board has authorized another official of the company, a "Letter of Authorit...
1 comment
Read more