Is your UXR business legally compliant?
2021 was a year of big legal investment for Curiosity Tank. I invested far more money and time into becoming legally compliant in all aspects of the business than I had anticipated.
I don’t enjoy this aspect of being a small business owner but it’s a required responsibility to conduct UXR for clients and to teach other people around the world to conduct user research.
The basic requirements for a security program in a research B2B agreement/relationship are:
Written Information and Security Program (WISP). This is an overarching program that references all of the policies below.
Information and Security Policy. An internal-facing policy that specifies how information must be handled and protected.
Document Retention Policy. An internal policy on how records must be kept and disposed of.
Cyber Incident Response Plan. An internal policy document on how the company will respond in the event of a data breach.
If you don’t have any of these, you’ll be knocked out in the RFP stage or considered in breach of an agreement that is bound to require these.
What did we tackle, in layman’s terms? An updated privacy policy, terms and conditions, new data retention and deletion policies, new data privacy and security awareness training, revised agreements for students, vendors, and project sponsors, data breach incident response plans, PII protocols, new and increased insurance, and more.
Conducting research today has many more requirements than it had two years ago. If you haven’t reviewed your own policies against the updated rules, I suggest you do so, quickly.
The best response plan is one you never need. Take all necessary steps to protect your business – and customers – from falling victim to a data breach.
This is not a sexy part of our #UX work, but it’s unfortunately extremely necessary today and directly ties to our UX research industry’s ethics.