Alarming headlines about the implications of the General Data Protection Regulation (GDPR) changes are worrying for landlords. Can you still share data to enable third-party research organisations – like Acuity – to undertake surveys?
Clearly, this is an issue we take very seriously, especially when we read reports like the one from W8 Data, which suggests that only a quarter of existing customer data meets GDPR requirements and that the remainder will be unusable.
Many have wondered whether it is allowable to send customer data to external research companies after the 25 May deadline. Where does that leave landlords which want to undertake independent, robust customer satisfaction surveys or insight?
We’ve been doing a lot of work behind the scenes on this and can reassure all our clients that, yes, this data can be shared so that independent customer research can continue.
What do the experts say?
We asked Julie Corney, Standards and Compliance Manager at the Market Research Society (the UK’s professional body for research, insights and analytics) about whether clients could send us files containing data such as residents’ names, addresses, telephone numbers, email addresses and personal data (such as ethnicity, age/DOB) without having obtained “permission” from each individual. By this, we mean permission to pass on data to third parties/subcontractors, or to include them in satisfaction surveys without having asked them to opt in.
She confirmed that this is still allowed, saying: “Yes, they are still able to forward this information for research purposes.”
ESOMAR, the global voice of the data, research and insights profession, says there are three specific grounds within GDPR under which researchers can process personal data:
- consent of the data subject/ research participant for the research purpose(s)
- legitimate interests of the data controller (or a third party)
- performance of a public interest task or exercise of official authority.
Acuity will be working under the second option when acting as the data processor for our clients who are the data controllers. But how will it be decided what constitutes a “legitimate interest”?
ESOMAR says the interests of the data controller must be balanced with any prejudice to the rights and freedoms or the interests of the data subject. In assessing whether the data controller has a legitimate interest, you must take into account the “reasonable expectations” of the data subject.
What is Acuity doing?
To comply with the regulations, we’ve undertaken staff training and made the following changes to our systems:
- Improved housekeeping functionality to delete personal data that is no longer required for projects.
- Using secure file transfer for transmission of data
- New functionality to identify & delete personal data in case of ‘Right to be forgotten’ request
- New standards, processes and procedures for project set-up, management, fieldwork, reporting, closure and housekeeping
- Updated contracts and project specifications to include GDPR data protection and agreed data retention periods
- Updated privacy and data protection policies
- Identified and deleted all data that is no longer required as part of an ongoing process
- Improved policies to prevent a data breach
Can we help you with GDPR?
As always, Acuity is keen to support its customers. We are currently running a one-day training course on Data Protection and GDPR, specifically targeted at the social housing sector.
We are also happy to talk through GDPR requirements in more detail to help clients planning tenant surveys and other insight work – please contact us.
Acuity will, therefore, continue to support landlords and tenants by providing rigorous, high-quality insight into the effectiveness of service delivery, giving robust feedback and helping to raise standards.