Guides
October 18, 2020

5 Steps to GDPR Compliant Research Interviews

5 Steps to GDPR Compliant Research Interviews

If you are a student, researcher or work within education, this is for you.

GDPR is one of the least appealing topics to understand and it doesn’t make it any easier that the report published by the European Union spans 200 pages.

However, it really boils down to 4 key areas to understand:

  1. Data minimisation
  2. Data anonymisation
  3. Data storage
  4. Data deletion

Understand them and you’ll be fine.

As an interviewee, you want to be able to tell your story without having to worry about your data being sold, exposed, used or end up in the wrong hands. The question you should be asking yourself is:

“What measures can I put in place to prevent that?”

Step 1: Get consent

Making sure individuals that are participating in your research has been informed properly. Having consent to collect information is the first step you should take care of. In short, they should know what information is being collected and why you are collecting it.

Getting consent comes with various benefits:

  1. You will establish a shared understanding of the research goal
  2. You will establish trust between you and the interviewee
  3. You will strengthen your ethics and method section
  4. You will comply with the regulations 😉

What do you include in the consent form? Below are a few things to consider:

  • How will the data be handled?
  • Who will have access to it?
  • Where will it be shared?
  • What PII will be included?

Spending time on developing a consent form forces you to think in terms of data protection and privacy. It forces you to think about data minimisation, PII, storage methods and in the end that is what GDPR is all about; introducing measures to protect data.

Important concept! PII is any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records.

Step 2: Record the interview

You now have a shared understanding of the information that will be collected and have a signed consent form. Now you start interviewing. Here are a few suggestions to consider:

  • Ask the PII questions before you hit the record button: Instead of using real names you can use IDs or acronyms in the audio and resulting transcript.
  • Consider what device you are using: iPhones are actually great recording devices because of the encryption and password protection. However, make sure that this data is transferred to a GDPR compliant storage location and deleted off the phone immediately.*
  • Think about your location: If you are recording interviews at your local Starbucks chances are that someone can pick up on the conversation and connect it to the person you are interviewing. Choose a more private setting if possible.
  • Anonymise immediately: Ensure notebooks, transcripts, video/audio recordings, etc. are kept anonymous by removing all references to participants.

In terms of recording great audio, ensure the room is quiet and position the recording device close to the interviewee. Do a test run, playback the audio and adjust accordingly. You will need to spend some time up front to do this since it requires preparation. However, spending the time up front will save you plenty of time later in the process.

Important concept! Data minimisation means that we must limit personal data collection, storage, and usage to data that is relevant, adequate, and absolutely necessary for carrying out the purpose for which the data is processed.

* iPhones are excellent devices for encryption and data security. However, having interviews stored on an iPhone makes it harder to keep track of copies, it’s easily forgotten and hence not easy to delete if requested.

Step 3: Store the data safely

You have now finished your first interview. Now you want to consider your storing options. Make sure you take the following into account.

  • Avoid storing multiple copies: When transferring from your phone, to your laptop, to the cloud, make sure that all traces and copies are deleted immediately. It’s easier to do it now compared to later when it’s forgotten.
  • Check up on your cloud provider: If using a cloud-based service, ensure their policy meets the GDPR guidelines. You should be able to find that on their website. Box, Dropbox and OneDrive are usually safe to use and a popular choice for many universities.
  • Access management: Be strict regarding who can access the data. Make sure you update the permissions to access the data if something changes.
  • Paper should be locked away: If you have notebooks or any other paper with PII you should make sure this is stored away safely and not accessible by anyone else than the people that should have.

Another important aspect you should be considering at this point is deletion of data. Will you be able to delete the data permanently with the method of storage you choose? If not, then rethink the provider.

Step 4: Anonymise the transcripts

When you get to the stage of your research where you have to start analysing the data it becomes important to transcribe the audio that you collected. Make sure you have a plan in place on how to approach that. Here is what we suggest.

  • Use acronyms or IDs: When transcribing your work there is no reason to include names and other PII. Choose to use acronyms or IDs when referring to the transcripts.
  • Automated services like Konch: If you are using an automatic transcription service you should make sure that there is a data processing agreement between your university and the provider or that the provider complies with the rules of GDPR.
  • Store the transcripts privately: Make sure the transcripts are securely locked away if paper based and/or stored in a secure cloud if digital. Additionally, make sure that all traces and copies are deleted.

Step 5: Delete the data

You have now finalised your research, released groundbreaking new knowledge, and your job is done, right? Not yet. You are still in possession of some sensitive data that should be deleted now or set to be deleted at a later stage. When we have no use for the data anymore, it should be deleted, permanently.

  • Right to be forgotten: If you are requested to delete data about an interviewee you should be able to do so immediately. Make sure you are able to do this. If you have several copies stored various places make sure you know where it is so it can be deleted.
  • Delete the data after a specified period: Set up a reminder for yourself to delete the research data once this can be done safely.

Set up custom deletion times: Some providers allow you to specify custom deletion times for your data. Use them.

Recent Articles