A practical guide to GDPR-compliant user research
Gain the skills to properly obtain informed consent, securely manage personal data, and avoid frequent missteps.
USER RESEARCH
Veilworx


While the General Data Protection Regulation (GDPR) may not be exactly thrilling for some user researchers, if your research involves EU participants, data protection isn't optional. The good news is that GDPR compliance doesn't have to kill your research; when done right, participants trust you more. This post covers everything you need to stay compliant and ethical. No legal jargon, no scare tactics, just practical advice.
Why GDPR matters in user research
GDPR, at its core, is about giving individuals control over their data. Here's the thing: every time you conduct user research, you collect personal data. Think about it:
The video recording of your last user session? Personal data.
The screen recording of someone navigating your prototype? That too.
Even seemingly innocent demographic questions become part of user data protection when tied to specific responses.
The official GDPR definition is broad, but basically, if data can identify an individual, compliance applies. Non-compliance can result in fines of up to €20 million or 4% of annual global turnover.
As a result, part of your job as a user researcher is being upfront about what data you're collecting, getting informed consent, keeping the data secure, respecting participants' choice to withdraw, and deleting their personal information afterwards.
GDPR terms you should know
Personal data: Information, such as a name, that can identify a person directly or indirectly. Voice recordings, device IDs and IP addresses count too.
Data controller vs. processor: Your company (controller) decides what personal data to collect and how to use it. Third parties like transcription services or research tools are processors handling data on your behalf.
Consent vs. legitimate interest: Consent means explicit, freely given agreement from participants. For most user research, this is the safest path to GDPR compliance. Legitimate interest is trickier and usually needs legal review.
Pseudonymisation vs. Anonymisation: Pseudonymisation means replacing real names or details with fake ones, like calling someone "Participant 001" instead of "Sarah." Anonymisation means removing all personal details completely, so no one can tell who the person is.
Before the research
Informed consent under GDPR must be freely given, specific, informed, and unambiguous (no pre-ticked boxes or buried clauses). Your consent form needs to explain:
What data you're collecting: "We'll record our 45-minute video call and note your responses."
Why you need it: "We're testing our app's checkout process to spot usability issues."
How long you'll keep it: "We'll delete the video recording within 12 months."
Who gets to see it: "Only our team will access the recording."
What rights they have: "You can stop the session at any time, ask us to delete your data, or request a copy of what we've collected."
Compare the two versions below to see what plain informed consent language looks like:
Legal-speak version: "The data subject hereby consents to the processing of personal data under Article 6(1)(a) ..."
Informed consent language: "I'm happy to participate in this research. I understand that [Company] will record our conversation to help improve their app. If I change my mind, I can withdraw my consent anytime by emailing research@company.com."
During the research
Don't be greedy with data collection. Less data means easier user data protection and simpler compliance. Secure data practices include:
Using participant IDs (like "P001") in all research materials except your secure master list.
Skipping basic spreadsheets for sensitive data and using encrypted, password-protected storage instead.
Acknowledging sensitive topics when they come up without recording the specifics.
After the research
How long should you keep research data?
Raw recordings: Usually deleted within 6-12 months after extracting insights.
Properly anonymised insights: Can stick around indefinitely since they can't be traced back.
Transcripts: Can be kept longer if anonymised properly.
Respect participant rights: Participants can ask to see their data, correct mistakes, or have everything deleted, so provide clear contact information and respond swiftly.
Secure storage and deletion: When deleting data, ensure secure deletion across all systems and backups.
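The participant-ID approach from the "During the research" section and the withdrawal and retention points above, worked through as an added example (not code from the original post). The MasterList class, the function names and the constructed session note are assumptions; the master list is the only place a real identity is stored, and in practice it would sit in encrypted, access-restricted storage.

```python
import re
from datetime import date, timedelta

RAW_RETENTION = timedelta(days=365)  # the post's promise: raw recordings deleted within 12 months


class MasterList:
    """The only place real identities live. Keep it encrypted and access-restricted,
    separate from notes, transcripts and recordings."""

    def __init__(self):
        self.by_email = {}   # email -> participant ID
        self.by_id = {}      # participant ID -> (name, email)
        self.next_id = 1     # never reused, so a withdrawn ID cannot be re-linked

    def participant_id(self, name, email):
        email = email.lower()
        if email not in self.by_email:
            pid = f"P{self.next_id:03d}"          # P001, P002, ...
            self.next_id += 1
            self.by_email[email] = pid
            self.by_id[pid] = (name, email)
        return self.by_email[email]

    def withdraw(self, email):
        """Honour a withdrawal: drop the link so pseudonymised material is no longer traceable."""
        pid = self.by_email.pop(email.lower(), None)
        if pid is not None:
            del self.by_id[pid]
        return pid


def pseudonymise(text, master, name, email):
    """Replace a participant's name and email in research notes with their ID.
    The email is replaced first so the name inside the address is not half-replaced."""
    pid = master.participant_id(name, email)
    text = re.sub(re.escape(email), pid, text, flags=re.IGNORECASE)
    return re.sub(r"\b" + re.escape(name) + r"\b", pid, text, flags=re.IGNORECASE)


def recordings_due_for_deletion(recordings, today):
    """IDs of raw recordings whose age has reached the retention limit.
    Dates are ISO strings, as they would come from a file or session log."""
    today = date.fromisoformat(today)
    return sorted(pid for pid, recorded in recordings.items()
                  if today - date.fromisoformat(recorded) >= RAW_RETENTION)


if __name__ == "__main__":
    master = MasterList()
    note = "Sarah (sarah@example.com) got stuck at checkout. Sarah asked for a copy."  # constructed
    print(pseudonymise(note, master, "Sarah", "sarah@example.com"))
    print(recordings_due_for_deletion({"P001": "2024-01-10", "P002": "2024-09-01"}, "2025-02-01"))
```

After a withdrawal the notes still say "P001", but nothing links that ID back to a person, which is the point of keeping the master list separate.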
Common pitfalls to avoid
Assuming your tools handle everything: Compliance is your responsibility, with or without GDPR features. Review privacy policies and configure settings properly.
Forgetting to anonymise transcripts: Raw transcripts often contain personally identifiable information. Clean these up before long-term storage.
The "just in case" data trap: GDPR requires you to stick to what you need now. You can always ask for consent for future research.
GDPR compliance makes you a better user researcher by building trust and encouraging honest feedback, leading to better insights. The key is embedding good data protection into your user research process from the start. Your participants will appreciate it, your legal team will thank you, and your research outputs will be rich.
Resources and Next Steps
For detailed guidance, check out the official GDPR information portal.


Start implementing GDPR-compliant user research by downloading our fully customisable data storage and privacy policy template.


Copyright © Veilworx Ltd 2024. All rights reserved.