If you are creating forms or surveys for a business which is based in the European Union (EU), or if you collect and process the personal data of EU citizens, the General Data Protection Regulation (GDPR) affects you.
The GDPR (General Data Protection Regulation) law basically says that:
- you must obtain freely given, specific, informed, and unambiguous consent from your respondents when you collect their personal data. In other words, you shall not force people to respond to or fill out your surveys or forms, or somehow trick them to collect their personal data.
- Additionally, must explain how you plan to use their personal data, in a clear and easy to understand way.
- Also, as individuals have the right to be forgotten, you must delete information that you have collected from them if they request.
So, as a SurveyLegend user you’re already covered. But we have made this article for you to help you stay compliant with this law when you collect personal data using surveys or forms made with our solution. We’re not going to investigate GDPR line by line, because it’s 88 pages long. We just want to guide you through the must-know basics for collecting feedback.
Before you start
Here are some things to know before you begin this process.
- You can read detailed information about SurveyLegend’s GDPR Compliance here.
- Just because we SurveyLegend is compliant with GDPR does not automatically make you compliant too. We provide the infrastructure for you, to conduct your research in a GDPR-compliant way.
- How you handle your respondents’ personal data, which may be collected by means of our platform is your own responsibility.
- To collect consent from your own new and existing respondents, you personally must take action.
At SurveyLegend, trust is our number 1 value and protection of our customers’ data is paramount. Therefore, long before GDPR we were trying to create an online survey solution with respect to your and your respondent’s privacy and security. Recently, thanks to the new GDPR legislation and clearer directions from EU, we’ve updated parts of our system to fully comply with the new privacy protection law.
In this article:
- Fundamental GDPR info
- Making your questionnaires GDPR-compliant
- Obtaining consent in your surveys or forms
- Sharing collected data in a GDPR-friendly way
- In case of data breach
- We have nothing to do with EU citizens
Some fundamental GDPR info
Honestly, nobody likes to be watched or followed without knowing who’s watching them and why; it’s creepy.
And yet many companies and organizations silently monitor us and collect data about us. We don’t know why they do it and what they want to do with it. We don’t know how they get hold of our personal information, how long do they keep it, how do they process it, with whom do they share it, and what can they really understand from it. This is where the beloved GDPR laws are originating from, to protect everyone from nasty intentions and also to teach us the magnitude of our responsibilities and to reflect how serious it is to collect and process personal information about people.
So, let’s be positive and welcome this law. It doesn’t have to be hard to be GDPR-compliant. Just a few new things to learn. So let’s start:
What is “Personal Data”
So, let’s see what does “personal data” mean.
The word “data” is pretty technical and has an ambiguous meaning. This PDF that the ICO provide can explain the legal definitions if you want to be very pedantic about it. Otherwise, we recommend that you to be pragmatic and assume that, yes, your business does deal with data and specially Personal Data; as this is usually the case with forms and surveys.
Personal data on the contrary is easy to define:
data which relate to a living individual who can be identified:
- a) from those data, or
- b) from those data and other information which is in the possession of, or is likely to come into the possession of, the Data Controller*.
Of course a list of names and addresses can be considered as personal data. But if you have another list with pieces of information and a way to match that list with a list of names and addresses, that would also be considered as personal data.
There’s also a more specific category of personal data that you need to be more careful about, sensitive personal data, which is essentially any personal data which relates to:
Sensitive personal data are:
- racial or ethnic origin
- political opinions
- religious beliefs
- trade union membership
- health (physical or mental)
- sexual activity
- genetic and biometric data
What is processing of personal data
Processing means any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. In practical terms, this means any process that stores or consults personal data is considered processing.
Principles of processing personal data
Keep in mind that the way GDPR puts it, literally anything you do with the personal data, means that you are processing it. Having that in mind, we go to Article 5 of the GDPR, which defines 6 principles for processing personal data:
- processed lawfully, fairly and transparently;
- processed only for specified purposes, not for other purposes;
- collected as much as needed for what you intend to do and preform the job accurately, not more;
- accurate and up to date if necessary, otherwise they must be erased or corrected;
- kept no longer than necessary;
- kept and processed securely.
Who is “Data Controller ?” and who is “Data Processor ?”
- ? Data Controller is any person who determines how and why (i.e. the business purpose) personal data will be processed;
- ? Data Processor: is any person who processes personal data on behalf of a data controller.
Keep in mind that when the act mentions persons, it’s actually talking about legal persons, which includes most businesses. Therefore a controller will be the business you work for, not you personally.
So, normally, when you do research and conduct surveys, you (your organization or company) are both data controller and data processor simultaneously. But sometimes you may want to outsource the processing of data to third parties. So you must make sure that your data processor is compliant.
Whilst our company (SurveyLegend) is processor for all of our customers, we’re also a controller for our own employees, customers and users data.
Is your ? data processor compliant?
So, let’s assume that you are hiring a data processor to improve your research process, Article 28 states that:
The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
Transferring data ? → ? outside the EU
The GDPR also puts up some restrictions on transferring data outside of the European Union. Only if “appropriate safeguards” such as privacy shield are in place, you can let the data to go out of the EU. Your processor should be able to explain where they store their data, and prove it’s either in the EU or other country but covered by an agreement such as Privacy Shield. See ours here.
The hole point with GDPR is that individuals own their own data. It’s not like before that companies “owned” your/our data and could do whatever they wanted with it and the only choice we had was “deleting our account” if we didn’t want to use their services or didn’t like their policies. Even that wouldn’t give us back the data which we had shared with them up-to that point.
So, because data is owned by the individuals, law gives them the following rights:
- Access their personal data;
- Correct errors in their personal data;
- Erase their personal data;
- Object to processing of their personal data;
- Export personal data.
✅ Making your questionnaires GDPR-compliant
Now let’s see how you can apply all of these principles in your research practice and when conducting surveys.
To make your surveys or forms compliant with GDPR, you must do several things. So, here we must briefly review a few additional notions of “lawful processing”, “legitimate interest” and “consent”.
First of all, you must do a lawful processing of data. What is considered lawful is explained here in Article 6, subparagraph 1 if you want to challenge your skills of comprehending the English language. However, as we understand it they are just trying to say that:
- When collecting personal data your respondents must deliberately and willfully tell you that it is OK that you collect data about them, for the purposes that you clearly explain for them. In other words, they should give you consent.
- When collecting personal data you (your organization or company) should be able to convincingly prove that collecting feedback is in your legitimate interest.
“Legitimate interests” means that it’s in your (and your customers’) interests to collect feedback, data and their personal info. For example to solve their problems, or enhance your services.
Please note that the GDPR is extrememly explicit at not letting organisations use the “legitimate interests” clause as an excuse for marketing activities. You may need to doublecheck this if you are doing Market Research activities. So, make sure your feedback processors and marketing folk have a thick wall in between.
Consent basically means getting permissions for something you want to do, or agreeing with your individual respondents that you are going to collect their data. Consent must be “unambiguous”, and in the case of sensitive data, “explicit”. This means you cannot use dark patterns like pre-ticked checkboxes, or trick people somehow to agree with something that they don’t really understand what it is and what they are agreeing with!
The new law says:
“When the processing has multiple purposes, consent should be given for all of them”
also, your request [for consent] must be clear, brief and not disruptive to the use of the service for which it is provided.
So, just be sure you’re fully transparent about how and why you’re intend to use data in your research, and also make sure that you give people the chance to opt-out or ask you to delete their data if they change their minds.
Obtaining consent in your surveys or forms
If you genuinely feel that your research and use of data is respectful of your respondents, then don’t feel that you need to obtain consent. Just make sure you’re completely transparent about “how” and “why” you’re planing to use data in your survey process. Also give people the chance contact you for further info or to opt-out. Otherwise, you must obtain consent.
It’s important to know that once you’ve gotten consent, you can’t double-back and use another base for processing. So if a respondent does not give you permission and says “no”, you can’t then change your mind and send the survey anyway with the justification of “legitimate interests” for instance.
Keep in mind that you must records of how and when consent was given, because he GDPR says:
So if you decide that you need to obtain consent, here is how you can do this:
For collecting non-sensitive data:
According to the GDPR, for non-sensitive data, you need “unambiguous, affirmative” consent, not “explicit” consent. Therefore, you can rely on a completely unmistakable notice along the lines for example:
A good place to have this information in your questionnaires is the Welcome page. This feature allows you to add a starting screen for your surveys or forms, which can only include data, pictures, and a button to START the survey.
This shows an example of a getting consent for non-sensitive data in a survey, using a Welcome Page.
You provide clear information and put a note for getting consent. The amount of information that you provide here is up to you and your research case.
Optimally you must explain personal data processed, purpose of processing, intended retention, subject rights, source of data, conditions of processing.
The image above shows an example of a getting consent for non-sensitive data in a survey, using a Welcome Page.
You provide clear information and put a note for getting consent. Note that this is just a simple example. The amount of information that you provide here and how you describe it is up to you and your research case.
You can easily link any piece of text to external pages, for example to your “policy page” or a page that explains why and how you are doing this survey. Read more about adding links to your survey content.
It might also be a good idea to include a brief version or repeat this information at the ending section of the survey, using a Thank You Page.
Sometimes we see people try to obtain the consent in the end of the survey. For instance they use a Section Break right at the end and tell people: “If you submit, you agree with our privacy terms and give us your consent.” Like the image below:
This might be a good idea for regular online forms, but when you use SurveyLegend this strategy is not good for two reasons:
- SurveyLegend collects data as soon as respondents start typing or selecting choices. This is to ensure you will get even unfinished surveys. Your respondents might get tired and just leave before submitting the survey.
- People might simply miss this. Because it is at the end of the survey. If the questionnaire is too long, they might not even see this; or due to being tired after answering all your questions they may not pay enough attention. So this is against the regulation which requires you to inform people clearly and transparently.
If you do it this way, you must manually filter and remove collected data from “un-submitted” participations.
Of course none of these has to be included inside the survey itself. It depends on how you handle your survey process.
If you inform people via other ways in advance and have their consent, and if you are sure that they are informed before starting the survey, then don’t include them here. But remember that surveys are sent as links, so anyone can share open them! Are you sure no one outside of your target group will receive the survey?
For analytical purposes, you might want to collect survey respondents’ IP-addresses; for example to identify whether one person has participated in the same survey several times to affect the results. This feature is OFF by default in our tool, unless you manually enable it.
Keep in mind that IP-addresses are considered as personal data, particularly by the GDPR. Therefore collection of IP-addresses without asking for permission from the respondents makes your questionnaire none-compliant with the General Data Protection Regulation!
If you want to enable this feature, we strongly recommend you to explain your policies and obtain consent from your respondents, because otherwise your respondents will not have any way to know that you are collecting their IPs.
For collecting sensitive data:
According to the GDPR, to collect sensitive data, you need “explicit” consent.
As we already mentioned, individuals must understand clearly and unambiguously what they are giving permission to. Therefore,you must simply articulate your request and be specific.
What is important here is that, consent should be given in the form of a clear affirmative action on the part of the data subject. In practical terms, this means asking for a positive “opt-in”. It also means that pre-ticked boxes should not be used, before they start the survey.
Here you see that you are providing a clear “opt-in” possibility. Respondents must give you permission to use their data, since answering is required.
Perhaps you want to collect several pieces of sensitive data about your respondents. Therefore, it might easily become too much and too intimidating to describe why you need to collect each of them at the beginning of the survey.
So, do we have a nicer solution for this? Oh yes!
What you can do is to simply describe the way data will be used right under the question itself. SurveyLegend has a little nifty feature called Instructions For Respondents. Enabling this will add a piece of text with a smaller font size underneath the question text, where you can explain why you need the data.
Also, make sure to turn on the “Always visible instructions” setting, so that your respondents won’t miss your explanation. Here is an example of how it could look like:
What is your full name?
We need this to be able to verify your membership at our institute.
What is your email address?
We need your email to be able to send you information about your results of this survey.
What is your ethnic origin?
This information helps our organization to have better marketing campaigns and external communications, reaching the right audience.
This way, you are not only more transparent and more clear about your use of their data (which is in accordance with GDPR regulation), but also, it is easier for a human brain to process the information. It will be less scary and less intimidating to answer your questions.
What if they say NO?
It’s great to obtain the consent. But what if some people say NO?
If your respondent’s answer NO, yet they keep filling out the questionnaire; OR IF they say NO but have already answered some questions containing sensitive personal data, before answering this question (in case you didn’t put it right in the beginning) you must manually remove their data which is collected. Deleting data is your own responsibility and is done either using our deleting individual respondents feature, or you do it in your exported data and then delete the entire survey from your account.
If you keep data on different locations for example by using our APIs to pull the data into your servers, or by exporting the data locally or to your Google Drive, you must remember that you may have several copies of the same data. Therefore, deleting responses from people who do not give you their consent only only from one of those places that you keep the data is not enough. Make sure to delete every instance of the data.
Also, when your data retention period is over, you are expected to delete the collected data.
However, a better solution is to stop collecting their personal data as they fill out the questionnaire. Because rest of the answers which do not include any personal data may still be interesting for you as a researcher. So why not keeping that part and just throwing away the personal data part?
To do so, you can easily use logic flows. Basically, what you need to do is to make one logic flow like this:
IF their answer is (No), THEN hide those questions that collect personal data.
This way, those questions will be displayed by default (for clarity place them right after this conditional question). But if the respondents select “No”, the questions will be hidden. And even if they have answered them before choosing “No”, that data will automatically be deleted from our servers. Therefore, you will never collect such data in your analytics. But you can still take advantage of the rest of collected data.
Also, you can place this question anywhere in your survey and it doesn’t have to be the first thing that respondents see.
In case of data breach
What happens if you figure out that there has been some data breach and your collected personal data has been exposed to third parties?
Reporting to your respondents
If you identify that there is a “high risk to their rights and freedoms”, then you must notify your respondents too.
For most types of feedback forms, it’s quite difficult to consider the data-breach as high-risk. Unless you’re processing sensitive data, for example if your business is in the health sector.
Will I have to pay a 20 million Euros fine if something happens?
Almost certainly not! This €20,000,000 has been a hot headline but this is for the absolute worst cases. There is also a lower fine of 10 million Euros which is also for standard offences.
According to ICO’s news blog, fines are the last resort. The law is there to help (or sort of force) businesses to do the right thing and correct their structure. It’s to protect people. It is not about giving fines to small businesses here and there.
Fines are for the bad guys with bad intentions! You’re not one of them. You’re a legend, already finishing this article, because you want to do the right thing.
But our organization has nothing to do with EU citizens
Many people wonder about this. Our company is not located in the EU. We’re not dealing with citizens of Europian Union? Should we still care about GDPR?
Well, the short answer is: “usually not, but it depends”. However, the right answer is, “Of course you should!”.
Unlike the old law of Data Protection Directive, the GDPR can apply to any globally operating company. It is not made just for those located in the EU.
Under the GDPR, organizations may be in scope if:
- the organization is established in the EU, or
- the organization is not established in the EU but the data processing activities are with regard to EU individuals and relate to the offering of goods and services to them or the monitoring of their behavior.
Even if your company is not established here, we recommend you to take the law very seriosuly and reform how you handle personal data in your organization.
The GDPR is about having a healthy digital culture in the company. It is about respecting privacy of individuals. It is not about EU citizens.
It’s true that the initiative has taken place in EU to protect their own citizens. But first of all, how do you know when your own company will enforce similar laws? Isn’t it better to be ready for it already? Secondly, why not practicing a better version of treatment for personal information of people who trust you and give it to you? There is noting wrong with that 🙂
And you never know, maybe someone from EU answers your surveys and then…. things go ?
If for some reason you must treat citizens of other regions differently in your surveys when it comes to personal data collection, then use our survey logics, ask if they are from EU, and if the answer is NO, do show or hide those questions that you must.
This article is written in a simple way, and can be used for most companies and researchers. We have tried to clarify what we have understood from GDPR, when it comes to collecting data using Surveys, Forms, or online questionnaires.
However, every research case is different and every company or organization may collect data (or personal data) for different purposes and in different ways.
Therefore, the precautions and practical tips that we suggest here may not be enough for some special cases.
Therefore, we strongly recommend you to consult a professional, if your organization have access to a lawyer and you are in doubt about the way you collect process your respondents’ personal data.
Please don’t hesitate to let us know if you find flaws in our article, together we can make it even more GDPR-proof. So leave us some comments, don’t be shy.