The GDPR raises many new compliance topics and will require research and analytics companies to revisit compliance with others to ensure that compliance is adequately documented. Here are some of key topics:

Lawful Basis for Processing

Every data processing activity requires a lawful basis and the two most common for mr/a are:

  • Consent
    • Given by a statement or a clear affirmative action
    • Must be specific
    • Must be informed
    • Freely given
    • Silence is not consent
    • Right to withdraw
  • Legitimate Interest
    • Companies may have a legitimate interest in market research activities
    • Balance assessment: consider whether in this particular circumstance customers would expect that transfer and processing and whether that processing is likely to have a disproportionate impact

Sign Up for GDPR Updates

Receive critical information and valuable guidance on the many operational implications and requirements for marketing research and data analytics companies.


We are committed to keeping your e-mail address confidential. We do not sell, rent, or lease our subscription lists to third parties, and we will not provide your personal information to any third party individual, government agency, or company at any time unless compelled to do so by law.

Appointing a Data Protection Officer (DPO)

  • Both controllers and processors must appoint when:
    • Core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale;


  • Core activities consists of processing on a large scale special categories of data and (or) personal data relating to criminal convictions and offences
    • Special categories = data relating to health/genetic/biometric information, race/ethnicity, sexual life/orientation, trade union membership or religious/philosophical beliefs
  • Qualifications:
    • Professional with “expert knowledge of data protection law and practices” who is appointed by an organization to fulfill the tasks set out in Art. 39.
    • Senior role, but it can be outsourced
    • Must know the law & know the organization
  • Required Tasks

View a helpful DPO Appointment Decision Tree here.

Cross-Border Transfer

Transfer of personal data to recipients outside the EEA is generally prohibited unless:

  • the jurisdiction in which the recipient is located is deemed to provide an adequate level of data protection;
  • the data exporter puts in place appropriate safeguards; or
  • derogation or exemption applies.

One appropriate safeguard is self-certification to the EU-US Privacy Shield Framework. Learn more about the Framework and the Insights Association Privacy Shield Program here.

Core Principles


The GDPR makes controllers responsible for ensuring all privacy principles are adhered to and, requires that organizations demonstrate compliance with all the principles.

Data Minimization

The GDPR strongly emphasizes that companies should only process the personal data that it needs to process in order to achieve its purposes.

Data protection by design and default

This is an extension of the data minimization principle. Data protection by design and default requires that controllers plan projects to include and implement appropriate technical and operational measures to ensure that, by default, only the minimum necessary personal data is processed.

Company Duties

The GDPR imposes more duties on controllers and processors of data. Below are a non-exhaustive lists.

Duties of Controllers:

  • Accountability: must be able to demonstrate, compliance with the Data Protection Principles
    • Data minimization: Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed
    • Data protection by design and by default: both in the planning phase of processing activities and the implementation phase of any new product or service, Data Protection Principles, and appropriate safeguards, are addressed and implemented
    • Joint controllers: apportion data protection compliance responsibilities between themselves, jointly liable
    • Appoint a representative in EU (unless processing activities are occasional, small-scale, and do not involve Sensitive Personal Data)
    • Appointing processors: significant new requirements must be included in all data processing agreements.
  • Records of processing activities
  • Cooperation with DPAs
  • Data Security
    • Reporting Data Breaches to DPAs: without undue delay and within 72hrs of becoming aware (exception=no likely harm to data subjects)
  • Notifying Data Subjects of Data Breaches: high risk=undue delay

Duties of Processors:

  • Legal compliance obligations imposed directly on controllers and processors
    • Conflicts between the controller's instructions and applicable (EU) law: processor required to inform controller that it cannot comply with controller's instructions where they conflict
  • If processor makes decisions re: processing will be treated as controller
  • Required to keep records of processing activities
  • Cooperation with DPAs
  • Data security
  • Notify controller of data breach without undue delay
  • Appointment of DPO
  • Data subjects can bring claims directly against processors

 Rights of Individual

The GDPR also creates new rights belonging to individuals (data subjects). Below is a non-exhaustive list.

  • Controller must provide information in relation to data subject rights request within  30 days (can be extended by DPA)
  • Right to access
    • GDPR expands the mandatory categories of information which must be supplied in connection with a data subject access request
  • Right to erasure & Right to restrict processing
    • Notifying third parties about exercise of rights is duty of controller
  • Right to Data Portability
  • Right to Object to Processing (legitimate interest as basis)
    • The right to object to processing of personal data must be communicated to the data subject no later than the time of the first communication with the data subject

Impact Assessments

Where a new processing activity is proposed (especially where new technologies will be used) resulting in a high degree of risk for data subjects, the controller must first conduct an Impact Assessment.

A single Impact Assessment can cover multiple processing operations that present similar risks.

  • Prior consultation: Where particular risk to rights and freedoms, controller must consult with DPA.
    • National Data Protection Authorities are responsible for creating a list of the types of processing that are subject to Impact Assessments

Disclaimer: The information provided by the Insights Association is for informational purposes only and not for the purpose of providing legal advice. Please contact your attorney to obtain advice on specific issues or questions.