On May 25, 2018, a new European Union (EU) data protection law, the General Data Protection Regulation (GDPR), takes effect. The GDPR gives individuals in the EU more control over how their data is used and places certain obligations on businesses that process the personal information of those individuals.
Professional Enterprise ReportR DistributR Here’s what you can do and what Pointerpro is doing to help you create GDPR compliant questionnaires and protect the personal data of your respondents.
- Is it necessary to update your surveys and quizzes?
- Basic updates you should consider
- Features that require “prior informed consent”
Keep in mind that this article is meant to be seen as a resource and not as legal advice. We encourage you to consult legal counsel on how the GDPR has an effect on your organization.
Need a quick first insight into whether or not your questionnaires are ready for the GDPR? Take this 1-minute quiz.
1. Is it necessary to update your surveys and quizzes?
The GDPR can be overwhelming, but complying often takes just a few small steps.
Firstly, determine whether or not you’re collecting personal data. If, for example, you use Pointerpro for anonymous surveys only, your questionnaires don’t require any updates.
Unfortunately, there’s no definitive list of what’s considered personal data, so it comes down to interpreting the GDPR’s definition: “Personal data means any information relating to an identified or identifiable natural person (the data subject).
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.”
In certain circumstances, someone’s IP address, hair color, location or job could be considered personal data. Just as much as that person’s full name or email address. The context in which data is collected is important: A seemingly irrelevant piece of data that you collected can become very relevant in combination with other data about that person.
That also means that general contact information, such as “info@” email addresses, can be ignored when considering GDPR as they are not linked to a specific person.
>>> Read more on what is considered “personal data” here.
Secondly, the GDPR only applies to data collected from EU citizens.
That also means that it applies to all companies based in the EU AND non-EU companies that collect data of EU citizens, regardless of a physical presence in the EU.
If the two considerations above both apply to your questionnaires, it is possible that you need to make a couple of changes. Usually, it’s not necessary to update your entire survey.
2. Basic updates you should consider
- Communicate transparently and in clear, understandable language what you will be using the collected data for.
You should notify your respondents at the moment the personal data is collected. (Not afterward!)
This should include every type of use, from analysis to sharing it with 3rd parties or reusing it in marketing communication for example.
A short notification in your survey (preferably on the first screen, or at least before you ask for personal information) is a great start. But add a clear link to a Privacy Policy page as well.
>>> Get started on a basic, GDPR-proof privacy policy with this blog post. Create clear opt-ins for any additional uses of personal data.
Aside from providing a clear privacy policy, these opt-ins are necessary according to the GDPR as they require respondents to take more direct and conscious action about sharing their personal data.
The request for consent should be distinguishable from other matters such as accessing the results of a questionnaire, using a service, … The consent must be given freely and be easy to withdraw again.
Additional data uses can be anything, ranging from marketing communication, sales follow-up, subscribing to a newsletter and more.
- Remove any unnecessary questions that collect personal data “just in case” which you cannot justify the use of.
Find out more detailed steps & tips in our blog: How to make a GDPR compliant survey.
3. Features in Pointerpro that require “prior informed consent”
The GDPR includes specific requirements for making a valid request for consent.
“If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.”
This means it’s not sufficient to have a clear and complete privacy policy that you link to within your questionnaires. Activating specific features within Pointerpro require you to inform your respondents separately in a way that is prominent and clearly visible to the data subject and that is user-friendly.
The consent request should be visible prior to that feature being activated.
>>> More tips for consent under the GDPR here.
Specific features to keep in mind:
Geolocation
Automatically collect location data from your respondents. Permission from the respondent via popup in the browser is needed for this feature. Luckily, this is already included in all types of browsers, so you do not need to worry about this.
The use of this feature in itself is not considered as collecting “personal data”, but in combination with other information can help in identifying a person. In that case, the GDPR applies.
>>> Help guide on Geolocation.My Contacts
Upload a list of respondents in Pointerpro, these are your “Contacts”. You can send them invitations to take part in upcoming questionnaires.
The fact that you’re uploading personal data of your respondents in the Pointerpro tool should be communicated and requires the respondents’ consent.
>>> Help guide on My Contacts.Email Templates
Send emails with variable content to your respondents based on their selected answers or a quiz/survey score.
Let people know at the beginning of your survey that they will receive emails from you via the email address they need to submit. Be clear about what you'll be communicating (the questionnaire results, newsletter subscription, sales etc).
>>> Help guide on Email Templates.- Data collection options
“Collect IP Address” collects additional information that helps identify a respondent’s computer using the Internet Protocol to communicate over a network and “Collect User-Agent” allows you to identify what type of browser and device a respondent is using.
If you’re switching these features on, we advise you to communicate this at the beginning of your questionnaire.
What's next?
- Read the GDPR (General Data Protection Regulations) basics: The most important GDPR principles, Data Controlling, Data Processing, but also what consequences can you face for not being GDPR compliant.
- Discover what updates were made in the Pointerpro tool to make the software and your questionnaires GDPR proof: Data collection features: IP address & user agent are default on “nocollect”, Automatically add an “unsubscribe” link in your email invitations, Anonymising responses and more.
- Learn how to make a GDPR compliant survey on our blog: When you’re using Pointerpro, you’re collecting and processing data. If that data can be used to identify an individual, it’s wise to make a few small updates in your questionnaires.