Is Time ‘on the Side of Change’? Incorporating the GDPR in (some of) our Research Practices

Abstract

French

The General Data Protection Regulation (GDPR) now serves as a framework for research, among other activities, when it involves collecting and using data which directly or indirectly allow the people in question to be identified. This therefore affects our research practice and, we believe, requires collective discussion. We suggest opening up the debate in this article by looking at what GDPR compliance means for our work in concrete terms, based on our own experience beginning a study on family transmission of banal nationalism (the ETPAF project). We also give an account of how, in our case, this new regulatory situation has afforded us the opportunity to add a (small) popular education dimension (or participatory science) to our work that was not part of the initial project and that we consider genuinely stimulating.

Keywords

ethics GPDR nationalism participatory science projective methods

Introduction

The GDPR, which stands for General Data Protection Regulation, is gaining ground in social science and humanities (SSH) research centres. This European regulation, adopted in 2008, aims to reinforce the protection of individual personal data at a time when we leave digital traces everywhere and these have become a commodity. As citizens, we find it reassuring to have a say in whether or not an online commercial platform records data about us and we are very glad that the information we entrust to our doctors or employers cannot find its way ‘online’ or be made available to the highest bidder. On the other hand, as researchers, we are quickly frustrated by the new layer of administrative procedures that the GDPR adds to our work. Worse still, the precautions now required in terms of providing information and ensuring the material security of data – let alone the infamous ‘informed consent’ necessary for ‘special data’, which we will come back to later – have considerable, often less than desirable, consequences for our investigative methods.

What should we do in the face of this situation? Resist and protect our way of doing research by ‘playing for time’ and waiting to see whether we ultimately face any sanctions? Protect ourselves by interpreting the rules as strictly as possible, even if this means giving up on research projects that no longer fit into the boxes? Or perhaps, instead, protect the pleasure we derive from our research by taking on board the rules and adapting our methods in ways that then lend meaning to the changes we make? In this text, we defend the third option. We show that this means wagering that ‘time is on the side of change’¹ and that the GDPR is encouraging us to adapt to the changes in social relations that it recognises within European societies. Ours is a situated point of view, and deliberately so, especially seeing as we believe that adapting to the GDPR presupposes thinking about its consequences in concrete terms, based on different examples. In this article, we offer an account of our current research experience, namely a study on ‘banal nationalism’ within the family. For this study, which focuses on both children and politics, we expected the worst when it came to ensuring our work complied with the law. However, this proved neither particularly complicated nor terribly frustrating, insofar as the first lockdown² left us waiting impatiently far longer than the time it took to obtain our data processing authorisation. However, our decision to respect the spirit of the regulation did have a real influence on the interview scenario that we devised. In considering here how the GDPR shaped our research practice, we are not looking to provide one definitive answer to the questions the GDPR raises for the social sciences more generally, or even for sociology and political science more specifically. In fact, our aim is quite the opposite. We wish to open up a debate that will be enriched by the broad range of methods, subjects, and theoretical inspirations that define these disciplines.

We shall provide an account of our experience by first briefly summarising our research project, then expressing in our own words how we understood the GDPR requirements, and next, narrating as faithfully as possibly how the process unfolded for us, before finally discussing the lessons we learned from it.

A Study on the Sources of Banal Nationalism

Our study aims to understand the ways in which what Michael Billig refers to as ‘banal nationalism’ (Billig, 1995) is passed on to young children in the family context. ‘Banal nationalism’ refers to the massively widespread ideology according to which the world is naturally and necessarily divided into nations. In Billig’s view, this embedding of political ties within a grammar of nation – which is, it should be said, a relatively recent product of history as the debate on the origin of nations has shown (Anderson, 1991; Gellner, 1983; Hobsbawm, 1992) – is an ‘international ideology’ in the sense that there is no longer any place where we have access to other ways of conceiving of the world’s political organisation (Billig, 1996). Without these alternative repertoires, our political imagination is constrained by what seems to be self-evident – the ‘naturalness’ of the existence of nations. This is why Billig describes this form of nationalism as ‘banal’. Unlike ‘hot’ or vituperative nationalism – the ‘return’ or the ‘rise’ of which prompt concerned commentary – banal nationalism slips by unnoticed below the radar of our awareness because we have learned to consider it normal. Throughout our lives, we are reminded of the natural division of the world into nations by a set of ‘flags’, which are omnipresent in the media, in public discourse, in everyday consumer goods, in cultural objects, and in many other routine aspects of our lives. This flagging endlessly reminds us of our nationality, mainly without our realising it, leading us to forget that humanity was not always divided into nations and that the world could be thought of in different terms.

While many studies have offered accounts of the permanent flagging that perpetuates nationalism, whether banal or politically committed, we know much less about our socialisation to the self-evidence of the nation. Yet this socialisation must necessarily occur in order for reminders of our own national belonging to function. We only know, thanks to K. Throssell, that it seems to take place in early childhood: at the age of 7–8, children have already learned that the world is divided into countries and that it is important for everyone to have ‘their own’ and to feel a strong attachment to it (Throssell, 2015). Hence the focus of our study in which we wish better to understand how children find themselves coming to grips with this ‘international ideology’ and hypothesise that this does not just play out on the school stage but also, among other places, in everyday family life, backstage, as it were.

With this in mind, we devised and tested³ a protocol in which we recruit families with at least one child age 5–6 to carry out three 2–3-hour sessions of interviews/activities in the family home. We ask the parents and the child to talk about their everyday family life and more specifically about their relationships to the self-evidence of the nation. Of course, we don’t ask this question in this way: we use an indirect approach focusing on narratives of family practices, especially given that our hypothesis is that the self-evidence of the nation and of a sense of belonging is only partly passed on to children as part of an ‘educational vision’. When questioned on the matter, most parents do consider it important for their child to know where they come from and for them to have ‘roots’. However, parents are rarely aware of the presence of flags (in the literal sense) or other national reminders in their children’s bedrooms and much less of any possible continuum between the requirement to ‘belong’ and holding a preference for one’s own nation. We therefore approach these questions largely via projective activities (Anzieu et al., 2017; Lavabre, 2002) in which we present visual and/or auditory materials to which they are asked to react. We run these interview sessions in pairs because while certain activities do involve all the members of the household, we mainly work in parallel, with one researcher talking to the parents (projective activities and semi-structured interviews) while the other talks to, plays with, or reads stories to the child, preferably in his or her bedroom when he or she agrees. This kind of protocol is quite demanding of the families, if only in terms of the time they have to give us. In order not to limit our sample to families interested in our research, with all the resulting effects particularly in terms of social selection, we decided to compensate the parents for their participation in the study.

Our study therefore involves children and their parents and focuses on what could easily be considered a sensitive topic, i.e. nationalism. It implies collecting data in a ‘highly qualitative’ manner, insofar as the statements recorded are personal, perhaps even intimate, and the data difficult to anonymise (see below). Finally, it uses an indirect, even projective, approach that might seem to be studying the parents without their full knowledge. All these features led us to worry that it would be difficult to obtain our project’s ‘entry on the research centre’s register of processing operations’, which is a prerequisite to beginning field work. Before describing exactly how this process unfolded, we shall begin by explain our understanding of the new GDPR requirements as they apply to researchers of all kinds and particularly in the social sciences.

The GDPR’s Key Notions: Personal Data, Information, and Data Protection; ‘Special’ or Sensitive Data, and Informed Consent

The key resource in France for understanding how GDPR applies to social science research is a document entitled Les sciences humaines et sociales et la protection des données à caractère personnel dans le contexte de la science ouverte [The social sciences and humanities and the protection of personal data in the context of open science] (André-Poyaud et al., 2019). This document provides a detailed account of the reasoning and categories that we should apply to our studies – an account that is far more exact, in legal terms, than the one we shall provide here. In this text, we discuss the GDPR framework for the social sciences in our capacity as social science practitioners and using terms that account for the ways in which we came ultimately to understand the regulation. Any translation implies some form of betrayal of the original, but translation remains essential in order to communicate between different cultural worlds including professional ones. The cost in effort for understanding the rationale of the regulation seemed particular high to us, despite our colleagues’ endeavours to explain its subtleties to us. We therefore thought it useful to publish our ‘translation’, i.e. what we finally understood of it, in everyday language.

We can certainly discuss the effects that the GDPR will have on how we conduct research, but it is important first to recall an essential point: the regulation was not designed for – or rather against – the social sciences. This is obvious every day when we surf the Internet and are now asked to consent to the use of cookies, or when we use services that will involve storing data about us. The regulation is indeed ‘General’ in the sense that it offers a framework for all social activities in which ‘personal data’ are produced and above all stored. In reality, research, as a task carried out in the public interest, benefits from certain specific dispositions making it possible (see below).

The GDPR regulation is not so much about how we produce data as it is about what we then do with that data. This sets it apart from the ethics committees⁴ which, for many researchers, are now an implicit point of reference when it comes to institutional frameworks overseeing field work. In the case of the GDPR, the concern is not so much with ensuring that our research practices comply with ethical principles as it is with following a legal regulation that aims to protect research participants’ personal and identifying data. Of course, the GDPR is linked to ethical issues. It is a legal norm and, as such, it serves to set up a social arbitration of what should and should not occur. However, compared to ethics committees, ensuring study compliance with the GDPR essentially consists in checking that the personal data we process as part of our research is protected, thus safeguarding us from potential legal proceedings on the part of our participants should they disagree with how we use data concerning them.

Before coming back to what taking the GDPR into account actually entails on a concrete level when we conduct research, we shall outline and briefly discuss the types of data underpinning the different levels of protection for which the regulation makes provision. The ‘personal data’ to which the GDPR refers is information that directly or indirectly allows a person to be identified. In the social sciences, and especially in qualitative studies, it is rare for us to produce and process data that are truly anonymous (i.e. that allow no identification whatsoever, even when cross-referencing information). It is possible to work using categories that are broad enough to make it practically impossible to identify participants, for example age categories rather than a year of birth, broad socio-occupational categories rather than a specific occupation, the general features of the place of residence rather than the actual name of a town, village, etc. Marie Plessz explains that in the case of certain questionnaire-based surveys these operations are possible without being too detrimental to the analysis (Plessz, 2020). Theoretically, this can also be done in qualitative studies. In the text published in this issue, Daniel Bizeul relates how he anonymised a survey of French Front National activists in order to make it available in a databank and emphasises how costly this was. First, because anonymising study material to such a degree that it can be freely consulted requires considerable time. Second, because converting this material also comes at a substantial cost to its sociological quality. By subsuming the diversity, refined and embodied nature of the material we produce within broad and/or neutral categories, we drain it – ‘clean it’, almost – of some of its sociological richness. This runs the risk, writes Bizeul, of ‘extinguishing all hope of an understanding rooted in the actual lives of human beings’ (Bizeul, 2021, in this volume). Faced with these difficulties, working on data that are not anonymous may seem a highly legitimate choice. But then these data must be protected.

In GDPR terms, the social sciences collate four types of data: anonymous data (1), personal data that concern directly or indirectly identifiable natural persons (2), and personal data that are considered ‘special’ either because they focus on sensitive topics⁵ (3) or because they entail particular risks (4). The GDPR first establishes that personal data collection and processing must involve providing information to data subjects and making their data secure. It then stipulates that collecting special or risky data is prohibited, but that there are particular provisions including exemptions for ‘tasks carried out in the public interest’. State-funded research, especially when conducted in a CNRS research centre, falls under the remit of this exemption. It is therefore entirely legal for researchers to collect and process personal data provided they respect certain conditions, which are more or less demanding depending on whether or not the data in question fall into the category of sensitive or potentially dangerous data.

Let us look at this in more detail. Data that allow the subject to be identified but are not considered particularly sensitive can be collated and analysed, on several conditions. The first condition is essential and we will come back to it in detail in the third section of this text: the data must be made secure in material terms. At a time when information can be extracted from the Internet in myriad ways, security means ensuring that study materials are not accessible to any person who does not have specific authorisation to consult them. The second condition is that data collection must respect a principle of relevance and proportionality, that is to say the data must correspond to the analytical aims of the research. This requires having a fairly precise idea, from a very early stage, of why we are doing the research, which can prove problematic for any work – and this includes most qualitative studies – that takes an inductive approach. Luckily, the GDPR does make provision for altering and refining the objectives of data processing as the research progresses. It is then necessary to remember to adapt the information given to participants accordingly. This information, which is a requirement of the regulation and which few research centres provided before, must remain available throughout the research process. It must also stipulate what will happen to the data once the results have been published. For as long as we are working on them, they must be stored securely (see below). After they have been processed, however, they must be destroyed, anonymised, or archived on secure storage for future use, solely for the purposes of scientific research.

If the research also focuses on data considered sensitive, a ‘principle of lawfulness’ must be followed: in our case, this is the exemption in place for tasks carried out in the public interest, combined with the consent of our study participants. The category ‘sensitive data’ relates to everything concerning opinions – political or ‘philosophical’ – as well as health, sexuality, ‘ethnic’ origin, religious beliefs, trade union membership, and legal data. Up until now, and when the circumstances of access to participants allowed it, some researchers did ask the latter for their consent for ethical reasons. Today, this has become mandatory. Furthermore, when our participants consent to provide us with the data we require, they must also certify that they have been fully informed about the project’s uses. In other words, they must understand what we intend to do with the information they give to us and they must know how we intend to store their data, both during and after the research.

The final ‘level’ of data protection for which the GDPR makes provision concerns data that could place data subjects in danger if revealed. This could be owing to the nature of the information (on sexuality, for example) or to the participants’ particular circumstances (especially those who are vulnerable or dependent). Our use of data about them therefore presents risks that extend beyond simply contravening their wishes in terms of what we do with their information. In this case, an extra level of protection is required and in order to define it, it is mandatory to conduct an impact assessment of the effects for these people’s privacy.

To summarise, the GDPR does not concern truly anonymous data that do not allow data subjects to be identified, whether directly or indirectly. However, it does require us to limit the personal data we collect and process, to ensure that they are stored securely, and properly to inform the people they concern. Moreover, in theory it prohibits working on data considered to be sensitive but there are exemptions, which include tasks carried out in the public interest such as research in a state research centre. However, in these cases it is still necessary to obtain the participants’ informed consent. Finally, if we suspect that disclosure of the data could prove dangerous, an in-depth assessment must be envisaged. The general idea underpinning this mechanism is the following: the information that our participants provide is not a gift that they give us and that we can use in any way we choose. As long as they are alive, these data belong to them. Rather than no longer conducting research with them, we must work on protecting this information, which never belongs to us, and ensure we have the means to prove that we have done so should one of our participants feel aggrieved. To achieve this, certain measures are necessary and we outline these in the two sections that follow.

A Declaration of GDPR Compliance Obtained without Encountering Opposition

We received our first funding for this study shortly before France went into its first lockdown. The INJEP⁶ agreed to fund an exploratory phase requiring several series of interviews with families to test our methodology. The lockdown made these interviews impossible, so it seemed sensible to us to use that time to complete the various necessary steps related to the GDPR.

Timeline of our Exchanges with the CNRS Data Protection Department

Our research centre has several parent institutions and could have chosen to refer to the personal data protection department of any one of them. It chose the CNRS Data Protection Department (henceforth DPD), which is run by Gaëlle Bujan. In July 2019, the DPD comprised 6 people responsible for several hundred centres. On 27 March 2020, we sent the first version of our authorisation form, along with the research project and a draft outline of our project intended for our website (we will come back to this), to the address indicated. We immediately received acknowledgement of receipt, signed by the DPD stating that they would get back to us as soon as possible.

On 20 April (in the middle of the lockdown), we had still heard nothing back and wrote to the DPD again stating that we had, in the meantime, put the description of our study online on the Centre Emile Durkheim’s website, in accordance with what we had set out we would do a month earlier. Three days later, the head of the department replied asking us for our interview grids. We responded immediately with the provisional ‘discussion scenario’ we had devised, specifying that the lockdown had prevented us from testing the study protocol as planned. On 5 May, we wrote a follow-up email explaining that we were wondering about the possibility of obtaining ‘family’ consent rather than individual consent from each parent and child – a question we had asked ourselves after having delved further into the literature on studies involving children that emphasises the difficulty of obtaining their consent (Davies, 2008).

On 15 May, we received a first substantial reply from Emilie Masson, who is responsible for the DPD’s legal coordination, summarising what she had understood of our project in relation to the key points relevant to determining the level of protection necessary for our data. If the data processing took place as part of a research project and in the families’ homes, as long as the data did not fall under the category of ‘sensitive’ data then we did not need to obtain consent unless we intended to film or record our interviews. She also underlined that we should better describe how we intended to ensure the data remained secure, given that the care taken to ensure material data protection is a key point in the new regulation.

We asked to speak to Emilie Masson on the telephone, who agreed to do so that very day. This allowed us to specify the ‘sensitive’ nature of our data insofar as the parents’ opinions on education would necessarily reveal more general opinions – particularly in ‘political, philosophical, and religious’ terms – and insofar as the detailed presentation of the family would necessarily reveal its members’ ethnic or racial characteristics or origin. Following these details, this legal specialist concluded that our data would indeed be sensitive and that we therefore did need to obtain individual consent from the parents – but not the children because, as she explained to us, it was up to each parent to consent for their child. We therefore sent the completed data protection form back to the DPD and proposed an initial version of the consent form.

On 18 May, a further email from E. Masson raised the question of the transcriptions we had stated we intended to have done by a professional. In the eyes of the law, this meant using the services of a subcontractor. It would therefore be necessary to sign an agreement with that person, in order to make sure that he or she would also ensure the security of the data. However, it was agreed that we could resolve this issue later when we reached that stage. We would simply have to send the agreement to the DPD that would then validate it (after having pointed out any necessary changes), add it to our file, and alter our entry accordingly.

The same day, Sylvie Collignon, a legal assistant in the department who answers the requests for information sent to the DPD, sent us the draft of our study’s entry on the research centre’s register of processing operations, for verification. As soon as she received our remarks, she provided us with a registration certificate, which gave us de facto authorisation to begin our interviews. It had therefore taken us a little under two months, two dozen emails, and one telephone call to obtain our open sesame, without counting the time it took us to prepare the documents required. Let us now turn to what has to be sent to the DPD as part of this application.

Filling out the Registration Form for the Research Centre’s Register of Processing Operations

On a formal, or legal, level, authorisation for researchers to use personal data in their studies is provided by the data processing in question being entered on the research centre’s register of processing operations. This is a virtual register, in our case managed by the CNRS Data Protection Department, which in principle concerns all the centre’s processing whether scientific or administrative. In order to obtain this entry, a registration form must be filled out and sent to the email address dpd.demandes@cnrs.fr along with a few documents to allow the DPD team to understand the project and determine the necessary level of protection for the data that will be collected and processed. This form can change and indeed, it did change between May when we obtained our entry and November as we are writing these lines. We have attached, as an appendix to this article on the BMS website, the version of the form we filled out and on the basis of which we were authorised to conduct our study. It will be clear that many sections and boxes remain empty insofar as the same document will be used for different purposes, for example, by a research unit organising a large conference and creating a database of delegates for that purpose. Our form differs quite considerably in its presentation from the version currently distributed by the DPD, but the sections and information requested remain the same. We shall now give a brief overview of this form.

Initial entry or modification: this does not require any detailed commentary, other than to note that this first question does indicate that the project – or the processing – can be modified. One concern researchers have is that research projects evolve over time. We should not hesitate to inform the DPD of these changes. Unlike ethics committees, the DPD will not refuse authorisation, but it may require reinforced data protection if, for example, the type of data changes as the study progresses.

The first part of the form identifies the stakeholders. The person responsible for processing: strange as this may seem to researchers, this conforms to the organisational hierarchy of CNRS units and refers to the director of the research centre and not the person conducting or coordinating the study.⁷

The person responsible for implementation: this does refer to the researcher behind the project whatever his or her status (incidentally, the form itself does not use gender neutral language, but refers to these roles in the masculine singular). This will be the Principle Investigator (PI) in the case of a funded project but also the doctoral student in the case of PhD theses (with the exception of PhDs funded by collective research projects and using the same data).

It should be noted that the new form also specifies the ‘department responsible for rights of access and means of exercising that right’ that did not exist in the previous version. This refers to the people to whom those interviewees, dissatisfied with how their data has been processed, can turn for explanations and redress. In a SSH research centre such as ours, the person responsible for implementation, i.e. the researcher in charge of the project, fulfils this role if necessary.

Use of a subcontractor: if the team uses a service provider of any kind, this must not only be indicated but an agreement must be signed with that service provider in which they commit to protecting the data and explain how they intend to do so. In our case, this will be the person who will transcribe our interviews, once a protocol has been established by Louisa McDonald (the doctoral student funded by our project) based on transcriptions of the interviews with the test families.

Contact person: this simply provides the DPD with the contact details of the person who is going to follow up the processing application. In our case, as with most SSH projects, it is once again the person responsible for implementation, i.e. the person in charge of the study.

The second part of the form aims to explain what exactly the processing of personal data will entail in the case at hand. In our terms, this means providing an outline of the research project. Emphasis is placed on how the project will be implemented but the projects objectives must also be indicated given that, as we have seen, the GDPR establishes a principle of proportionality between the data collected and their intended use.

What is the purpose, the objective of the processing? We have to begin by summarising our study’s aims in a way that is comprehensible to everyone. The first readers of this document will be the members of the DPD, who are legal experts not social science researchers. It is perfectly possible, and even desirable, to attach the research project itself, but this is more for the file than anything else as it is clear that the people we deal with at the DPD are unlikely to have the time to read it. It is worth polishing the summary of the aims in a few clear sentences as this will be used again for the consent form and the online description of the project.

Lawfulness: As we have already mentioned, the GDPR prohibits processing ‘special’ or sensitive personal data, but with exemptions including tasks carried out in the public interest and state-funded research falls under this category in general. In this case, it is still necessary to obtain informed consent from study participants in order for the processing to be considered lawful.

Description of the processing: here the form asks for documents to be attached explaining how the data will be processed. In the case of a qualitative study like ours, which uses interviews, processing in fact refers just as much to how the data will be collected and produced as to the methods of analysis, which are rarely outlined in much detail. It is important to remember also to provide, in addition to the research project, the interview grids or document serving as an equivalent (in our case, the discussion scenario).

People concerned by the processing: this refers to our research participants. The number of people will depend from one study to another but for classic qualitative studies we will, in all likelihood, tick the box from 10 to 99. We must also specify, in writing, whether there is anything particularly sensitive regarding these people (all relevant explanations are provided on the form) and how we go about recruiting them.

Measures taken to inform people: alongside material data protection, informing data subjects is one of the GDPR’s two main ideas. In the case where consent is required, it cannot be simply a verbal agreement or signature, as used to be the case in the past. Consent must be informed, and informed over time insofar as participants must have the possibility to change their mind and request that the information concerning them be withdrawn later, even if they provided (informed) consent at an earlier stage. The information in question is therefore twofold: as we have already seen, it focuses on the project, its purposes, the data collected, and what will be done with it; but it also focuses on the participants’ rights, on what we must tell them about the study, on the fact that they are not obliged to participate, and on their right to withdraw at any time. Finally, we must be able to provide evidence of this information in the case of an appeal.

For our study, we therefore chose to provide information in two ways: the first when we obtain consent and begin to collect data and the second to ensure that any participants who experience doubts can retrieve the information and ask for further information or for their data to be withdrawn from the study. The first method consists in giving the parents a document, at the time of the first interview, with all the information listed on the form, that is to say:

The people concerned must be informed, at the moment of data collection, of the identity of the controller, the purposes of the processing, whether responses are obligatory or optional, any potential consequences they might face for failing to respond, the recipients of the data, how long the data will be stored, and their right to object, their rights of access to and rectification, erasure, and limitation of personal data, their right to data portability, and how to exercise these rights, as well as the legal basis for the data processing and their right to file a complaint with the CNIL [French data protection agency] (Registration form for the CNRS DPD register, June 2020 version, p. 6).

The ‘Guide de l’InSHS’ offers a template for both the information document and the consent form (André-Poyaud et al., 2019, p. 29 sq.), however the language is very technical and legal. Given how dry it is, it seemed necessary to us to translate this information into more down-to-earth language that ‘de-judiciarised’ it somewhat, in order to avoid placing our research relationship with the study participants on that level.⁸

In order to do this translation, we drew on the work we did to devise our second mode of information, i.e. the page we drafted for our research centre website to ensure the information was available in the long term. In our experience, participants do not take particular care to keep the document we give them to read, far from it. It is therefore important that they can easily find us again if they have any concerns later on. Breaking down this information and putting it online helped us to express it in less dry terms. https://durkheim.u-bordeaux.fr/Organisation-de-la-recherche/Identifications/Projets-finances/ETPAF.⁹ We then reused this information to put together the document we would give to participants when obtaining their consent, referring them to the website for more detailed information.

The third part of the form focuses on the data themselves. It has to allow the DPD to assess the necessary level of protection for GDPR compliance: are these personal data, but which could be disclosed without major consequences? Are the data sensitive, therefore requiring absolute confidentiality? Or even data which could endanger the subjects if they were disclosed?

Description of the data: an initial table makes it possible to look through a series of types of personal data, from civil status to geolocation or professional and financial data. These must be listed and it must be stipulated how the data will be collected and how long they will be stored: here we advise indicating the estimated time until the end of publications, so about five or six years. This table is then supplemented by a second one for providing details of the special data that we often refer to as ‘sensitive’ data. Based on these tables, the DPD is then able to establish that the principle of proportionality between the purposes of the research and the data collected has been respected, and then to assess, first, whether or not the data subjects’ consent is necessary, and second, whether a more stringent mechanism should be considered because collecting and potentially disclosing this data could put participants at risk.

Recipients of the data: another table requires us to list one by one the different recipients of the data, before specifying in detail any that (potentially) concern the circulation of the data outside the E.U. At this stage, it is necessary to think about how the data will be passed on from one team member to another.

The fourth part of the form is devoted to data security. It seemed to us more complicated to fill out than the previous part because it related to issues about which we were not well-informed, particularly making data secure in a digital format. Above all, it called into question very fundamentally the admittedly quite cavalier ways in which we tend to work. Technological progress, from tape recorders to smartphones with sophisticated microphones, and from typewriters to our constantly connected laptops, has considerably facilitated the collection of opinions. The permanent circulation of the information we store on our mobile phones and laptop computers (which now happens largely without our knowledge) makes it imperative for us to take measures to ensure that our study data does not fall into other hands, given that it is now clear that while we may have produced them, they do not belong to us.

Data location: the first technical issue to deal with is determining where our data will be stored. There is no longer any question of us leaving them on our computer hard drives without protection nor of keeping multiple back-ups on USB keys or Dropbox files. Yet our research centre, like many others, does not possess a secure server. It is therefore necessary either for it to invest in one, with the help of its parent institutions, or for our computers to be properly encrypted and for us to ban any transfer of data by email or other non-secure means, and to purchase encrypted and protected USB keys for backups.

Other security measures: the table itself is not especially informative for studies such as ours, where there is little question of users, accreditation, incidents, etc. We can tick the boxes corresponding to the ‘cryptographic functions’ but for those who, like us, are really not very familiar with these issues, it is better to describe in words that the DPD will be able to interpret exactly how we intend to ensure the confidentiality of our recordings, photographs, field notes, and transcriptions.

This question of the material security of the data does not only concern researchers. They will need the necessary equipment and this is going to require research centres, including ours, to make certain changes. To conclude this section looking at the authorisation request in practice, let us return quickly to the collective dimension of the reorganisation required by the GDPR.

Organisation at the Level of Research Centres

The application for an entry to be made on the research centre’s register of processing operations must make it possible to check that the studies conducted there comply with GDPR requirements and to anticipate any potential legal proceedings that could be brought about by participants who feel aggrieved by the way their personal data has been processed and disseminated. In this case, it is the Director of the Research Unit (DR) who is responsible and the penalties are severe: up to five years in prison and a 300,000-euro fine (Article 226-16 of the Penal Code). But it is also possible that the person responsible for implementation will be prevented from completing the research.

Insofar as they are responsible for processing operations in their research centres, it is up to the DRs to make material provision for study data to be stored securely. This can potentially lead to directors monitoring the studies being carried out in ways that researchers may experience as constraining. It is also probable, however, that the DRs find it just as disagreeable to have to deal with concerns about the security of the data processed in their centres and to play the role of inspector. In order to ensure that GDPR compliance does not create tensions between colleagues, it is therefore important for all researchers, whatever their status, to truly take this new regulatory situation into account. We have just seen that this does not only mean asking participants for their informed consent. In fact, the fixation that researchers have with the question of consent can be a problem because it overshadows the question of data security, which is really at the heart of the GDPR.

In concrete terms, these data must be stored on encrypted hard drives, keys, or computers, and must be transferred securely between the different project partners whose identities must all have been declared. Furthermore, access to the consent forms (which are by definition personal data) must be materially protected. One possible option – the one adopted by the research unit where we work – is to store them in a safe on the premises. Copies of study data, on encrypted storage, can also be kept there (which presents the advantage that we would not lose everything if our computers, hard drives, and work keys were lost or stolen). It is therefore necessary for research centres to set themselves up so that all people who collect and analyse personal data – beginning with doctoral students – have access to secure storage materials and transfer procedures. This represents a considerable investment. One option, in line with proposals for other expenses, would be to use the budgets of externally funded projects to buy some of the necessary material, especially for doctoral students, as a way of compensating for the projects’ administrative costs for the research centre but also of balancing out resources among colleagues.

We must also organise ourselves collectively to learn to fill out the registration forms for the research centre’s register of processing operations as efficiently as possible. The DPD team is small and if we want them to remain available to help researchers and their centres, and particularly if we want them to be able to process our initial requests and changes without too much delay, it is important that we send them the clearest forms possible. Each study, and so each processing operation, is unique, but the answers that need to be provided in order to secure the data are not, especially within the same professional environment, insofar as these answers are determined to a considerable extent by research traditions and the material way work is organised. Within research centres, or certainly within ours, support staff are too few and far between for us to be able to consider delegating all this extra work to them. It is necessary for researchers to share their experiences in order to make sense of a procedure which, in light of our own experience, can actually mean more than simply an extra layer of administration.

It means more, but what? How can we claim, as we did in our introduction, that by giving ourselves the means to respect the GDPR, we can contribute to ‘protecting the pleasure we derive from doing research’? In what ways and at what points can we be said, with our project, to have ‘protect[ed] the pleasure we derive from our research by taking on board the rules and adapting our methods in ways that then lend meaning to the changes we make’ as announced in our introduction? This text intends to help our colleagues better understand what the GDPR expects of us. We have therefore given a detailed account of how we filled in the form and obtained authorisation for our project. Beyond the laborious side of the procedures and timeframes, we also want to show how taking the GDPR principles seriously, and especially ‘informed consent’, led us to develop our study methods in productive ways.

An Additional Participatory Science Component

For our study on family transmission of banal nationalism, we brought together a team of researchers from different disciplines. We realised, as we wrote the project and during our initial meetings, that everyone on the team was not necessarily equally convinced by the hypothesis of banal nationalism, i.e. the omnipresence of the notion of nation in how people represent their place in the world and its harmful effects. From this perspective, we had initially suggested a title for the project that made explicit our hypothesis that nation was central in the points of reference passed on to children regarding politics and identity: ‘Red, white, blue teddies: Study of family transmission of the sense of nationhood’. However, our colleagues luckily made two remarks. First, in terms of the project’s content, given that to them it was not necessarily self-evident that the nation was central among all the frameworks of belonging given to children, we would have to begin by proving this. Second, in terms of how the project was presented, they were worried that for most people, the notion of ‘Red, white, blue teddies’ and ‘the sense of nationhood’ would be seen as referring to far right political positions, from which is it considered good form to distance oneself, and that this therefore was a far too divisive way of presenting our project.¹⁰ Before submitting the last version of our project, and thus before beginning our administrative steps with the DPD, we therefore returned to the ‘nationalism’ variable in our study and to how we presented it.

In terms of the substance, we wanted to give ourselves, collectively, the means to understand how our participants connected their ties to the nation with the other socio-political communities to which they might potentially feel they belonged, even though we (the two authors of this text) remain convinced that this will demonstrate banal nationalism – in other words, the all-powerful nature of the framework of nationhood in socialisation to the political order. In terms of the form, we tried to avoid using terms that referred, in everyday language, to political positions with which it might be politically costly to align oneself. Our title therefore changed to ‘Study on early childhood transmission of forms of belonging in the family context’ – which in French gave us a nicely energetic acronym: ETPAF¹¹.

When we started the process for obtaining authorisation for our project, we therefore presented the study and its aims by expanding the forms of belongings that we stated we wanted to investigate. It was therefore based on this information that our participants would consent (or not) to participate in the study. However, we soon began to feel disloyal towards these people whom we were going to ask to confirm that we had told them everything about the purposes of the study before they consented. Projective methods pose ethical problems because they do not give participants all the tools to direct their replies and they therefore establish a profound inequality in the exchange and production of knowledge – this idea is not new. Almost fifty years ago, the feminist sociologist Liliane Kandel used this argument to critique the unstructured interview, itself partly inspired by clinical psychology (Duchesne, 1996; Kandel, 1972). However, at the time, it was rare for the issue of inequalities in the social division of the questioning process to be raised. The data that participants produced by complying with sociologists’ requests were considered to be the property of these sociologists. And above all, interviewees were not asked for their informed consent.

The GDPR, on the other hand, states that the very personal – and both identifying and sensitive – statements produced by participants in study protocols such as ours in ETPAF remains the property of those participants, i.e. of the parents in our case. Furthermore, it requires us not only to obtain their consent to the study but also to ensure that when they give this consent, they explicitly state that they are fully aware of the reasons why we are asking for their participation. It soon seemed to us that concealing the reality of our questions about nationalism, in both the title and the brief presentation of our study, equated to a lack of loyalty even though this omission was scientifically justified.

In order to ‘make up’ for this and not walk away from ‘our’ families at the end without having actually enlightened them about our intentions, we eventually introduced a discussion at the end of each series of interviews that focused on our hypothesis that the notion of ‘nation’ is a central point of reference in our systems of belonging. Mirroring the beginning of the very first session, in which the two investigators take time to present the study to the parents and obtain their informed consent, in this final sequence of the third interview, we explain the theory of banal nationalism. In doing so, we use skills we learnt during a popular education training session that we attended to devise a conférence gesticulée (or ‘dramatised popular lecture’; see https://conferences-gesticulees.net/) on banal nationalism. We begin with the idea that nations are socially constructed and historically recent and then discuss how we are led to forget these facts, in the day-to-day, in banal ways which instead impose the idea that nations are eternal and thus inescapable – in political discourse, in media coverage of current affairs, in the way products we buy every day are marketed, and so on.

This change in our interview scenario came from the need to inform our participants as much as possible about our hypotheses, but it in fact led to discussions that were far richer than we could ever have imagined. During the test interviews, it seemed to us that our participants had truly grasped the aspects of their relationship to the world on which our work was focusing. There were some very meaningful moments when they seemed to be questioning, with us, the ways in which nationalism weighs upon our lives, their lives, and right into their homes and their children’s bedrooms. In other words, there was clearly informed consent, even though the full information was only provided at the end of each series of interviews.

In this case, GDPR compliance afforded us an opportunity to add a ‘participatory science’ dimension, with hints of popular education, into our study protocol itself, despite this not being initially planned when we put the project together. Of course, it did not force us to do so: the way this unfolded in our case was also the result of our own research perspectives. While we are not yet in a position fully to assess the consequences in terms of the material we have collected, we do find very promising first, the research relationship it allowed us to establish with our participants and second, the co-construction of knowledge it allowed us to initiate.

In point of fact, the GDPR does establish a change in the relationship between science and society (among the other areas of social activities it regulates). The academic world has long been inhabited like a fortress by those within its walls or experienced as such by those outside them. In fact the very etymology of the word ‘university’ refers back to the image of an autonomous space withdrawn from the agitation of the world (Verger, 2013). And while this relative autonomy is beneficial in several respects (Lahire, 2016), it seems to us that the argument of the ‘exceptional’ nature of universities can also pose problems, especially when it is marshalled to justify practices that are both questionable and rarely absolutely necessary, e.g. recording interviewees without their knowledge, disclosing information concerning them without worrying about whether or not they might be identifiable, keeping their statements on record when they do not wish this to be the case, and so on. For those of us who conduct our research with people we often refer to as ‘ordinary citizens’, the GDPR establishes a more symmetrical relationship. At the very least, by stating firmly that the data concerning our participants belong to them and that we must negotiate our access to and use of these data with them, it forces us to work ‘with’ them, to some extent, rather than ‘on’ them. And this is perhaps no bad thing.

This is the meaning we wanted to give to the expression we borrowed from Ruth Bader Ginsburg: ‘time is on the side of change’. When she was fighting to change the law, there had already been a shift towards greater equality between men and women in many segments of society. But it took considerable effort to get this change enshrined in law. Here, on the contrary, it seems to us that the principle of equality regarding personal information that is enshrined in law by the GDPR, and that most of us no doubt consider to be beneficial, has yet to be accepted where research is concerned. This is no doubt a further loss to the privileges of universities at a time when their monopoly over the production of knowledge is also disappearing. While in many respects, this is regrettable,¹² as academics we can also rejoice when the erosion of some of these privileges helps us to establish less unequal relationships with others, especially in the case of research relationships with our study participants. We wager that for the kind of studies that we carry out, engaging in a more participatory form of science will in fact enhance the quality of our research.

Supplemental Material

Supplemental Material, sj-pdf-1-bms-10.1177_0759106321995709 - Is Time ‘on the Side of Change’? Incorporating the GDPR in (some of) our Research Practices

Supplemental Material, sj-pdf-1-bms-10.1177_0759106321995709 for Is Time ‘on the Side of Change’? Incorporating the GDPR in (some of) our Research Practices by Sophie Duchesne and Maylis Ferry in Bulletin de Méthodologie Sociologique

Supplemental Material

Supplemental Material, sj-pdf-2-bms-10.1177_0759106321995709 - Is Time ‘on the Side of Change’? Incorporating the GDPR in (some of) our Research Practices

Supplemental Material, sj-pdf-2-bms-10.1177_0759106321995709 for Is Time ‘on the Side of Change’? Incorporating the GDPR in (some of) our Research Practices by Sophie Duchesne and Maylis Ferry in Bulletin de Méthodologie Sociologique

Footnotes

Acknowledgements

We would like sincerely to thank our colleagues who read this text and offered many comments and suggestions: Camille Bedock, Alexia Boucherie, Damien Cartron, Delphine Coudrin, Dominique Darbon, Florence Delmotte, Maël Gauneau, Xabier Itçaina, Viviane Le Hay, Irene Lizzola, Violaine Rebouillat, Isabelle Rigoni, Emilie Ronflard, Caroline Sagat, Andy Smith, Alina Surubaru, Benoit Tudoux, and Cécile Vigour. Having been fortunate enough to receive so much helpful advice, we were not able to include it all, but this in no way detracts from our appreciation. We would also like to express our immense gratitude to the members of the CNRS DPD – especially Gaëlle Bujan and Emilie Masson – for their detailed feedback. If this text faithfully communicates the spirit, if not the letter, of the GDPR, it is thanks to their help. Finally, we extend our warm thanks to Lucy Garnier who translated this text with great accuracy and faithfulness.

Declaration of Conflicting Interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: The research on which this article is based receives the following funding: INJEP, convention 2020-001-MER; DEPS (Ministry of culture), convention 2020; Changes Department, Bordeaux University, program 2020; Region Nouvelle Aquitaine, contract AAPR2020F-2019-8102110.

Supplemental Material

The French version of this article is available on the BMS website. It can be downloaded as ‘supplementary material’ from the online version of this article. You will also find the form filed to check the conformity of the project with the GDPR.

Matériel supplémentaire

La version française de cet article est disponible sur le site internet du BMS. Elle est téléchargeable en tant que “matériel supplémentaire” joint à l’article. On trouvera aussi le formulaire déposé pour vérifier la conformité du projet au RGPD.

Notes

References

Anderson

BRO

(1991) Imagined Communities: Reflections on the Origin and Spread of Nationalism. Londonn/New York: Verso.

André-Poyaud

Astor

Baude

Boudjaaba

Bujan

Collignon

Dubois

Kessous

Maurel

Roger

(2019) RGPD – Guide pour SHS. Paris: Institut SHS du CNRS

Anzieu

Chabert

Louët

(2017) Les méthodes projectives, Paris: PUF.

Balsiger

, et al. (2020) Why a special issue on ‘precarity’? Bulletin of Sociological Methodology/Bulletin de Méthodologie Sociologique 147/148: 8–12.

Billig

(1995) Banal Nationalism. London/Thousand Oaks, CA: Sage.

Billig

(1996) Nationalism as an international ideology: Imagining the nation, others and the world of nations. In: Breakwell

Lyons

(eds) Changing European Identities: Social Psychological Analyses of Social Change. Oxford: Butterworth and Heinemann, 181–194.

Bizeul

(2021) Faut-il tout dévoiler d’une enquête au Front national? Réflexions sur le partage des données et le devoir éthique en sociologie. Bulletin of Sociological Methodology/Bulletin de Méthodologie Sociologique 150.

Davies

(2008) Reflexivity in research practice: Informed consent with children at school and at home. Sociological Research Online 13: (4)5.

Duchesne

(1996) Entretien non-préstructuré, stratégie de recherche et étude des représentations. Ou: peut-on déjà faire l’économie de l’entretien ‘non-directif’ en sociologie? Politix 35: 189–206.

10.

Gellner

(1983) Nations and Nationalism. Ithaca : Cornell University Press.

11.

Haggerty

(2004) Ethics creep: Governing social science research in the name of ethics. Qualitative Sociology 27 (4): 391–414

12.

Hobsbawm

(1992) Nations and Nationalism Since 1780: Programme, Myth, Reality. Cambridge, UK/New York: Cambridge University Press.

13.

Kandel

(1972) Réflexions sur l’usage de l’entretien, notamment non-directif, et sur les études d’opinion. Epistémologie sociologique 13: 25–46.

14.

Lahire

(2016) Pour la sociologie et pour en finir avec une prétendue ‘culture de l’excuse’. Paris: La Découverte.

15.

Lavabre

M.-C

(2002) Un exemple d’utilisation de méthode projective en sociologie. In: Donegani

Duchesne

Haegel

(eds) Aux frontières des attitudes entre le politique et le religieux. Hommage à Guy Michelat. Paris: L’Harmattan, 297–311.

16.

Plessz

(2020) Un protocole pour une enquête par questionnaire anonyme au sens du Règlement européen. Bulletin of Sociological Methodology/Bulletin de Méthodologie Sociologique 145: 100–110.

17.

Throssell

(2015) Child and Nation : A Study of Political Socialisation and Banal Nationalism in France and England. Bruxelles/New York: P.I.E. Peter Lang.

18.

Vassy

Keller

(2008) Faut-il contrôler les aspects éthiques de la recherche en sciences sociales, et comment? Mouvements 3: 128–141.

19.

Verger

(2013) Les universités au Moyen Age. Paris: Presses Universitaires de France (Quadrige).

Supplementary Material

Please find the following supplemental material available below.

For Open Access articles published under a Creative Commons License, all supplemental material carries the same license as the article it is associated with.

For non-Open Access articles published, all supplemental material carries a non-exclusive license, and permission requests for re-use of supplemental material or any part of supplemental material shall be sent directly to the copyright owner as specified in the copyright notice associated with the article.

0.00 MB

0.38 MB

1.11 MB