Surveys are used to collect different kinds of data about, for example, customers, employees and other stakeholders. The onset of the General Data Protection Regulation (GDPR) has raised a lot of questions about how personal data privacy should be taken into consideration in surveys.
Keep in mind, there's no need to panic about the GDPR! We compiled a list of frequently asked questions for you, so that you can have a better sense of what factors of the GDPR should be taken into consideration when creating surveys.
Does the GDPR have an effect on every answer given in a survey?
NO. The GDPR primarily takes a stand on how personal data is collected, stored and processed. It is also possible to create a survey, where no personal data is processed.
Some of the most commonly found forms of personal data in a survey are the respondent's name and email address. These are needed, when the survey is sent out to respondents via email. On top of this, it is sometimes necessary to have a contact information question in a survey, especially when the respondents are given the option to take part in a competition or are given the option to sign-up for newsletters or other marketing communication.
Do keep in mind that a combination of survey answers can also be considered as personal data. Data is considered to be personal data when an individual can be identified, directly or indirectly, through that data.
Example: An individual answers two choice questions in a survey: "Question: What company do you work at? Answer: Company ABC" and "Question: How old are you? Answer: 34". If the Company ABC has only one 34-year-old employee, the combination of these two answers can be considered to be personal data.
Can surveys be sent to under 16-year-olds?
YES. Personal data of under 16-year-olds can be processed, if consent is given or authorized by the holder of parental responsibility over the child.
Example: The parent of a 13-year-old gives consent to the child's school for them to use the child's email address for sending the child a survey invitation.
Do I need the recipient's permission to send them a survey via email?
YES. You should have the recipient's permission before processing their personal data, such as their email address. For example, sending mass emails to unknown target groups is not allowed. Keep in mind that personal data (such as personal email addresses) should only be used for the purpose that the registered person has given permission for! Also take into consideration what was mentioned previously about sending surveys to children.
In some cases, specified consent might not be necessary for sending a recipient a survey invitation via email. For example, if you have a contract and DPA with your customers, where you have agreed that you are allowed to use their personal data for customer service purposes, then you are most likely also allowed to send them an email invitation with a survey link, through which they can evaluate your customer service.
Should the GDPR be considered in the introduction of a survey?
YES. As mentioned previously, you need to have the recipient's permission to process their personal data before using their contact information to send them a survey. If new personal data is collected via the survey, this should be clearly communicated with the respondents at the beginning of the survey. In addition to this, the respondents should be told why, how and by whom their personal data will be processed and the survey should have a clear opt-in for the processing to occur. It is also good practice for each survey invitation email to have an opt-out (unsubscribe) possibility, so that respondents can choose to no longer receive these types of survey invitations.
What information should I give to the respondent, when I collect personal data through the survey?
If you want to collect personal data with a survey, you should let the respondent know, for example, why their personal data is collected, how it will be processed and how long it will be stored. Do keep in mind that you must not use personal data for purposes that you have not asked and been given permission for. Personal data can be, for example, the respondent's name, email address, phone number or picture.
Does survey data have to remain within the European Union?
IT DEPENDS. Respondents' personal data should not be transferred outside of the European Economic Area (EEA) unless appropriate safeguards are in place. The European Economic Area includes the European Union member states, Norway, Iceland and Liechtenstein.
Am I allowed to integrate my survey with our CRM system?
YES. The GDPR does not explicitly forbid the transfer of personal data between different registers. To be allowed to do so, this requires the consent of the registered individual (thus the "owner" of the personal data). However, do remember to first check that the third parties that the data is transferred to are GDPR compliant and that you have the necessary safeguards in place, if personal data is transferred outside of the EEA.
According to the GDPR, who can process data collected with a survey?
Personal data should not be used for any other purposes except for the purpose for which permission has been received. Personal data should not be sold or given to third parties without the registered person's permission. Also take a look at the section on storage periods of personal data.
How long can personal data be stored for?
To put it simply, personal data should be stored only as long its processing is necessary. For example, personal data should not be held on to in feedback surveys for any longer than is actually needed, so respondent data (such as the respondent's name and email address) should be anonymized or removed once it's no longer needed. It's a good idea to define the survey's personal data's storage period already before the personal data is collected.
Should a respondent always be given the chance to remove their response data from a survey?
NOT NECESSARILY. All respondents should be given the chance to view and request the deletion of their personal data. This, however, does not necessarily cover all response data, such as anonymous data that does not include any personal data.
Does every survey create a new register?
NOT NECESSARILY. A new register is created when, for example, a survey is used for collecting new personal data. However, it is possible to create a survey where no personal data is processed.
Can I download a survey's report to my own computer?
YES. Do note, however, that this can create a new register that includes personal data. Also this personal data should be anonymized or deleted, once its processing is no longer necessary.
What is the survey tool supplier's role according to the GDPR?
If you use a survey tool to independently create your own surveys, then you are most likely the controller of the personal data. In these cases, your survey tool supplier is a processor of the personal data. Read more about controllers' and processors' responsibilities, as well as about the GDPR in general, from the Regulation (EU) 2016/679 (General Data Protection Regulation).
NOTE: The information in this blog is not meant to be taken as legal advice. Please consult a lawyer to receive legal advice and consultation on the GDPR.