How to Write GDPR-proof Privacy Policy for your Surveys
Last updated
As we referred to in this guide about , an important part of having a GDPR-compliant survey is having a GDPR-compliant privacy policy. This guide helps you write a GDPR-compliant privacy policy for your surveys.
The most important aspect of a GDPR-compliant privacy policy text is that it must be written in a simple, easy-to-understand way. Therefore, you should avoid the jargon commonly seen in legal texts.
So, a good privacy policy text for your surveys should be:
Short
Easy to read
Easy to understand
With no legal jargon
To establish trust and obtain consent from your respondents, you need to write a transparent and straightforward policy.
In a privacy policy page intended for a survey or research project, you normally explain who you are (if your respondents don’t already know about you or your organization). Additionally, your policy must clarify the type of personal data processed, the purpose of processing, the intended retention period, data subject rights, the source of the data, and the conditions of processing.
So, these are the points that need to be explained in your text:
What you collect and how. In your text, explain what type of personal data you are collecting and how. Is it respondents’ email, name, or IP address? Is it simply by asking them questions, or are you collecting data automatically (for example their geo-location or IP address)?
Why you collect. Your privacy policy text must clarify your reasons for collecting personal data. Explain for instance why you need their email. Do you have good reasons for collecting their name or address?
How you will use their data. It is important to let your respondents know how you are going to use their personal data. Are you going to share it with third parties? In that case, say who these third parties are and why you need to share the data with them. If you ask for their contact info, for instance, are you going to use it to contact them, or to send them something?
How long you will keep their data. The GDPR requires you to define a so-called “data retention” period when you collect personal data. Thus, your privacy policy text should explain how long you will retain the data. After your data retention period is over, you must delete all collected data, including data shared with third parties!
How secure the data in your possession is. Your privacy policy must also explain what security measures are applied when you collect, export, share, and store the personal data of your respondents. Which tools are you using, and are your data processors also taking the security of the data seriously?
Clarify your respondents’ rights. The GDPR clearly defines individuals’ rights over their own personal data. You must also make sure to reflect these rights in your privacy policy text and inform your respondents about their rights, which are as follows:
Right to access, view, and edit their own personal information in a timely manner
Right to be forgotten, which means their personal data being deleted from your survey results
Right to opt out from your future messages (e.g. if you use their data to send them ads or marketing messages)
Who to contact. Every organization that is collecting data from EU citizens must have a Data Protection Officer (DPO). The DPO is a person in the organization who can represent the organization with respect to data and privacy issues. Including the DPO’s contact information in your privacy policy is great for your respondents, in case they need to ask questions or exercise their rights.
We have gone through the requirements of the GDPR for writing privacy policies, but what then does a privacy notice actually look like?
You can present your privacy policy in different ways. It could be part of your survey’s welcome page, like the example below, which illustrates a fair way of getting consent for collecting non-sensitive data.
However, if suitable for your case, you can split up your privacy policy and spread it throughout the survey, displaying each piece of information where it is most relevant. This makes reading your privacy policy less intimidating for readers, while still letting them know how and why you are collecting their data.
In the example below, the part of the privacy policy that informs respondents of your legitimate interests for collecting the information has been built into the survey itself, with the 'help text' being used to explain the legitimate interest at the point of data collection.
When you ask respondents to provide their personal information, they may sometimes feel a bit guarded and doubtful. However, by disclosing your privacy policy up front, you’ll not only increase your response rates by immediately putting your respondents at ease, but also conduct your research more professionally and in accordance with the law.
Writing a GDPR-compliant privacy policy text is super easy if you just cover the points that we explained above.