How to conduct your interviews in a GDPR-compliant manner
Qualitative interviews almost always contain personal data, and that data has to be handled carefully. Unfortunately, this makes for a long checklist, so let's get started right away without much introduction:
1. Customize the consent form
Download the consent form file above and customize it for your specific project: add the project information, the goal of the research, and your address. Print the document twice, so that you can hand out one copy and keep the other.
2. Commitment to data secrecy
Everyone who helps you and gets to see the data must be bound to data secrecy, including friends and family members. A sample declaration from the independent federal and state data protection authorities can be found here.
3. Informing the interview partners
Inform your interview partners in advance about the contents of the consent form: about the fact that you want to record, transcribe and evaluate the interview. Explain the purpose of the research, who will have access to the data, and how you will handle data protection. Briefly elaborate on the points of your consent form, and explain individual passages if asked.
4. Obtain consent
Have the interviewees sign the consent form and keep a copy. If an interviewee is under 16 years of age, the consent must be signed by the parents (additional information is provided by the Bavarian State Office for Data Protection Supervision).
If special categories of personal data are involved (e.g. health, religion, sexual orientation or political opinions), additional data protection requirements apply (guidance from the independent federal and state data protection authorities can be found here). Hand out a copy of the signed consent form to the interviewee.
5. Record, transfer and save qualitative interview
Make sure that the storage location for the qualitative interviews is within the scope of the GDPR (European Union, EU, or European Economic Area, EEA). The best options are the university's network drive or local storage media on password-protected computers. Unencrypted transmission by e-mail is not suitable for confidential data. For a transfer of personal data to a country outside the EU/EEA, e.g. when uploading to American servers, note the additional data protection requirements. In case of doubt, it is better to do without. Information from the independent federal and state data protection authorities can be found here.
The data must also be protected by technical and organizational measures, especially against unauthorized access and disclosure. The minimum level of security is a computer that is not publicly accessible and runs a current, supported operating system (e.g., no Windows Vista, macOS High Sierra or older). Current anti-virus software, a firewall, and a password-protected account that is not used privately should be in place. On laptops and removable media, also enable full-disk encryption (e.g. BitLocker or FileVault) so that a lost or stolen device does not turn into a data breach. Of course, the access credentials should only be known to authorized persons. Additional information about data security can be found here.
6. Clarify transfer to external parties
If you want to outsource transcription or processing (e.g., coding), you must conclude a "commissioned processing agreement" (data processing agreement). This also applies to external hosters or service providers, e.g. for online surveys. These arrangements must be settled before the interviews take place, because the processors have to be listed in the declaration of consent. In particular, make sure that any subcontractors also comply with data protection standards. General information from the independent federal and state data protection authorities on commissioned processing can be found here.
7. Delete safely
After the end of the project or the agreed retention period, delete the data securely. Moving the data to the recycle bin or "normal" deletion is not sufficient, because in these cases the data can usually be recovered without much effort. The Federal Office for Information Security (BSI) provides technical advice on correct deletion on its website. Secure deletion can be done with free software. Note that overwriting a file is only reliable on conventional hard disks; on SSDs and on file systems with snapshots, old copies may survive an overwrite, so on such media it is better to have stored the data encrypted from the start and to destroy the key.
This also, and especially, applies to the memory of recording devices! If the devices are borrowed (e.g. from the media center of a university), the recordings must be securely deleted from them as well before they are returned.
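The two technical steps above, encrypting a recording before it is transferred (step 5) and overwriting the plaintext before deleting it (step 7), as an added example that is not part of the original page or its consent-form template. It assumes that `openssl` is installed and that the passphrase is supplied in an environment variable named `INTERVIEW_PASSPHRASE` (a name chosen for this example); the passphrase has to reach the recipient over a second channel, never in the same e-mail as the file. The deletion step also appends a line to a small log file, which is one way of meeting the "document everything" requirement in step 8.

```shell
#!/bin/sh
# Added example, not from the original page: keep an interview recording
# encrypted while it is in transit, and overwrite the plaintext copy before
# unlinking it once the encrypted copy has been verified.
# Assumptions: openssl is installed, and the passphrase is supplied in the
# environment variable INTERVIEW_PASSPHRASE (a name chosen for this example).
set -eu

# Encrypt FILE to FILE.enc (AES-256-CBC, key derived with PBKDF2) and write
# FILE.enc.sha256 so the recipient can confirm the file arrived intact.
encrypt_recording() {
    in="$1"
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -pass env:INTERVIEW_PASSPHRASE -in "$in" -out "$in.enc"
    openssl dgst -sha256 "$in.enc" | awk '{print $NF}' > "$in.enc.sha256"
}

# Recompute the SHA-256 of ENCFILE and compare it with ENCFILE.sha256.
# Returns non-zero on mismatch (a truncated or tampered transfer).
verify_checksum() {
    expected=$(cat "$1.sha256")
    actual=$(openssl dgst -sha256 "$1" | awk '{print $NF}')
    [ "$expected" = "$actual" ]
}

# Decrypt ENCFILE to OUTFILE; the recipient runs this after verify_checksum.
decrypt_recording() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass env:INTERVIEW_PASSPHRASE -in "$1" -out "$2"
}

# Overwrite FILE in place with random bytes, unlink it, and append a line to
# the processing log (default: deletion-log.csv in the current directory).
# The file is overwritten in whole 4 KiB blocks, so it may grow by up to
# 4095 bytes before removal; that is harmless here.
# Caveat: an overwrite only destroys data where the new bytes land on the
# same physical blocks as the old ones. On SSDs (wear levelling) and on file
# systems with journaling or snapshots, old copies can survive, so on such
# media rely on full-disk encryption and destroy the key instead.
secure_delete() {
    f="$1"
    log="${2:-deletion-log.csv}"
    blocks=$(( ( $(wc -c < "$f") + 4095 ) / 4096 ))
    dd if=/dev/urandom of="$f" bs=4096 count="$blocks" conv=notrunc 2>/dev/null
    rm -f "$f"
    printf '%s,%s,overwritten and deleted\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$f" >> "$log"
}

# Usage: source this file (. ./gdpr-handling.sh) with INTERVIEW_PASSPHRASE
# exported, then:
#   sender:    encrypt_recording interview01.wav   (send .enc and .sha256)
#              secure_delete interview01.wav       (after recipient confirms)
#   recipient: verify_checksum interview01.wav.enc &&
#              decrypt_recording interview01.wav.enc interview01.wav
```

The checksum does not replace the encryption (an attacker who can alter the file can alter the checksum too); it exists to catch truncated or corrupted transfers before anyone tries to decrypt. Keep the passphrase and the checksum file apart from the encrypted recording, and log the deletion rather than relying on memory when an audit asks what happened to the data.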
8. Document everything
All steps, including deletion, must be documented. What such documentation must look like in concrete terms is not prescribed in detail; a short Excel list or a text file is enough. What matters is that, in the event of an audit, you can prove that all of the above points were considered and followed.
9. If something goes wrong: information obligations
If there is a reasonable suspicion that data has been lost or has fallen into the hands of unauthorized persons, there may be a legal obligation to inform the supervisory authority (in Germany usually the state data protection commissioner) without undue delay, and in any case within 72 hours of becoming aware of the breach, and also to inform the persons whose data is affected if the breach is likely to result in a high risk to them (additional information is provided by the Bavarian State Office for Data Protection Supervision).
10. Do not be deterred!
At first this seems like a lot to consider. In fact, most of these points have to be covered in the declaration of consent, so you should use templates or samples. You can, for example, use our template or ask at the methods center of your university.