The GDPR data protection law came into effect in the EU on May 25, 2018. While the law itself is quite complicated, complying doesn’t have to be as hard.
When you’re using Pointerpro, you’re collecting and processing data. If that data can be used to identify an individual, it’s wise to make a few small updates in your questionnaires. Learn more about whether or not that data falls under the GDPR here.
In this blog post, we’ll explain what you can do to make your surveys and quizzes GDPR-proof and protect your respondents’ data.
Remember that this article is meant to be seen as a resource and not as legal advice.
We encourage you to search for legal advice on how to comply with GDPR and determine what effect it has on your organization.
Considerations to make before you create your survey
First, when creating (or updating) your surveys to comply with GDPR, it’s wise to consider what you’ll be using the data for.
Is it an entirely anonymous survey?
Ensure that even a combination of the information you collect cannot help you identify a person.
For example, if you’re asking the employees of a specific department in your office to take an anonymous survey where you ask them what age range they’re in and what gender they are… That’s entirely fine!
BUT if in that specific department there’s only one woman in the age range between 31 and 40, then the data can be used to identify that person, and the GDPR applies.
Is the data you collect for internal use only?
Check whether or not the data you collect will be used internally and in what departments it can be accessed.
For example, if you collect email addresses on an event and those addresses will be added to a CRM where your sales team can access them for further follow-up, you’ll have to communicate this upfront.
Another example is that GDPR also applies to employees. Even if you create a survey that collects data from the people you already know, consider who will have access to the information. A colleague’s home address cannot be shared with another colleague who wishes to send a birthday card unless that colleague has given consent for that address to be shared.
Will the data only be saved on your Pointerpro account?
Or do you plan on transferring it to other apps as well? Any third-party processor you use is directly and legally obligated to also be in compliance. It’s wise to check if they do before transferring any more collected data.
What will you do with the data?
Is the first checklist done? Then it’s time to get down to business…
4 Quick Things You Can Include to Comply With the GDPR
1. Add a short introduction on the intro screen of your survey.
Simply inform your respondents about what you’ll be using the survey for (like you did before) and specifically state what will be done with the collected personal data.
2. Link to a privacy statement with all necessary information.
The essentials of what you should include in your privacy statement are listed later on in this blog post. There are two ways you can include your privacy statement in your survey.
3. Add active opt-ins near your form fields
Make sure that you add your opt-ins the right way. Keep in mind that consent requests need to meet these requirements:
- Unbundled: Consent requests should be separate from other terms and conditions and they cannot be a precondition of signing up to a service unless necessary for that service.
- Active opt-in: Pre-ticked opt-in boxes are invalid. Luckily the tool only offers unticked opt-in boxes. Another option is to use similarly active opt-in methods. For example: A binary choice where both options are given equal prominence.
- Granular: Give granular options to consent separately for different types of processing wherever appropriate. For example: A separate opt-in for a subscription to the newsletter and a subscription to updates of partner companies.
- Named: Name your organization and any third parties who will be relying on consent. Even precisely defined categories of third-party organizations aren’t sufficient under the GDPR.
4. Provide additional information on why you need specific information
For example, if you’re asking for a date of birth. You could add something along these lines: Your date of birth helps us provide you with special promotions and purchase benefits during your birthday month.
While this article is in no way legal advice, the items mentioned below make a great guideline to cover your basics.
Basic information about:
- Who you are;
- What you are going to do with your respondents’ data;
- Who this collected data will be shared with.
Insights in and proof of how personal data will be used in a fair way:
Explain how the data obtained will be used in a way that people reasonably expect.
- Show awareness of the impact and ramifications of the processing of that personal data.
- Be transparent and ensure that people know how their data is used.
Answers to the following questions:
What kind of data do you collect from customers, in minute detail?
- Do you have good reason to collect this data? Why do you need it?
- How was the data obtained, exactly? Did users consent to the collection of their information?
- How long will you retain it?
- How secure is the data in your possession?
- Do you ever share the personal information of users with third parties? Do you have good reason to do so?
Clear overview of user rights:
Under the GDPR, user rights are clearly defined. Make sure respondents know they have the right to:
- Access, view and edit their own information in a timely manner. In the case of Pointerpro, this means that they can request the data that was collected while they took a survey or quiz. You can easily provide this information by downloading the responses of that specific individual in a PDF report.
- Be erased from your records upon request, unless you have a legal reason to hold their information. In the case of Pointerpro, this means you can offer respondents to be “anonymized”, deleting the data that can help identify them but keeping the other responses intact. OR you can offer respondents to be deleted along with all of their responses.
- Access to clear instructions on how to object to or opt-out of marketing messages and/or targeted advertising from your business.
What will happen in the case of a data breach:
If this happens, a couple of actions must take place:
- The data breach must be detected and reported to the appropriate authorities within 72 hours.
- If the security of user data is put at risk, then the affected or potentially affected users must be informed within 72 hours as well.
Tips for complying with the GDPR
There are tons of great examples of adaptations made to comply with the GDPR. Many of those can inspire to create better, stronger survey experiences as well.
Here are some of our favorites!
1. Clarify why people are receiving certain information
Focus on highlighting the added value of being subscribed. Found via Optinmonster.
2. Just-in-time privacy notices
Just-in-time privacy notices that give short, understandable snippets of information at the moment you need it. Found via econsultancy.com.
In this case, it makes it almost fun to read and it’s clear and relatable for all audiences. Read the entire thing at TurnkeyLinux.org.
4. Add a “plain English” version
- Read the GDPR (General Data Protection Regulations) basics: The most important GDPR principles, Data Controlling, Data Processing, but also what consequences can you face for not being GDPR compliant.
- Discover what updates were made in the Pointerpro tool to make the software and your questionnaires GDPR proof: Data collection features: IP address & user agent are default on “nocollect”, Automatically add an “unsubscribe” link in your email invitations, Anonymising responses and more.