Research operations teams get access to unprecedented customer data and insights. While there’s no question that it’s important to have access to that data, the compliance associated with customer research can be VERY hard to manage.
Here’s a story…
At a well-known organization with a directive to do regular customer research, the research ops team ran as many research projects as they could handle. Research ops were responsible for managing the panel, scheduling and conducting research, sending incentives, and sharing insights (with the help of the project lead). Halfway through the fiscal year, the CFO came to the head of ReOps and said that the entire incentive budget had been spent for the year. It turns out product managers were developing their quarterly roadmaps and needed to get customer feedback to validate their roadmap decisions.
The product managers went to customer success friendlies and asked which customers had been complaining about specific features the product manager wanted to build and asked for their contact information. The customer success team members were excited to fix their customer problems. They gladly handed over all the relevant customer information: name, title, company name, email, and phone number to the product manager.
The product manager set up interviews on Zoom, conducted research, and sent out incentives. Each of the recorded sessions was uploaded into the repository, denoting all the customer data (name, title, company, industry, company size and even email), with video clips for their quarterly product roadmap planning brief. These docs are shared across the entire product and even executive teams. The briefs are stored in the company’s shared intranet and are never deleted.
Do you see the problem here?
When it comes to research ops, there are many security and compliance considerations, from participant data to compliant tools to clear and regularly updated processes, and each has its own level of complexity. In this post, we outline the security and compliance considerations for a ReOps team and what you can do to protect your participants, your team and your organization.
When asking a participant for their contact information for a study or to join a rolling panel, you need to be clear about what they are joining and communicate clear terms and conditions each time they opt in for a study.
TIP: At the very least, have your legal teams review consent forms before inviting people to join a panel.
Personally identifiable information (PII) is all over the place. Sometimes it might not even feel like full PII, yet it is. Our favorite definition of PII was given by Kasey Canlas at the recent ReOps Conference. She said, “if you can bring the data to Google and uncover more information, then it’s PII.” She used the example of “Joe the customer service rep at Home Depot” versus “Joe the CEO of Home Depot”: knowing the details of a person may denote PII, or it may not. What you need to do is determine what PII is for your organization and make that very clear to your participants. Then you need to control who can access it.
TIP: Ask yourself, what’s the least amount of information we NEED to conduct this research?
Once you have outlined PII, walk through your data sources and figure out who has access to PII. If they don’t NEED access to all of that PII (maybe they just need title and industry, or title and company size) then you can limit what PII is included in the data sources.
TIP: Make sure you have tools that can obfuscate data based on user permissions.
Always be asking yourself and your teams what’s the minimum customer data you need to conduct this research. Yes, you probably need their first name if you are running an interview, but you might not need to know their email address, especially if the scheduling is being coordinated through another team.
TIP: Map who has access to what customer information from the point the customer joins your panel to the time they leave your panel.
No one needs to review a customer interview video, survey, diary test, or tree test result from 2 years ago. It’s probably not even worthwhile to keep the data past 6 months. Set a policy and stick to it.
TIP: Find a tool that automatically deletes at a time you determine, so you don’t have to manage this process.
We’ve mentioned it a couple of times in this section, but most of this data is kept in tools or systems that also require management. Remember that even a “GDPR compliant” tool still relies on the customer to control access and duration.
The tools you use in the research process play a big role in the security and compliance of participant and researcher data. When evaluating tools, dig into these capabilities (at the very least).
Is there a way to automate consent management for your panelists? Is that updated with each study participation as required by GDPR? Is it easy for the participant to opt out and ask for their data to be deleted?
Non-disclosure agreements might come up in early discovery calls, and including custom NDAs can keep your data more secure. It can also protect your customers if they are talking about a use case that might contain proprietary information. NDAs should be customizable, if needed, within the system you use to manage your participants.
There are specific compliance requirements based on the industry and location in which your company and your customers operate. Understanding how that plays a part in your research process is important. Look for tools that have compliance certificates where necessary for your requirements.
Controlling access to your panelist data and repository is important. Access controls like SSO and 2-factor authentication make it easy to manage and control permissions based on individuals or roles.
The worst thing that could happen is finding out that your customer data has been leaked through a 3rd party tool. Find a tool that has validated its security. Look for SOC 2 compliance and always ask for security documentation. Share this with legal and your data privacy team to address any additional questions.
Just like you need to manage the records in your system, you need to make sure you don’t lose your data, either. So, confirm the data retention and backup policies for the solutions you are considering.
Now that we’ve addressed the people and the tools, let’s look at the processes and how security and compliance need to be addressed.
Start by mapping the entire process from outreach to content deletion. There are security and compliance considerations across each part of the research process. They’ve been outlined below for your reference.
This is where you are keeping track of participants, starting with the invite all the way through to deletion. Understand:
This is most relevant for interviews, because now calendars become visible to participants and researchers, and even stakeholders. Ask yourself:
Interviews are the least private form of research, especially in the world of remote work today. Research is happening in people’s homes all the time. Make sure you are using a tool like Zoom that makes it easy to protect the privacy of the researcher and participant, from editing their name to not revealing email addresses to blurring backgrounds.
When incentives are sent and redeemed, is that compliant with your company policies? What if your participant needs to change their incentive type? Can they do that easily?
There is often a ton of great insight hiding in your repository, but it might not ALL need to be there. If stakeholders can access the PII of participants, it’s probably not a best practice. Being able to pare down the information kept in the repository, while keeping the good information available, is a fine balance. Also, consider an auto-delete policy. We suggest videos and survey results older than 6 months aren’t worth keeping in the repository. Insight reports might be kept longer but should be wiped for PII before sharing.
Knowing the people, places, and processes that impact security and compliance for your participants, your team, and your organization is an important part of being a good data controller. As a research ops team member, you are responsible for many of these areas, and it’s in your best interest to map and refine processes because at the very least it will help reduce biases in your participant set.
By removing PII and limiting access to extra, unnecessary data, teams can form less biased opinions and cannot pick and choose the dataset that best supports their stories.
Five steps to a secure & compliant research ops practice