How to Make a GDPR Compliant Survey

The GDPR data protection law came into effect in the EU on May 25, 2018. While the law itself is quite complicated, complying doesn’t have to be as hard.

When you’re using Survey Anyplace, you’re collecting and processing data. If that data can be used to identify an individual, it’s wise to make a few small updates in your questionnaires. Learn more about whether or not that data falls under the GDPR here.

In this blog post, we’ll explain what you can do to make your surveys and quizzes GDPR-proof and protect the data of your respondents.

Keep in mind that this article is meant as a resource and not as legal advice. We encourage you to seek legal advice on how to comply with the GDPR and determine what effect it has on your organization.


Considerations to Make Before You Create Your Survey

First of all, when you’re creating (or updating) your surveys to comply with GDPR it’s wise to consider what you’ll be using the data for.

Is it an entirely anonymous survey? 

Make sure that even a combination of the information that you collect cannot help you to identify a person.

For example, if you ask the employees of a specific department in your office to take an anonymous survey where you ask them what age range they're in and what gender they are, that's entirely fine.

BUT if in that specific department there happens to be only one woman in the age range between 31 and 40, then the data can be used to identify that person, and the GDPR applies.
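The re-identification risk described above can be checked before publishing results. The following Python is an added example, not code from the original post or from Survey Anyplace: it counts how many respondents share each combination of "harmless" fields in a constructed set of anonymous responses, flags combinations held by a single person (the one woman aged 31-40 in the example), and shows that coarsening the age range removes the problem.

```python
from collections import Counter

# Constructed sample responses from an "anonymous" department survey.
# The quasi-identifiers are what the survey asked for; "answer" is the content.
RESPONSES = [
    {"department": "Finance", "gender": "female", "age_range": "31-40", "answer": "Stressed"},
    {"department": "Finance", "gender": "female", "age_range": "41-50", "answer": "OK"},
    {"department": "Finance", "gender": "female", "age_range": "41-50", "answer": "Good"},
    {"department": "Finance", "gender": "male", "age_range": "31-40", "answer": "Fine"},
    {"department": "Finance", "gender": "male", "age_range": "31-40", "answer": "Busy"},
    {"department": "Sales", "gender": "male", "age_range": "21-30", "answer": "Great"},
    {"department": "Sales", "gender": "male", "age_range": "21-30", "answer": "Meh"},
]

# Fields that are harmless on their own but can identify someone in combination.
QUASI_IDENTIFIERS = ("department", "gender", "age_range")


def group_sizes(responses, quasi_identifiers=QUASI_IDENTIFIERS):
    """Count respondents per combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in responses)


def identifying_combinations(responses, k=2, quasi_identifiers=QUASI_IDENTIFIERS):
    """Return the combinations shared by fewer than k respondents, sorted.

    With k=2 each result is a combination held by exactly one person: anyone
    who knows that person's department, gender and age range can read their
    answer, so the survey is no longer anonymous.
    """
    sizes = group_sizes(responses, quasi_identifiers)
    return sorted(combo for combo, n in sizes.items() if n < k)


def generalize(responses, field, mapping):
    """Coarsen one field (e.g. merge age ranges) so that small groups blend in."""
    return [{**r, field: mapping.get(r[field], r[field])} for r in responses]


if __name__ == "__main__":
    # The single woman aged 31-40 in Finance is identifiable.
    print(identifying_combinations(RESPONSES))
    # Merging the 31-40 and 41-50 ranges makes every group at least 2 strong.
    wider = generalize(RESPONSES, "age_range", {"31-40": "31-50", "41-50": "31-50"})
    print(identifying_combinations(wider))
```

Raise `k` to the minimum group size you are comfortable with; the same check works for any set of fields you suspect could single someone out.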

Is the data you collect for internal use only?

Check whether or not the data you collect will be used internally and in what departments it can be accessed.

For example, if you collect email addresses on an event and those addresses will be added to a CRM where your sales team is able to access them for further follow-up, you’ll have to communicate this up front.

Another example is that GDPR also applies to employees. Even if you create a survey that collects data of the people you already know, consider who will have access to the information. The home address of a colleague cannot be shared with another colleague who wishes to send a birthday card unless that colleague has given consent for that address to be shared.

Will the data only be saved on your Survey Anyplace account?

Or do you plan on transferring it to other apps as well? Any third-party processor you use is directly and legally obligated to also be in compliance. It’s wise to check if they do before transferring any more collected data.

What will you do with the data?

Before launching your survey it's more important than ever to list what you plan on doing with the data. Each of those uses should be mentioned in your privacy policy, which should be attached to your survey.

Moreover, specific actions such as marketing communication or a sales follow-up require specific consent from the respondent, aside from being mentioned in the privacy policy.

Is the first checklist done? Then it’s time to get down to business…

4 Quick Things You Can Include to Comply With the GDPR

1. Add a short introduction on the intro screen of your survey.

Simply inform your respondents about what you’ll be using the survey for (like you did before) and specifically state what will be done with the collected personal data.

For example:

[Screenshot: intro example 1] [Screenshot: intro example 2]

2. Link to a privacy statement with all necessary information. 

The essentials of what you should include in your privacy statement are listed later on in this blog post. There are two ways you can include your privacy statement in your survey.

[Screenshot: privacy policy option 1] [Screenshot: privacy policy option 2]

3. Add active opt-ins near your form fields. 

Make sure that you add your opt-ins the right way. Keep in mind that consent requests need to meet these requirements:

  • Unbundled: Consent requests should be separate from other terms and conditions and they cannot be a precondition of signing up to a service unless necessary for that service.
  • Active opt-in: Pre-ticked opt-in boxes are invalid. Luckily, Survey Anyplace only offers unticked opt-in boxes. Another option is to use a similarly active opt-in method, for example a binary choice where both options are given equal prominence.
  • Granular: Give granular options to consent separately for different types of processing wherever appropriate. For example: a separate opt-in for a subscription to the newsletter and a subscription to updates of partner companies.
  • Named: Name your organization and any third parties who will be relying on consent. Even precisely defined categories of third-party organizations aren’t sufficient under the GDPR.

[Screenshot: opt-in form]

4. Provide additional information on why you need specific information. 

For example, if you're asking for a date of birth, you could add something along these lines:
Your date of birth helps us provide you with special promotions and purchase benefits during your birthday month.

These small changes can make a very big difference! An important additional to-do is updating your privacy policy.

While this article is in no way legal advice, the items mentioned below make a great guideline to cover your basics.

What to Include in a GDPR-Proof Privacy Policy:

Basic information about:

– Who you are;
– What you are going to do with your respondents’ data;
– Who this collected data will be shared with.

Insights in and proof of how personal data will be used in a fair way:

  1. Explain how the data obtained will be used in a way that people reasonably expect.
  2. Show awareness of the impact and ramifications of the processing of that personal data.
  3. Be transparent and ensure that people know how their data is used.

Showing fairness in your privacy policy is the key to establishing trust, which is needed for consent! So be as straightforward as possible about what data you have, why you will be using it and how long you plan on holding on to it.

Answers to the following questions:

  • What kind of data do you collect from customers, in minute detail?
  • Do you have good reason to collect this data? Why do you need it?
  • How was the data obtained, exactly? Did users consent to the collection of their information?
  • How long will you retain it?
  • How secure is the data in your possession?
  • Do you ever share the personal information of users with third parties? Do you have good reason to do so?

Clear overview of user rights:

Under the GDPR, user rights are clearly defined. Make sure respondents know they have the right to:

  • Access, view and edit their own information in a timely manner. In the case of Survey Anyplace, this means that they can request the data that was collected while they took a survey or quiz. You can easily provide this information by downloading the responses of that specific individual as a PDF report.
  • Be erased from your records upon request, unless you have a legal reason to hold their information. In the case of Survey Anyplace, this means you can offer respondents the option to be "anonymized", deleting the data that can help identify them but keeping their other responses intact, or the option to be deleted along with all of their responses.
  • Access clear instructions on how to object to or opt out of marketing messages and/or targeted advertising from your business.

What will happen in the case of a data breach:

If this happens, a couple of actions must take place:

  • The data breach must be detected and reported to the appropriate authorities within 72 hours.
  • If the security of user data is put at risk, then the affected or potentially affected users must be informed within 72 hours as well.

The list of essentials to add to your privacy policy was taken from this excellent source. 

Tips for Complying With the GDPR

There are tons of great examples of adaptations made to comply with the GDPR. Many of those can inspire you to create better, stronger survey experiences as well.

Here are some of our favorites!

1. Clarify why people are receiving certain information. 

Focus on highlighting the added value of being subscribed. Found via Optinmonster.

[Screenshot: GDPR example by Optinmonster]

2. Just-in-time privacy notices

Just-in-time privacy notices give short, understandable snippets of information at the moment you need them. Found via

[Screenshot: just-in-time privacy notice]

3. Use “human” language in your privacy policy.

In this case, it makes it almost fun to read and it’s clear and relatable for all audiences. Read the entire thing at

[Screenshot: GDPR example by Turnkey]

4. Add a “plain English” version. 

There’s a simple explanation next to each “serious” aspect of the privacy policy. Great approach, found via

[Screenshot: GDPR example by CodePen]
