The new regulation is set to replace the current patchwork of national rules with a unified framework for data protection across Europe. One of the key rules is that companies in breach of data protection rules could be fined as much as 4% of their annual turnover.

“These regulations aim to be a game-changer,” said Kim Leonard Smouter, government affairs manager of ESOMAR. “Companies will get the carrot of significant reductions in bureaucratic requirements, a single law that covers all operators in the 28 Member States.

“The regulations will impact companies of all sizes so regardless of whether you’re a Google or a one-person consultancy; your everyday data collection practice and your bottom line is likely to still be affected.” 

Dr Michelle Goddard, director of Policy & Standards at EFAMRO and the Market Research Society (MRS), said: “European citizens get a whole set of new rights that market, opinion, and social research agencies and research clients alike will need to cater for.  Ranging from a right to be forgotten, a right to object to profiling activities, a strengthened right to prior notification before data collection, a right to data portability, European citizens have more than ever a right to know before, during and after you collect their data. 

“Essentially, if you conduct research whilst respecting the rights of the participant and abiding by the existing Code then you are already complying with the spirit of the new rules.  If however you answer no to any of the questions on our checklist [see below] then you will need to take action – and fast.”

basic compliance checklist

• Do you have a data protection policy that adequately reflects activities across your business and is reviewed regularly?
• Are records of personal data kept only for as long as necessary? When and how are they destroyed?
• Do you really need the information that you hold on participants? Are both you and them clear about what you are going to use research data for?
• Are you sure the personal information that you hold is accurate and up to date?
• Is a senior officer responsible for data protection and do staff know who to report breaches to?