For us and the consumers we represent, the GDPR is bringing about some important and welcome changes. Here’s what we’re doing to keep you compliant.
Designed to improve the rights of individuals in relation to their data, it means every company needs to be clear and transparent about how they collect, process and store the personal data of EU citizens.
At GlobalWebIndex, we’ve always put this level of respect and transparency at the center of our consumer research. In fact, it’s mentioned explicitly in our company values:
“As a business, we respect the consumer. We are transparent and honest about how we collect and use data, preferring to offer more, rather than less, control to the people that we’re profiling for the benefit of our clients.”
While some have looked at the GDPR with uncertainty, for us the directive has been a welcome confirmation that the principles we live by are the right ones.
As a company that surveys hundreds of thousands of people globally each year – and one that maintains a wider panel of more than 22 million people – we know our clients care deeply about how we undertake our research and how we ensure compliance with the GDPR.
We also know our panelists share these sentiments; our research shows concern is widespread about how personal data is being used by companies, transcending regions and permeating all age groups.
To demonstrate how we comply, and live up to our values of transparency and respect, we outline here some of our policies and processes.
Yes. These rules apply to all our respondents around the world, not just those who are EU citizens.
If we re-contact an individual to ask some follow-up questions, we ask them to re-confirm their consent, even if we’ve already obtained it previously.
All of our data is stored in Google Cloud Platform (GCP) or Amazon Web Services (AWS) and is stored almost exclusively in Europe. Both GCP and AWS maintain the highest standards with regard to data security and compliance to regulations.
We work with a range of panels worldwide, including Research Now SSI, Toluna, GMI Lightspeed, DataSpring, Ampersand and OnDevice. All of these are GDPR-compliant.
GWIQ, our analytics solution, is used to profile the audiences interacting with our clients’ digital platforms.
This involves placing a ‘tag’ on their websites and campaigns to better understand who interacts with the content using cookies and advertising IDs. This data is linked to our opted-in panelists to provide rich profiles of these audiences, and to quantify the impact of their marketing. We have taken great care to ensure this data is handled appropriately. Here’s how:
We never use the analytics or survey data we collect on an individual to send them marketing communications, other than to invite opted-in panelists to take new surveys.
We work with a range of industry-leading panels to source our respondents, all of whom are GDPR-compliant.
Every time we go to field for our research, we work with these panels to ensure we get representative samples in each country. Individuals who choose to accept this invitation then come through to the GlobalWebIndex survey, hosted by us. Once completed, they’re redirected back to the panel provider.
It’s these panel providers who have the direct relationship with the panelists, and who hold what was traditionally classified as Personally Identifiable Information (PII).
We never ask for, or receive, this information.
We do, however, collect details including IP address, and ask for permission to drop and read cookies on an individual’s browser.
This information allows us to synchronize survey responses with browsing behaviors on our clients’ website pages and accurately measure exposure to their advertising campaigns.
We also attach a unique identifier (in the form of a generic string of alphanumeric characters) to each panelist’s survey responses.
Additionally, we’ve always given real-world, easy-to-understand examples of how these cookies might be used to ensure panelists comprehend (and are comfortable with) this.
Under the GDPR, cookies, unique identifiers and IP addresses are now definitively (and correctly) counted as personal data, so we’ve worked extensively with our GDPR-specialist lawyers to ensure all of our processes are compliant.
Long ago, we made the decision to feature a cookie consent notice at the beginning of our survey, along with clear, digestible cookie and privacy notices, accessible via hyperlinks.
Across all these documents, we used normal-sized font and everyday language. We gave people the ability to opt-out, and we translated these notices into all of the 30+ languages our surveys are available in.
We did this to outline very clearly to consumers not only our request to drop cookies, but what we wanted to do with the information we collected from them, and how their survey responses or other technical information collected might be used.
Crucially, we have always asked people for their consent and agreement before allowing them to enter the survey itself. We didn’t feel relying on assumed consent, or consent by proxy, was a very transparent, respectful or ethical approach.
Our GDPR lawyers have termed our consent notices as 'remarkably transparent', and noted that our cookie and privacy notices are commendably consumer-friendly.
As such, we only needed to make minor tweaks to our consent screen to ensure it’s fully compliant with the GDPR. This revised version now appears at the start of every survey we run.
Under the GDPR, our respondents are classified as ‘data subjects’, while GlobalWebIndex is termed as both a ‘data processor’ and a ‘data controller’.
One of the best things about the GDPR is its clear definition of the relationship between subjects, processors and controllers. For the data subject, one of these rights is to know the lawful basis by which their data is being collected/processed.
In response to this, we’ve outlined very clearly our basis for collecting/using different types of information (survey responses, cookies, unique identifiers) and what they’re used for.
Most commonly, we process personal data because it's necessary for our legitimate interests (for example, to enable us to provide services to our customers, or for statistical purposes).
Where we rely on legitimate interests as our lawful basis for processing, we always check our interests are not overridden by the rights of the data subjects in question.
As the GDPR sets out clear guidelines about what counts as personal data, we’ve specified the different types of data we collect: Survey data, Technical data, Cookies, Identity data (i.e. unique identifiers).
Anything including ‘Identity data’ is treated by us as ‘personal data’. The data we collect from a respondent will comprise direct interactions (i.e. responses to questions asked) as well as automated technologies and interactions (i.e. information collected via cookies or similar technologies).
In the GlobalWebIndex platform, we’ve ensured the aggregated data be fully anonymized. By this, we mean the responses we collect and then publish in-platform are not connected to any form of personal data – whether a unique identifier, cookie or IP address.
Although this aggregated survey data was originally derived from personal data, in the form it is published it cannot directly or indirectly reveal someone’s identity, and hence it is not considered personal data.
Outside of the platform, personal data such as cookies, unique identifiers and IP address are retained only for as long as they are necessary for legitimate business interests.
For example, in our Core research we interview unique individuals each year – meaning the same person cannot take our survey more than once within a 12-month period.
That means we need the ability to identify individuals for up to a year after they take the survey, hence unique identifiers will be required during this period.
Within our survey, some questions cover areas which the GDPR deems to be a ‘special category’ when it comes to personal data.
We don’t ask all of these questions in all of our markets, but they relate to personal health, ethnicity/nationality, political views and sexual orientation.
To collect and process such personal data, we cite statistical purposes (i.e. inclusion of such results in our aggregated dataset) as our lawful basis.
We ensure all panels make their panelists aware that they may be asked about these categories of data when they sign up to a panel.
We also always give the respondent a ‘Prefer Not To Say’ option within such questions.
This is information pertaining to the collection, use and processing of our consumer research only. For details on how we comply with the GDPR through our marketing, visit our Privacy Page.