Protecting PII in Research Ops

Thereasa Roy
August 3, 2022
Protecting PII in Research Ops

As a research professional, you know how foundational a good participant panel is to your success. Getting a hold of customers, getting them to opt into research, managing their participation, and not over contacting them. So, protecting the privacy and security of their data is of utmost importance. 

At the ReOps Conference 2022, we heard Kasey Canlas talk about PII and why, as ReOps professionals, it’s our responsibility to control access to the data. That means we have to know:

  • What PII is
  • Where it lives
  • Who has access to it
  • When it should be anonymized/deleted
  • Why we have it in the first place

What is PII?

PII stands for personally identifiable information.

I loved Kasey’s description of PII because it’s much easier to remember than the legal description you find in all the laws. If someone can take a few bits of information about a person and type it into Google, revealing contact information for that person, then it’s PII.  It’s not all the legal words, but it gets the point across. 

Where does PII live in research operations?

For ResearchOps teams, the PII of your participants can live in a bunch of places: your panelist database, your repository, and data even exists in your calendar. And, if you are using a bunch of different platforms to manage each of those steps in the research process, each of those tools just got harder to control because there is PII in each, and the number of folks who have access to this data just got larger.

Who can access PII while conducting research

When it comes to access to PII, many people underestimate just how much access we have to participant PII, and it’s unnecessary. For example, as a product manager, you don’t need to know the participant's email address who said they want feature A over Feature B in the next iteration of the roadmap. You might need their title and company data, but you don’t even need their name and email address. Marketers and designers don’t need all the phone numbers of the people who said they didn’t like the latest website, they just need their titles and company sizes. 

Managing what PII is seen by whom, or not at all, can be difficult if you don’t use a tool that can easily remove PII from the database. With Great Question you can determine what PII is based on the users' access and remove PII from the participant panel and any other parts of Great Question, including the repository. 

When to anonymize/delete PII

Going back in time might be nice for some, but recency is best for research. There’s often little need to keep participant details for someone who hasn’t responded to the last three inquiries in the last six months. It’s up to you to determine the parameters for when to keep and when to delete. Still, if you are constantly refreshing your participants via regular recruiting work, removing folks who aren’t engaged is easy. 

When it comes to when to anonymize, consider the following:

  • What participant PII is in your systems
  • Who is accessing it and why
  • How might this PII make its way out of the systems if you do nothing?
  • Would you want this to happen to your PII? 

Why do you have PII?

My favorite part of Kasey’s talk was when she reminded us always to ask “why.” It’s such an obvious question that researchers ask it all day long. But, in this case, ask why you may or may not need all this information. Do you need a last name, do you need the email address for a quant survey? Maybe you just need industry and company size? Always be asking “why,” and remove unnecessary information requests. 

Tools & best practices for protecting PII

Kasey provided a great template that she shared during the session. You can clone it and document your research operations organization's 5W’s for PII. 

Once it’s documented, you can determine how you can anonymize data in certain steps and/or to certain groups. Make sure you update stakeholders so they understand why you made the change. 

Lastly, find a tool that helps automate as much of this as possible. Great Question is a GDPR-compliant research ops tool. We’ve made compliance a feature because we believe that a great research experience starts with consent and ends with deleted data. We’ve recently received our SOC2 Type 2 compliance certificate (after just nine months on the market) because on our mission to democratize research, we want everyone to feel secure.

Request a demo today today!

Similar posts

Try the all-in-one UX research platform