User research is how great products get built. But user research — interviews, surveys, usability sessions, diary studies — involves collecting personal data from real people. Under GDPR, that makes it a regulated activity with specific obligations attached.
This guide covers everything UX researchers, product teams, and startup founders need to know to run user research compliantly: lawful basis, informed consent, recording participants, incentives, research platforms, data storage, anonymisation, and participant rights.
Why User Research Is a GDPR Processing Activity
Any time you collect information about an identified or identifiable person, you're processing personal data under GDPR. User research almost always involves:
- Names and contact details (to recruit participants)
- Video and audio recordings of interviews or usability sessions
- Survey responses that may include opinions, experiences, or demographic data
- Screen recordings and interaction logs from usability testing tools
- Session notes and verbatim quotes
Each of these is personal data. And collecting, storing, analysing, or sharing personal data requires a lawful basis under Article 6 GDPR.
Lawful Basis for User Research: Why Consent Is Usually Required
GDPR provides six lawful bases for processing. For user research, the relevant options are:
- Consent (Article 6(1)(a)) — the participant actively agreed
- Legitimate interests (Article 6(1)(f)) — your interest in improving the product outweighs the participant's privacy interests
In practice, consent is the correct basis for almost all user research. Here's why legitimate interests is risky:
- Research participants have a reasonable expectation that participating is optional and voluntary
- Recording video and audio is intrusive; relying on legitimate interests for recordings is very hard to justify
- Special category data (health conditions, disability, mental health) may arise in research — legitimate interests cannot be used for special categories; explicit consent is required
The practical takeaway: build proper consent collection into your research process from the start.
What Informed Consent Looks Like for Research Participants
GDPR consent must be freely given, specific, informed, and unambiguous. For user research, this means participants need to understand — before the session starts:
- Who you are (organisation name, contact details)
- What data you'll collect (recordings, notes, survey responses)
- How it will be used (product improvement, internal analysis — be specific)
- Who will see it (researchers, design team, external note-takers, research platforms)
- How long it will be kept and when it will be deleted
- That participation is voluntary and they can withdraw at any time
- Their rights (access, erasure, correction)
A robust participant information sheet and separate consent form — signed before the session — covers all of this. For remote sessions, this can be a digital form completed before the call starts.
What consent is not:
- Clicking "I agree" to a buried clause in a platform's terms of service
- Verbal agreement noted only in the researcher's own notes
- An assumption that payment implies consent
Recording Interviews: Video and Audio Consent
Recording a user interview introduces additional considerations. Under GDPR, recordings are personal data. In some EU member states (Germany, Austria, the Netherlands), recording laws add additional layers on top of GDPR.
Best practice for recorded interviews:
- Get explicit written consent for recording specifically — your consent form should include a separate checkbox or signature for "I consent to this session being recorded"
- State who will access the recording — will it be shared with product managers, the wider team, a research repository platform?
- Set a clear retention period — e.g., "Recordings will be deleted after 12 months" — and honour it
- Give participants the option to pause or stop recording — and actually honour requests during the session
- Do not upload recordings to platforms without checking that a Data Processing Agreement (DPA) is in place with that platform
If a participant withdraws consent after the fact, you must delete their recording.
Incentives and Consent Validity
Many research teams pay participants for their time — gift cards, cash, discounts. Does payment invalidate GDPR consent?
The concern is that incentivised consent isn't "freely given" — that people feel coerced to participate (and share data) because of the payment.
The ICO and EDPB guidance is nuanced here:
- A reasonable incentive for time (e.g., a £30 gift card for a 60-minute session) does not automatically invalidate consent
- The issue arises when participation feels compelled — e.g., employees required to participate in internal research, or where declining means losing access to a significant benefit
- Participants must be able to withdraw without forfeiting the incentive if they've already participated
Practical guidance: pay participants for their time regardless of what they share. Make it clear in your consent documentation that they can withdraw at any point without affecting their payment.
Using Research Platforms as Data Processors
Research platforms — UserTesting, Maze, Dovetail, Lookback, dscout, Hotjar Recordings — process personal data on your behalf. Under GDPR, they are data processors, and you are the data controller.
Article 28 GDPR requires a written Data Processing Agreement with every data processor. Before using any research platform:
- Check whether the platform has a DPA available — most enterprise platforms do; check their privacy or legal pages
- Sign the DPA before uploading participant data or recordings
- Check where data is stored — EU-based storage or adequate safeguards (SCCs) required for EU participant data
- Review the platform's subprocessor list — data may flow to AWS, Zoom, Mux, Snowflake; you need to be comfortable with this chain
Platform-specific notes:
- UserTesting: Has a DPA; check their EU data residency options
- Maze: DPA available; review their subprocessor list carefully
- Dovetail: DPA available; Australian company with US data storage — check SCCs
- Hotjar Recordings: Hotjar has a DPA and offers EU data residency; ensure you have configured consent-gating so recordings only capture consented users
- Lookback: DPA available; review storage location
A DPA does not replace participant consent. You need both.
Survey Tools and GDPR: Typeform, SurveyMonkey, Google Forms
Survey responses are personal data when they can be linked to an individual — which is almost always the case when you're tracking who responded.
Typeform: DPA available; EU data storage option; review their subprocessor list. Add a clear privacy notice to your survey introduction. Do not use Typeform's built-in respondent tracking features without disclosing this to participants.
SurveyMonkey: DPA available for enterprise plans; check which plan tier includes data processing terms. EU data hosting available but needs to be configured. The free tier has limited data governance controls.
Google Forms / Google Workspace: Google's data processing terms are built into Workspace agreements. Responses stored in Google Sheets inherit Google's data processing. Using personal Gmail accounts for research surveys (rather than a Workspace account) significantly weakens your compliance position.
General rules for all survey tools:
- Include a privacy notice at the start of the survey
- Do not collect more data than you need (data minimisation)
- Do not ask questions that could reveal special category data unless genuinely necessary — and if so, get explicit consent
- Set a retention period and delete responses when it expires
Storing Research Recordings and Notes
How long should you keep research data? There is no universal GDPR answer, but the principle of storage limitation requires you to keep data only as long as necessary for the stated purpose.
Common retention approaches:
| Data type | Suggested retention |
|---|---|
| Raw video/audio recordings | 6–12 months |
| Verbatim transcripts | 12 months |
| Anonymised analysis and insights | Indefinitely |
| Participant contact details | Until next scheduled research cycle or 12 months |
Whatever period you set, put it in writing (your privacy notice and consent form) and enforce it. Create a calendar reminder or automated deletion process.
Access controls matter too. Research recordings should not be accessible to everyone in your organisation. Apply need-to-know access — only the product managers, designers, and researchers who worked on the project.
Anonymising Qualitative Data
Anonymisation is the goal for research insights. Once data is genuinely anonymised — meaning no individual can be identified from it, directly or by combination — it falls outside GDPR's scope.
But anonymisation is harder than it looks with qualitative data:
- A quote like "As a nurse in a small rural town, I struggle with..." is potentially re-identifiable even without a name
- Demographic combinations (age + job title + region) can be identifying in small participant pools
- Video clips showing faces or distinctive characteristics are not anonymised by removing a name
Practical anonymisation steps:
- Transcribe recordings and remove names, replacing with "P1", "P2" etc.
- Review transcripts for identifying details (employer names, locations, unusual job titles) and redact or generalise
- Store the key linking recordings separately from the anonymised analysis
- When sharing insights with stakeholders, share the anonymised analysis — not raw recordings
Sharing Research Findings Without Exposing PII
Research insights are valuable precisely because they're grounded in real participant experiences. But sharing raw quotes, recordings, or session clips internally exposes PII beyond the people who obtained consent.
Safe sharing practices:
- Share anonymised written insights rather than raw recordings as the default
- When sharing video clips to illustrate a finding, get explicit additional consent from the participant to use their likeness in internal presentations
- If using a research repository like Dovetail, configure access controls so only authorised team members can view raw recordings
- Redact or blur faces in video clips before wider sharing where additional consent isn't available
- Do not share participant contact details beyond the research team
Participant Right to Withdraw
Under GDPR, participants have the right to withdraw consent at any time. This has practical implications:
- Before the session: If a participant withdraws before a session starts, do not proceed
- During the session: If a participant asks to stop, stop. Stop the recording immediately
- After the session: If a participant contacts you to withdraw consent after the fact, you must delete their recording and any identifiable notes. You can retain anonymised insights derived from the session
Make the withdrawal process easy. Include a contact email address in your consent form and privacy notice. Set an internal SLA for withdrawal requests — 72 hours is reasonable — and log that you completed the deletion.
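The retention table, the anonymisation steps and the withdrawal process above are easy to describe and easy to forget; the in-memory model below, an added example that is not part of the original post, ties them together: participant codes are kept in a linking key stored apart from the analysis, retention deadlines are enforced per data type (using the lower end of each range in the table), and a withdrawal deletes the recording and identifiable transcript, keeps the anonymised insights, and logs completion against the 72-hour SLA. Names, dates and the quote are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

# Retention periods from the table above (shortest end of each range), in days.
RETENTION_DAYS = {"recording": 180, "transcript": 365, "contact": 365}
WITHDRAWAL_SLA = timedelta(hours=72)  # internal target from the text

@dataclass
class Study:
    key: dict = field(default_factory=dict)       # "P1" -> real name, kept apart from analysis
    items: list = field(default_factory=list)     # (pid, kind, collected_on, content)
    insights: list = field(default_factory=list)  # anonymised; survives withdrawal
    log: list = field(default_factory=list)       # evidence that deletions were completed
    def enrol(self, name):
        pid = f"P{len(self.key) + 1}"
        self.key[pid] = name
        return pid
    def add(self, pid, kind, collected_on, content):
        self.items.append((pid, kind, collected_on, content))
    def pseudonymise(self, pid, text):
        # Swap the name for the code; employer, town and job-title details still
        # need the manual redaction pass described in the anonymisation section.
        return text.replace(self.key[pid], pid)
    def enforce_retention(self, today):
        due = [i for i in self.items if i[2] + timedelta(days=RETENTION_DAYS[i[1]]) <= today]
        self.items = [i for i in self.items if i not in due]
        for pid, kind, _, _ in due:
            self.log.append(f"{today}: retention expired, deleted {kind} for {pid}")
        return len(due)
    def withdraw(self, pid, received, completed):
        # Delete recordings and identifiable notes; anonymised insights are kept.
        removed = [i for i in self.items if i[0] == pid]
        self.items = [i for i in self.items if i[0] != pid]
        self.key.pop(pid, None)
        status = "within SLA" if completed - received <= WITHDRAWAL_SLA else "SLA MISSED"
        self.log.append(f"{completed:%Y-%m-%d}: withdrawal {pid}, {len(removed)} deleted, {status}")
        return len(removed)

def demo():
    s = Study()
    p1 = s.enrol("Jane Example")  # constructed sample participant
    s.add(p1, "recording", date(2024, 1, 10), "session1.mp4")
    s.add(p1, "transcript", date(2024, 1, 10),
          s.pseudonymise(p1, "Jane Example: as a nurse in a small rural town, I struggle with..."))
    s.insights.append("Rural clinicians struggle with the onboarding flow")
    transcript = s.items[-1][3]
    expired = s.enforce_retention(date(2024, 7, 10))  # recording is past 180 days
    deleted = s.withdraw(p1, datetime(2024, 8, 1, 9), datetime(2024, 8, 2, 9))
    return {"transcript": transcript, "expired": expired, "deleted": deleted,
            "items": len(s.items), "insights": len(s.insights), "log": s.log}
```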
Research Compliance Checklist
Use this checklist before starting any user research project:
Before recruitment
- [ ] Identify lawful basis (consent for almost all cases)
- [ ] Draft participant information sheet covering all GDPR-required disclosures
- [ ] Create consent form with separate checkboxes for recording consent if applicable
- [ ] Determine retention periods for each data type
- [ ] Identify all platforms and tools you'll use — check DPAs are in place
During recruitment
- [ ] Collect and record consent before any research activity begins
- [ ] Do not store more contact data than needed for scheduling
- [ ] If paying incentives, confirm participants can withdraw without forfeiting payment
During sessions
- [ ] Confirm consent verbally at session start before recording
- [ ] Honour any requests to stop recording or pause the session
After sessions
- [ ] Transcribe and anonymise before broader sharing
- [ ] Apply access controls to raw recordings
- [ ] Upload to research platforms only under active DPAs
Ongoing
- [ ] Delete recordings and identifiable data at the retention deadline
- [ ] Maintain a record of research activities in your ROPA
- [ ] Have a process for handling withdrawal requests
Running Research Compliantly Without Slowing Down
GDPR compliance in user research is not about doing less research — it's about building the right process once and repeating it. A good participant information sheet and consent form, a clear retention policy, and DPAs with your research platforms are the foundation. Once set up, the overhead per study is minimal.
The payoff is research participants who trust you with their time and insights — and an organisation that isn't exposed to regulatory risk when conducting the research that makes your product better.
Ready to check whether your website is collecting data compliantly? Scan your website free at app.custodia-privacy.com/scan — results in 60 seconds.
This post provides general information about GDPR compliance for user research. It does not constitute legal advice. Requirements vary by jurisdiction and individual circumstances differ. Consult a qualified data protection professional for advice specific to your organisation.