What impact does the GDPR have on your surveys? Here's how you can comply

On May 25, 2018, a new European Union (EU) data protection law, the General Data Protection Regulation (GDPR), takes effect. The GDPR gives individuals in the EU more control over how their data is used and places certain obligations on businesses that process personal information of those individuals.


Here’s what you can do and what Survey Anyplace is doing to help you create GDPR-compliant questionnaires and protect the personal data of your respondents.


Keep in mind that this article is meant to be seen as a resource and not as legal advice. We encourage you to consult legal counsel on how the GDPR affects your organization.


------------------------------------------------------------------------------------------------------------------------------------

Need a quick first insight into whether or not your questionnaires are ready for the GDPR? Take this 1-minute quiz.

------------------------------------------------------------------------------------------------------------------------------------


Is it necessary to update your surveys and quizzes? 


The GDPR can be overwhelming, but complying often takes just a few small steps. 


Firstly, determine whether or not you’re collecting personal data. If, for example, you use Survey Anyplace for anonymous surveys only, your questionnaires don’t require any updates. 


Unfortunately, there’s no definitive list of what’s considered personal data, so it comes down to interpreting the GDPR’s definition:

“Personal data means any information relating to an identified or identifiable natural person (the data subject).
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”


In certain circumstances, someone’s IP address, hair color, location or job could be considered personal data, just as much as that person’s full name or email address. The context in which data is collected is important: a seemingly irrelevant piece of data that you collected can become very relevant in combination with other data about that person.


That also means that general contact information, such as “info@” email addresses, can be ignored when considering GDPR as they are not linked to a specific person. 

>>> Read more on what is considered “personal data” here


Secondly, the GDPR only applies to data collected from EU citizens.
That also means that it applies to all companies based in the EU AND non-EU companies that collect data of EU citizens, regardless of a physical presence in the EU. 

>>> Read more on who is considered an “EU citizen” here


If the two considerations above both apply to your questionnaires, it is possible that you need to make a couple of changes. Usually, it’s not necessary to update your entire survey.


These are the basic updates you should consider: 


  • Communicate transparently and in clear, understandable language what you will be using the collected data for. 
    You should notify your respondents at the moment the personal data is collected. (Not afterwards!)
    This should include every type of use, from analysis to sharing it with 3rd parties or reusing it in marketing communication for example.

    A short notification in your survey (preferably on the first screen, or at least before you ask for personal information) is a great start. But add a clear link to a Privacy Policy page as well.
    >>> Get started on a basic, GDPR-proof privacy policy with this blog post. 
     
  • Create clear opt-ins for any additional uses of personal data.  

    Aside from providing a clear privacy policy, these opt-ins are necessary according to the GDPR as they require respondents to take more direct and conscious action about sharing their personal data.

    The request for consent should be distinguishable from other matters such as accessing the results of a questionnaire, using a service, … The consent must be given freely and be easy to withdraw again.

    Additional data uses can be anything, ranging from marketing communication, sales follow up, subscribing to a newsletter, …


  • Remove any unnecessary questions that collect personal data “just in case” and whose use you cannot justify.


Find out more detailed steps & tips in our blog: How to make a GDPR compliant survey. 


Features in Survey Anyplace that require “prior informed consent” 


The GDPR includes specific requirements for making a valid request for consent.

“If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.” 


This means it’s not sufficient to have a clear and complete privacy policy that you link to within your questionnaires. Activating specific features within Survey Anyplace requires you to inform your respondents separately, in a way that is prominent, clearly visible to the data subject and user-friendly.

The consent request should be visible prior to that feature being activated.
>>> More tips for consent under the GDPR here


Specific features to keep in mind:

  • Geolocation
    Automatically collect location data from your respondents. Permission from the respondent via popup in the browser is needed for this feature. Luckily, this is already included in all types of browsers, so you do not need to worry about this.

    The use of this feature in itself is not considered as collecting “personal data”, but in combination with other information it can help identify a person. In that case the GDPR applies.
    >>> Help guide on Geolocation.

  • My Contacts 
    Upload a list of respondents in Survey Anyplace; these are your “Contacts”. You can send them invitations to take part in upcoming questionnaires.

    The fact that you’re uploading personal data of your respondents in the Survey Anyplace tool should be communicated and requires the respondents’ consent.  
    >>> Help guide on My Contacts.

    Based on the action “uploading personal data into the Survey Anyplace tool”, the following features also fall under this remark: 

  • Email Templates  
    Send emails with variable content to your respondents based on their selected answers or a quiz/survey score.

    Let people know at the beginning of your survey that they will receive emails from you via the email address they need to submit. Be clear about what you'll be communicating (the questionnaire results, newsletter subscription, sales, ...).
    >>> Help guide on Email Templates.

  • Data collection options 
    “Collect IP Address” collects additional information that helps identify a respondent’s computer using the Internet Protocol to communicate over a network and “Collect User Agent” allows you to identify what type of browser and device a respondent is using.

    If you’re switching these features on, we advise you to communicate this at the beginning of your questionnaire.


Extra information: 

Find out what updates were made in the Survey Anyplace tool to make the software and your questionnaires GDPR proof. 

Read up on the basics of GDPR and learn why it is important to comply. 

Learn how to make a GDPR compliant survey on our blog.