Client insight interviews are normally full of deep commercial insight. Often they will contain information about service delivery, the performance of teams, and may include comment upon individuals that the client has worked with at your firm.
It is essential to manage all feedback with discretion and confidentiality. Acuigen normally undertake client interviews on the basis that the client’s opinions are reported in an attributable manner, therefore clients’ comments are categorised as personal data, so our decisions on the handling of the content are treated accordingly, particularly with respect to GDPR.
Most importantly, the client interviewed must be able to make an informed decision regarding the information they provide to you, in the knowledge of what you intend to do with it before they provide the information. Therefore, when undertaking client interviews you need to record that the client has provided consent to use their feedback; often this consent is gained at the start of an interview and reconfirmed at the end.
It is important that the consents requested have been properly considered by the data controller of a client feedback project - to enable a firm to use the information as you intend, for example, have you confirmed that the client is happy for a response to BD opportunities if mentioned?
Collecting sensitive data
Occasionally clients may discuss or reference personal data, personal opinions or comments about their personal circumstances. This type of comment moves the client feedback interview into a GDPR ‘special category’, i.e. it is personal data that requires more protection because it is very sensitive. It may be necessary to undertake a further data protection privacy impact assessment for this type of sensitive information processing.
Whilst most client feedback is of a routine and commercial nature when reporting sensitive client feedback within your firm, an interviewer may need to seek advice on how sensitive information should be handled.
At Acuigen we have a post interview process available called ‘quarantine’ whereby an interview transcript that has particularly sensitive content or may need special handling, can be placed into prior to it being passed to our client’s project team, so that they too can be ready to respond appropriately upon its receipt.
The sponsor of a client feedback programme is normally the [data] controller of the information gathered, and it is their responsibility, to ensure appropriate controls are in place to mitigate the risks of compromising the content.
Tips for interviewers
-
Conduct interviews on the basis of voluntary informed consent
-
Explain to the interviewee the consents that you seek at the outset of the interview, and that they can withdraw from an interview if appropriate
-
When preparing your interview report or transcript, remember to only include information that is relevant and necessary for the purpose of the interview and its subsequent use. If in doubt discuss this with the interviewee or the controller as appropriate
-
Only retain the information that you need to process for an appropriate period (e.g. how long do I need to retain it on my laptop after an interview).
Checks for Data Controllers
-
Consider if the permissions/consents that you seek from the client at the outset of the interview meet the current and future intended uses of the information to be collected, and that these will comply with appropriate data privacy laws
-
Special category content (e.g. medical) will normally have a much shorter useful life than other information (e.g. perceptions of brand that are useful for trend analysis over many years) and may need to be redacted or removed at an earlier stage
-
Consider having a quarantine process to manage support interviews that may need special handling
-
Consider providing advice to interviewers about redacting unnecessary sensitive comments (and other special category content) that may not be appropriate to share with a wider audience
-
Whilst GDPR does not apply to the deceased, all matters must be considered sensitively and respectfully
-
Within Europe, check that your data protection ‘notifications’ to your data protection supervising authority (the Information Commissioners Office in the UK) include a right to process sensitive special category information. Document the special categories of data that you are processing
-
Consider undertaking a privacy impact assessment to understand the risks associated with holding special category data and that your processes (and that of your data processor) are sufficiently robust, particularly regarding data minimisation and information security.
Continue the discussion
If you’re interested in understanding the process of client feedback to a greater extent or are interested in initiating or scaling up a client feedback programme in your firm, get in touch with our team who be happy to talk further to assist you and to share our experiences.
This article is intended as a general interest article and is not intended as legal advice, so is provided without legal responsibility. Reference to GDPR is based upon UK law. In the UK, the ICO (ICO.org.uk) has many useful articles on this subject. Please contact your legal professional for legal advice.