GDPR: what we all need to keep in mind

What is General Data Protection Regulation (GDPR)?

GDPR is a regulation that requires businesses to protect the personal data and privacy of European citizens for transactions that occur within European member states.

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.

How can I prepare for GDPR?

You will find lots of advice on the web to help you prepare for the General Data Protection Regulation (GDPR), which will apply from 25 May 2018. We have decided to share these 12 steps by the U.K. Information Commissioner’s Office because we think it is the clearest explanatory list to provide an overview.

  1.      Awareness

You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.

  2.      Information you hold

You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

  3.      Communicating privacy information

You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

  4.      Individuals’ rights

You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

  5.      Subject access requests

You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

  6.      Lawful basis for processing personal data

You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.

  7.      Consent

You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.

  8.      Children

You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.

  9.      Data Breaches

You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

  10.  Data Protection by Design and Data Protection Impact Assessments

You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.

  11.  Data Protection Officers

You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.

  12.  International

If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.

How Askia can support me to prepare for GDPR

From a researcher’s standpoint, the first areas to be impacted, though not the only ones, would be data collection and data processing.

How can I collect, if I can’t store any individual data with personal data?

A while ago at Askia we started to implement easy-to-use features that will prove to be very helpful to reach your GDPR compliant Holy Grail.

  • Restricted access to data
  • Anonymization
  • Encryption
  • Privacy
  • Deletion

Restricted access to data

We have improved the restriction features and added default templates. Every individual who is granted access to the CCA gets his/her access rights via an elaborated set of restrictions. Access to personal data will only be available if predefined in those restrictions.

Anonymization

During market research data collection, personal information will need to remain accessible. However, once fieldwork has been completed, we are no longer allowed to store any personal data: it needs to be anonymized.

Askia provides an automatic anonymization feature that will modify personally identifiable information (PII) so that it can be neither displayed in any kind of data visualisation nor exported as part of a data set.

The anonymization process is associated with the restriction features above, which ensure that only data administrators, with appropriate accreditation, will have access to respondent data (until it is permanently deleted).

By default, all personal data will remain unreadable except by the main fieldwork administrator. Askia strongly advises that restriction schemes are validated by the client’s Data Protection Officer so that they match the GDPR compliance expectations.

Encryption

We strongly advise that you also apply data encryption to all anonymized data. Askia has added anonymization & encryption features across the board that can be activated on all existing data as soon as you have updated to V5.4.9 of Askiafield. Encryption is available on both survey and list data.

Privacy

If a respondent requests not to be contacted anymore, whatever the data collection mode, his/her personal data, such as phone number or email address, must be added to a Do Not Contact list. Before using any contact list, you need to ensure that you are not using any contact that matches your Do Not Contact list. The Do Not Contact lists are available for each data collection mode or a mix of them.

Deletion

And for those respondents who want to be forgotten, you need to be able to demonstrate that you have deleted their personal information. Askia has introduced “Clean-up”, a feature that will generate automatic reports for deleted tasks (surveys, lists, statistics). Existing features supporting the right to be forgotten include deletion reports. Askia advises running the tool regularly while keeping track of the surveys that need removal from the platform. Once identified, the tool will erase all data related to this survey, whether or not it holds personal data.

Sources

https://www.esomar.org/uploads/public/government-affairs/position-papers/EFAMRO-ESOMAR_GDPR-Guidance-Note_Legal-Choice.pdf

https://www.eugdpr.org/

https://www.csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.htm

https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

http://ec.europa.eu/justice/smedataprotect/index_en.htm

Why I joined Askia

It’s my first blog post for Askia and I thought a good initial piece would be to summarise the key reasons why I joined the team here. So in no particular order . . . .

  1. Jérôme – I have known Jérôme Sopoçko for over 20 years and he is an incredible talent. One of the best developers & technical brains in the MR industry, he is universally well-respected & liked and one of the go-to people the industry turns to for thought leadership. So a chance to work alongside him has always been an appeal. And despite competing against his company over the years, we always remained good friends and I was invited to every Askia party and received the famous Askia New Year card every time.
    • Other key Askia staff – as well as Jerome I knew that there were a number of people at Askia that I really admired and respected. Patrick George-Lassale is Jérôme’s co-founder and Askia’s CEO. A big guy with a huge heart and a massive smile – I have met him at dozens of industry events and conferences over the years and it was always a pleasure to spend time with him and compare notes. Jamey Corriveau is someone I worked with previously at Quantime/SPSS MR and he is another major industry talent. I always really enjoyed working with him and as soon as I heard about him moving to Askia (to run the US operation), I thought that was a very shrewd move on Jerome & Patrick’s part. Gaëlle Normand too was another person that I respected in the industry, from her time in the UK with SSI & USamp. She moved back to France and Askia snapped her up a few years ago to look after the marketing side of the business. And there were also a cast of characters that I met from time to time who came across really well – people like Christine Caggia in France, Dietmar Dzierzawa in Germany and Matt Long in London. So I knew that the team at Askia was a strong one.
  2. Fit – there seemed to be a perfect fit between what Askia was looking for and what I could bring to Askia. Having worked for three of the main industry technology providers over the last 25 years (SPSS, Confirmit & Decipher), I had a wealth of experience to bring in from these very different organisations.    
  3. Capability – I knew that Askia had an extremely capable solution and that most of the clients have been working with Askia for many years and were loyal “fans”. I was especially looking forward to working at a technology provider that was strong on analytics. I knew from trying to compete in the past that AskiaVista & Analyse were extremely good products. There was also the extensibility aspect that many clients talked about. They had been able to build their businesses around the Askia technology, rather than simply using a set product. I believe that increasingly this is what high-end MR agencies are going to be looking to do. And then the pricing model at Askia has always been very interesting – no cost per complete for online surveys, which is different to most of the rest of the competition. That is an intriguing concept to work with . . .
  4. The wider Askia Group – Askia is part of a group of companies that work closely together. Within the group there is Platform1, which is a really smart panel & community platform that covers both qual & quant research methods. Askia is the survey engine within Platform 1, so the two products are nicely integrated – I had heard that it’s a key part of the technology that Verve uses and they have built an amazingly successful business with it over the last few years. It was very exciting to have that kind of capability available in the group, as well as work with Platform 1 founder Jon Gumbrell – another of the leading technical talents in the MR industry. Also within the group we have MyForce, a long-term sister company of Askia who provides the autodialer & recording integration for Askia’s CATI solution, as well as doing groundbreaking developments involving speech recognition, which could potentially make CATI Centre verbatim responses a much more valuable asset (project Bison).
  5. Great partners – I knew that Askia worked with some excellent partners that would provide the opportunity to work with great, specialist solutions and also reconnect with more people that I have really enjoyed working with in the past. Digital Taxonomy’s new AI coding tool CodeIt is integrated with Askia and that gives me a chance to work again with the considerable talents of Tim Brandwood, Pat Molloy & Rudy Bublitz. Askia and E-Tabs had gone one step further (in terms of partnership) with a commercial joint venture and will be launching the IRIS Dashboard design platform in a few months.

So there you have it. If I was to summarise that all up, the reasons for me coming to Askia are a combination of the great people I will be working with, the overall fit and the strength, depth & reach of the technology that the Askia group is able to provide.

A fortunate chain of events – a dry read

At Askia we love to talk about Askia things… and about a year ago, the technical team got together in a room and agreed on what was our biggest need: the ability to elegantly call a web service from a survey and decipher the result and store it appropriately.

Web-service not included

I have mentioned in previous articles how an API allows you to extend your para-data. With the IP address that you collect (and that we encrypt – GDPR is watching you), you can obtain the general location of the person. With the location, you can get the weather at the time of the interview and the likelihood they voted for a given party in the last elections.

You could always call a web service by adding some JavaScript in your page but that was not very elegant… and also made it hard to hide any authentication method, since anything in the page’s script is visible to the interviewee.

So we decided to create a new routing where the Web Service was called from the server and not from the browser – effectively hiding the call from the interviewee. We got inspiration from the Postman interface and quickly put together a new routing.

The interface allows you to run different scripts depending on the success of the call and to manipulate and store the different parts of the response… and we introduced a new keyword CurrentHttpResponse.

QueryWebService

At that point, we thought that this had been relatively easy and we contemplated a well deserved visit to the local pub for refreshments.

XML and the Argonauts

As we were putting together an example – calling openweathermap.org to get the weather anywhere in the world – we hit our first problem.

The response looked like this:

<?xml version="1.0" encoding="utf-8"?>
<current>
   <city id="6690581" name="Belsize Park">
      <coord lon="-0.18" lat="51.55"></coord>
      <country>GB</country>
      <sun rise="2018-03-06T06:33:58" set="2018-03-06T17:50:36"></sun>
   </city>
   <temperature value="282.33" min="281.15" max="283.15" unit="kelvin"></temperature>
   <humidity value="66" unit="%"></humidity>
   <pressure value="988" unit="hPa"></pressure>
   <wind>
      <speed value="2.1" name="Light breeze"></speed>
      <gusts></gusts>
      <direction value="200" code="SSW" name="South-southwest"></direction>
   </wind>
   <clouds value="40" name="scattered clouds"></clouds>
   <visibility value="10000"></visibility>
   <precipitation mode="no"></precipitation>
   <weather number="521" value="shower rain" icon="09d"></weather>
   <lastupdate value="2018-03-06T13:50:00"></lastupdate>
 </current>

To get the temperature, we would have had to look for the string “temperature value=” and extract the following digits… it was possible but a bit of a dirty hack, we felt. As stated before, at Askia we love to talk but we hate dirty hacks.

So we started talking about having an XML parser. The cool kids in the dev team took a clear stand: we do not need an XML parser and we would be a laughing stock if we implemented one. What we needed was a JSON parser. Even better we thought: what if AskiaScript could natively support JSON? Note: I can confirm it, we did an XML parser anyway – I hope you are not laughing.
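The server-side call and the parsing problem described above, sketched in Python as an added example (not Askia's code and not AskiaScript): the API key stays in the server process, and the temperature is read with an XML parser instead of a search for `temperature value=`. The endpoint and its parameter names, the `WEATHER_API_KEY` variable and the injected `fetch` callable are assumptions; the XML is a constructed, trimmed copy of the response above.

```python
import os
import urllib.parse
import xml.etree.ElementTree as ET

# Assumed endpoint and parameter names; the page only names openweathermap.org.
API_URL = "https://api.openweathermap.org/data/2.5/weather"

# Constructed sample: the response shown above, trimmed to three elements.
SAMPLE = b"""<?xml version="1.0" encoding="utf-8"?>
<current>
   <city id="6690581" name="Belsize Park"><country>GB</country></city>
   <temperature value="282.33" min="281.15" max="283.15" unit="kelvin"></temperature>
   <humidity value="66" unit="%"></humidity>
</current>"""

# Constructed variant: same data, attributes reordered and single-quoted.
REORDERED = SAMPLE.replace(
    b'<temperature value="282.33" min="281.15" max="283.15" unit="kelvin">',
    b"<temperature unit='kelvin' max='283.15' min='281.15' value='282.33'>")


def temperature_by_string_search(body: bytes):
    """The 'dirty hack': look for the literal text and cut out what follows."""
    marker = b'temperature value="'
    start = body.find(marker)
    if start == -1:
        return None  # valid XML, but not byte-for-byte what the hack expects
    start += len(marker)
    end = body.find(b'"', start)
    return float(body[start:end].decode("ascii"))


def temperature_celsius(body: bytes) -> float:
    """Parse the document and validate the one field the survey needs."""
    node = ET.fromstring(body).find("temperature")
    if node is None or node.get("value") is None:
        raise ValueError("no temperature value in response")
    if node.get("unit") != "kelvin":
        raise ValueError("unexpected temperature unit")
    return round(float(node.get("value")) - 273.15, 2)


def weather_for_survey(city: str, fetch, api_key=None) -> dict:
    """Server-side step: the key and the raw response stay on the server.

    `fetch` is a hypothetical callable (URL -> bytes), injected so the
    example runs offline; in production it would perform the HTTPS request.
    """
    api_key = api_key or os.environ["WEATHER_API_KEY"]  # hypothetical name
    query = urllib.parse.urlencode({"q": city, "mode": "xml", "appid": api_key})
    try:
        celsius = temperature_celsius(fetch(f"{API_URL}?{query}"))
    except (ET.ParseError, ValueError, OSError):
        # Do not echo the exception: it may carry the URL, and with it the key.
        return {"ok": False, "temperature_c": None}
    return {"ok": True, "temperature_c": celsius}


if __name__ == "__main__":
    print(temperature_by_string_search(SAMPLE),
          temperature_by_string_search(REORDERED))
    print(weather_for_survey("Belsize Park", lambda url: REORDERED,
                             api_key="constructed-key"))
```

Only the dictionary returned by `weather_for_survey` would be handed to the page shown to the interviewee; the request URL, which contains the key, never leaves the server.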

JSON native and the dictionary

So we came up with the following syntax:

Dim myAuthorVar = @{
 "name":"Jerome",
 "age":21,
 "occupation":"laughing stock",
 "busy": true,
 "children": ["Mackenzie", "Austin"],
 "address" : {
    "postcode":"SW12",
    "city":"london"
    }
 }
Return myAuthorVar["occupation"]

We were very excited but that meant we needed a new variable type – it’s sometimes called an object or a map but also a Dictionary – the failed librarians and encyclopaedists that we are loved that… so there it was: the Dictionary. It allows you to store a series of named values in one object. You can set its properties with the Set method, like this: myAuthorVar.Set("Busy", False). And you access them as you would with an array, but by specifying a string instead of a number, like this: myAuthorVar["name"].

Variant and Arrays of Variant

I mentioned that it would be a good time to go to the pub when somebody asked what was the type returned by a dictionary accessor. In other words, what was the type of myAuthorVar["age"]? The response to this is “it depends”… and there was no way of knowing beforehand. Right now, it was a number, but if a web service had indicated “age” as “fifty-ish”, the result would be a string.

So we had to introduce a new type: the Variant

If you called myAuthorVar.TypeOf(), it would return “variant”… but inside the variant is a dictionary. So we created a method for Variant to know what was inside and we called it InnerTypeOf. myAuthorVar.InnerTypeOf() does return “dictionary”.

It was also nice to write @[1, 2, 3] or even @[3.14159, "pear", "apple"] – both are arrays of variants that we decided to call “arrays” for simplicity.

A variant could hold any of what we decided to call the basic types: number, string, date, dictionary and any array of the types above. OK – let’s go to the pub! But then we remembered that JSON supported Null and Booleans… and because we wanted full compatibility, we had to create two new AskiaScript types: Null (which does not do much) and Boolean, which can only take two values: true or false.
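Why the inner type matters when the data comes from a web service, as an added Python example (not AskiaScript and not Askia's code): it classifies JSON values the way the paragraph above lists them and refuses a value whose inner type is not the expected one. The type names other than "dictionary" and all helper names are assumptions; both JSON documents are constructed.

```python
import json

# Constructed documents: the author record used above, and the same record as
# a sloppier service might send it ("age" as text, "busy" as a number).
GOOD = json.loads('{"name": "Jerome", "age": 21, "busy": true, '
                  '"children": ["Mackenzie", "Austin"], '
                  '"address": {"postcode": "SW12", "city": "london"}}')
ODD = json.loads('{"name": "Jerome", "age": "fifty-ish", "busy": 1, '
                 '"address": null}')


def inner_type_of(value) -> str:
    """Name the JSON type held by a value (names assumed, except "dictionary")."""
    if value is None:
        return "null"
    # Test bool before number: in Python, as in classic AskiaScript, True
    # otherwise passes for the number 1.
    if isinstance(value, bool):
        return "boolean"
    if isinstance(value, (int, float)):
        return "number"
    if isinstance(value, str):
        return "string"
    if isinstance(value, list):
        return "array"
    if isinstance(value, dict):
        return "dictionary"
    raise TypeError(f"not a JSON value: {type(value).__name__}")


def get_typed(doc, path, expected: str):
    """Follow `path` through nested dictionaries and arrays; return the value
    only if its inner type is `expected`, otherwise raise."""
    node = doc
    for step in path:
        kind = inner_type_of(node)
        if kind == "dictionary" and step in node:
            node = node[step]
        elif kind == "array" and isinstance(step, int) and 0 <= step < len(node):
            node = node[step]
        else:
            raise KeyError(f"cannot follow {step!r} into a {kind}")
    actual = inner_type_of(node)
    if actual != expected:
        raise TypeError(f"{path}: expected {expected}, got {actual}")
    return node


def check(doc) -> dict:
    """Validate the three fields a script would use; report problems by field."""
    wanted = {("age",): "number", ("busy",): "boolean",
              ("address", "postcode"): "string"}
    problems = {}
    for path, expected in wanted.items():
        try:
            get_typed(doc, path, expected)
        except (KeyError, TypeError) as exc:
            problems[".".join(path)] = type(exc).__name__
    return problems


if __name__ == "__main__":
    print(check(GOOD))
    print(check(ODD))
```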

Booleans and back compatibility

This was a can of worms – because we used to consider True and False to be numbers. Let’s imagine some script like this:

 Dim myVariable = (Q1_Name = 7)
 ' … some clever coding…
 myVariable = 42
 ' … more clever coding…
 If myVariable = 42 Then
    ' Save the world ...
 Endif

In classic AskiaScript, this would create a variable called myVariable as a number with a value of 1 or 0 and later taking the value 42 allowing the world to be saved.

We did not want to break back compatibility. I am going to summarize what was hours of discussions. We decided that comparators (like equal or Has) had to return numbers. If they returned booleans, the setting to 42 would now trigger an error because 42 is not a Boolean. And if we permitted an automatic conversion of numbers into Booleans, myVariable would take the value True (and not 42) which would change the way the scripts ran… and the world as we know it would perish.

Wordy woes

Having spoken for so long, we were quite thirsty as you might guess. But we realised that our language would become very verbose and somehow inelegant if we had to convert Variants into the type we wanted whenever we wanted to use them.

In the example above, if we wanted to find out the length of our author’s post-code, we would have had to write:

 Dim hisAddress = myAuthorVar["address"]
 Dim hisAddressAsDic = hisAddress.ToDictionary()
 Dim hisPostcode = hisAddressAsDic ["postcode"]
 Dim hisPostcodeStr = hisPostcode.ToString()
 return hisPostcodeStr.Length

This was ridiculous… it would take ages to write any serious code… and we had better things to do than write verbose code (at that stage I was thinking of all the beers I would not be able to drink if I had to type that much to get my own postcode). So we went back to the drawing table and agreed that

myAuthorVar["address"]["postcode"].Length was all we needed.

This elegant code was only possible if Variants supported ALL the properties and methods of ALL the basic types. That was a lot of unit tests that we had to do. So we focused (no blurred vision) and we wrote them.

This meant a serious rewrite and a careful management of conflicts: Format is a method for numbers and dates and they act very differently. So we put together a set of rules.

I’ll give you a reference

At that point, we had spent a lot of time on this, we were (very) thirsty but we wanted it to be perfect. And we realised we had a problem – what if we wanted to change the Postcode of our author (by code).

myAuthorVar["address"] returned a Variant holding a dictionary with the address – a copy of the address. So to change the postcode we would have needed to write:


 Dim hisAddress = myAuthorVar["address"]
 hisAddress.Set ( "postcode" , "EC2A" )
 myAuthorVar.Set ("address", hisAddress)

This was again way too verbose. So we decided that accessors (the square brackets [ ] used by dictionaries and arrays) would not return a copy of the address but a reference to the address of the author. This meant that we could write

 myAuthorVar["address"].Set ( "postcode" , "EC2A" )

This added a very serious complication to the code (it’s called pointers, as in dangling pointers in C++)… and that’s very difficult to make work. In the above example (as in life), the variable hisAddress can outlive myAuthorVar. We had to write a lot of unit tests to ensure that everything worked and we did not have memory leaks. This is discussed here.

For short, a variable stops being a reference as soon as you assign it something else.

AskiaScript Anonymous

We had an ongoing problem with the Value property of question – and we thought it’d be a good idea to address it now before we went to the pub.

Q1.Value returns a string if Q1 is an open-ended question. And it returns an array of numbers if Q1 is closed with multiple response. It can also be a number or a date…

Now let’s imagine we have a script like this

 Dim myVariable = Q1
 ' On Mondays at precisely 12 o'clock
 If Now.Day() = 1 and Now.Hour() = 12 Then
    myVariable = Q2
 Endif
 ' What is myVariable.Value here?

AskiaScript is a compiler – it wants to know the type of things before it’s run… but in that example, myVariable.Value could be of a different type depending on the day and time it was run.

And what if we had something like Q1.NextVisibleQuestion.Value?

So we decided that as soon as you put a question into a variable then the variable becomes an “anonymous question”. All methods of an anonymous question would work but the Value property would be a variant…. And we also decided to make sure that CurrentQuestion was an anonymous question. Problem solved! Drinks anyone?

But then we had another huge back-compatibility problem. Let’s look at the following code:

 
 Dim myVariable = QNumeric
 Return myVariable + 1

In classic AskiaScript, the system would add an invisible “.Value” after QNumeric (we call that an implicit property). myVariable would be a number and we would return that number incremented by 1.

But with the introduction of anonymous questions, myVariable was now a question. Facing an operator (the +) we would add again the implicit property .Value. But now value would be a variant and we had no rule to add a variant to something else… up to now.

So we made sure that we had rules to add any variant to another Variant – or any basic type or array of basic types. Not just add but also subtract, multiply, divide, compare – including all the keywords like Has, HasNone etc. In total, combining 4 operators, a dozen comparators, with 6 basic types and 3 types of arrays (number, string and variants), that made a lot of decisions to take (and a lot of discussions) and many many unit tests.

Before we started this development, we had 1667 unit tests ensuring that all functions of the AskiaScript behave the same from one version to another.

For this, we had to add 2231 (!) more unit tests. Once they all passed successfully, we added the whole thing to Suite 5.4.8 and we hope you’ll like it.

Enough Quant Tricks, we’ll be in the pub for a swift one – we deserved it.