How can I ensure that my surveys are GDPR compliant?
Last updated
This page provides some practical instructions to help our Users run surveys that are fully GDPR compliant.
Article 28 of GDPR states that:
The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
It is therefore your responsibility to make sure that your data processors operate in a GDPR-compliant way.
So if you have a Data Protection Officer, ask them to check your suppliers' (processors') privacy and security policies to ensure that they adhere to the GDPR.
We can assure you that our survey tool is GDPR compliant, and you can read more here.
The first Principle of GDPR is that personal data must be 'processed lawfully'.
We understand this to mean that either or both of the following is in place:
Consent. When collecting personal data your respondents must deliberately and willfully tell you that it is OK that you collect data about them, for the purposes that you clearly explain to them.
Legitimate interest. When collecting personal data you (your organization or company) should be able to convincingly show that collecting personal data is in your legitimate interest, i.e. that it is in your (and your customers') interests to collect feedback, data and their personal information. For example, to solve your customers' problems or to enhance your services.
If you genuinely believe that your research and use of data rests on a legitimate interest and is respectful of your Respondents, then you do not also need to obtain consent. Just make sure you are completely transparent about how and why you are collecting data and the part it plays in your research process. Also give people the chance to contact you for further information or to opt out. Otherwise, you must obtain consent.
Consent basically means getting permission for something you want to do. Consent must be "unambiguous", and in the case of sensitive personal data, "explicit".
This means you cannot use tactics like pre-ticked checkboxes, or trick people into agreeing to something that they do not really understand or have not properly read.
According to the GDPR, for non-sensitive data you need "unambiguous, affirmative" consent, not "explicit" consent. Therefore, you can rely on a clear notice at the start of your survey, combined with the respondent's deliberate choice to proceed,
for example:
By filling out this survey you agree that we will process your data in line with our privacy policy
The example above shows how consent for non-sensitive data can be obtained in a survey, using a landing page.
Note that this is just an example. The amount of information that you provide here and how you describe it is up to you and your research case.
Remember that you must explain what personal data is being processed, the purpose of processing, the intended retention period, the data subject's rights, the source of the data and the conditions of processing. Of course this can become a heavy start for a survey and you do not want to scare people away. So it is good to keep it short and add a link to your privacy policy page, or to a page that fully describes your research process.
According to the GDPR, to collect sensitive data, you need “explicit” consent.
Therefore, in addition to the information you provide when collecting non-sensitive data, it is important that consent is given in the form of a clear affirmative action on the part of the data subject. In practical terms, this means asking for a positive "opt-in".
There are two main ways of doing this using our service.
First, Respondents are asked to agree to our own Terms of Service before they can start a survey.
Second, Users have the option to add their own terms, which can be displayed either on the page itself or as a pop-up box. This is an excellent way of getting explicit consent for collecting sensitive personal data, as Respondents must give this consent before they can commence the survey. There is also a clear opt-out option.
Perhaps you want to collect several pieces of sensitive data about your respondents. Describing why you need each of them at the beginning of the survey could easily become too much and too intimidating.
What you can do instead is provide general information about why you are collecting Respondents' data and how you will protect it on your landing page, and then describe how each specific piece of data will be used right under the question itself.
Our platform has a feature called 'helper text'. Helper text is announced by screen readers and adds a piece of text in a smaller font size underneath the question text. You can use this to explain why you need the data. Make sure these questions are marked as 'optional'.
Here are a couple of examples of how it could look:
This way, you are not only more transparent and clearer about your use of their data (which is in accordance with GDPR), but the information is also easier for a human brain to process. It will be less scary and less intimidating to answer your questions.
It is great to obtain consent. But what if some people say 'no'?
You must make it as easy for respondents to refuse consent as it is for them to give it.
If your respondents refuse consent but have either already answered some questions containing personal data, or provide personal data anyway, it is your responsibility to manually remove any of their personal data that has been collected. We can help you do this, but it can be time consuming and so is best avoided.
With our service, you can export collected survey data in different formats, and share it with 3rd parties (externally, not within our system).
You will be reminded of your data protection responsibilities before downloading any data. You will also have the option of downloading an 'anonymized' dataset.
An 'anonymized' dataset will not include any metadata or response field that has been marked as 'private' by the person who created the survey.
If you do export a 'raw' or 'humanized' version of your survey results, it is your responsibility to keep the data safe and treat it in line with GDPR.
What happens if you discover that there has been a data breach and the personal data you collected has been exposed to third parties?
Reporting is only required for breaches which are likely to result in a:
"risk to people's rights or freedoms"
"discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage."
If you identify that there is a "high risk to their rights and freedoms", then you must notify your respondents too.
For most types of feedback forms it is quite difficult to consider a data breach high-risk, unless you are processing sensitive data, for example if your business is in the health sector.
Article 33 of GDPR states that if your respondents' personal information is exposed in a way that risks or damages them, you (the data controller) must notify the personal data breach to the competent supervisory authority not later than 72 hours after having become aware of it.
Finally, a good place to put the information described above in your questionnaires is the landing page. This feature allows you to add a welcome page for your survey, which can include text, pictures and a button to START the survey.
Make sure you have a Privacy Policy that you can refer to and that is compliant with GDPR. This guide can help you write a Privacy Policy if you do not already have one in place.