https://pds.blog.parliament.uk/2018/04/13/gdpr-user-researchers-wont-break-the-law/

Back in the GDPR: user researchers won't break the law

The General Data Protection Regulation (GDPR) is a new EU regulation which strengthens people’s rights to understand and control how information about them is used.

The regulation is particularly important to our user researchers, and the team has been busy preparing for it to avoid the multi-million pound fines that threaten organisations who aren’t ready.

For us to help our teams understand users, we need to handle a lot of personal data to plan and run our sessions. While we follow the best practice guidelines for ethical research, it still means some changes in our processes and how we work.

The data we hold

As our researchers work directly with members of the public who represent users of Parliament’s website and other digital products, we have a lot of information on people. This includes:

  • the name, contact details, and occupations of people invited to participate in research
  • video and audio recordings of what happens in our research sessions
  • written notes about what people say and do in these sessions
  • a list of professionals who’ve volunteered to be contacted about research in the future

How we’ve prepared

We need rigorous processes for dealing with each of these types of data, and we need to be able to show how we’re prepared to deal with requests.

So to get ready for GDPR, we documented each kind of personal data we hold, why we hold it, and how it’s retrieved. We’ve also written down our processes so that we’re confident we can retrieve, edit, or delete the data as required when someone asks us to.

We’ll also be providing guidance to the other members of our product teams. As they’re not researchers, they’ll need help making sure they don’t accidentally break the law when participating in research.

Consent has always been very important for researchers. Everyone who takes part in research should understand what they are participating in, what data is being captured from that session, and their rights for that data.

We’ve updated our consent form to help achieve this by including:

  • the context of the study (why we are running this specific round of research)
  • what data is being captured from that session
  • what we'll do with the data afterwards
  • how long the data is kept for
  • how people can request their data from us

All of this helps make sure that we’re treating users’ data ethically and safely, as well as being able to comply with our legal requirements.

GDPR is coming!

GDPR is a big deal for teams across Parliament, as almost every team holds some degree of personal data. However, our research team hopes to lead the way in demonstrating how to be prepared for it.

If you’re interested in learning more about GDPR, and how research teams should prepare, take a look at the resources below:

We also recently took part in a workshop with the Government Digital Service (GDS) capturing how different research teams are preparing for GDPR. The output from this is being published in their service manual soon, so look out for it.

*featured image by Paul Downey using Creative Commons License 2.0.

1 comment

  1. Steve Bromley

    For research teams interested in making sure they are GDPR compliant, this blog post has come out recently and is a comprehensive guide to what you should be thinking about... https://medium.com/design-research-matters/general-data-protection-regulation-gdpr-and-user-research-e00a5b29338e
