How to make a GDPR compliant survey

The GDPR data protection law came into effect in the EU on May 25, 2018. While the law itself is quite complicated, complying doesn’t have to be as hard.

When you’re using Pointerpro, you’re collecting and processing data. If that data can be used to identify an individual, it’s wise to make a few small updates in your questionnaires. Learn more about whether or not that data falls under the GDPR here.

In this blog post, we’ll explain what you can do to make your surveys and quizzes GDPR-proof and protect your respondents’ data.

Remember that this article is meant to be seen as a resource and not as legal advice.
We encourage you to seek legal advice on how to comply with the GDPR and to determine what effect it has on your organization.

Considerations to make before you create your survey

First, when creating (or updating) your surveys to comply with GDPR, it’s wise to consider what you’ll be using the data for.

Is it an entirely anonymous survey?  

Ensure that no combination of the answers you collect can single out a person. Attributes that are harmless on their own (department, gender, age range, job title) become identifying once they are combined, so check the combinations against the size of the group you are surveying, not each question in isolation.

For example, if you’re asking the employees of a specific department in your office to take an anonymous survey where you ask them what age range they’re in and what gender they are, that’s entirely fine in a large, mixed department.

BUT if in that specific department there’s only one woman in the age range between 31 and 40, then her answers can be traced back to her, the survey is not anonymous for her, and the GDPR applies.
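A quick way to check this before you share or publish results, as an added example that is not part of the original post or of the Pointerpro tool: count how many respondents share each combination of identifying attributes (the quasi-identifiers) and flag any combination held by fewer than k people. It goes slightly beyond the one-woman case above by also suppressing the most specific attribute until every group is large enough. The sample responses, the field names and the suppression fallback are assumptions made for this example.

```python
from collections import Counter

# Constructed sample responses for one department's "anonymous" survey
# (not real data). "department" is known from the invitation link; only
# "age_range" and "gender" are asked. Together they are quasi-identifiers:
# harmless alone, identifying in combination.
SAMPLE_RESPONSES = [
    {"department": "Finance", "age_range": "31-40", "gender": "female", "score": 4},
    {"department": "Finance", "age_range": "31-40", "gender": "male", "score": 2},
    {"department": "Finance", "age_range": "31-40", "gender": "male", "score": 5},
    {"department": "Finance", "age_range": "31-40", "gender": "male", "score": 3},
    {"department": "Finance", "age_range": "41-50", "gender": "male", "score": 3},
    {"department": "Finance", "age_range": "41-50", "gender": "male", "score": 4},
    {"department": "Finance", "age_range": "21-30", "gender": "female", "score": 1},
    {"department": "Finance", "age_range": "21-30", "gender": "female", "score": 3},
]

# Field names are assumptions made for this example, most specific last.
QUASI_IDENTIFIERS = ("department", "age_range", "gender")


def group_sizes(responses, quasi_identifiers):
    """Count respondents per combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in responses)


def small_groups(responses, quasi_identifiers, k=2):
    """Return the combinations shared by fewer than k respondents.

    Each such combination singles out (or nearly singles out) a person, so
    the survey is not anonymous for them and the GDPR applies to their answers.
    """
    sizes = group_sizes(responses, quasi_identifiers)
    return {combo: n for combo, n in sizes.items() if n < k}


def reduce_to_k_anonymous(responses, quasi_identifiers, k=2):
    """Drop quasi-identifiers until every remaining combination has >= k members.

    The fallback used here (suppress the most specific attribute, listed last,
    and re-check) is an assumption of this example; in practice you may prefer
    to coarsen a field, e.g. wider age bands, instead of dropping it entirely.
    Returns the surviving quasi-identifiers and the responses with the dropped
    fields removed; non-identifying answers ("score") are kept intact.
    """
    kept = list(quasi_identifiers)
    while kept and small_groups(responses, kept, k):
        kept.pop()
    stripped = [
        {field: value for field, value in r.items()
         if field in kept or field not in quasi_identifiers}
        for r in responses
    ]
    return kept, stripped


if __name__ == "__main__":
    print("groups below k=2:", small_groups(SAMPLE_RESPONSES, QUASI_IDENTIFIERS, k=2))
    kept, stripped = reduce_to_k_anonymous(SAMPLE_RESPONSES, QUASI_IDENTIFIERS, k=2)
    print("safe to report on:", kept)
    print("first response after suppression:", stripped[0])
```

Run it on an export of your own responses before circulating results: with k=2 the only flagged group is the single woman aged 31 to 40, and dropping gender is enough to make every group of at least two people; with k=3 the age range has to go as well, leaving only the department. Pick k based on how sensitive the questions are, and remember that the check has to include attributes the recipient already knows (here, the department) even if the survey never asked for them.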

Is the data you collect for internal use only?

Check whether or not the data you collect will be used internally and in what departments it can be accessed.

For example, if you collect email addresses on an event and those addresses will be added to a CRM where your sales team can access them for further follow-up, you’ll have to communicate this upfront.

Another example: the GDPR also applies to data about your own employees. Even if you create a survey that collects data from people you already know, consider who will have access to the information. A colleague’s home address cannot be shared with another colleague who wishes to send a birthday card unless the first colleague has agreed to that address being shared.

Will the data only be saved on your Pointerpro account?

Or do you plan on transferring it to other apps as well? Every third-party processor you hand data to has its own legal obligations under the GDPR, and as the controller you may only use processors that give sufficient guarantees, backed by a written data processing agreement. Check that such an agreement is in place, where the processor stores the data and whether it transfers data outside the EU, before you move any collected data.

What will you do with the data?

Before launching your survey it’s more important than ever to list what you plan on doing with the data. Every purpose should be mentioned in your privacy policy, and that policy should be attached to your survey.

Moreover, specific actions such as marketing communication or a sales follow up require specific consent from the respondent, aside from being mentioned in the privacy policy.

Is the first checklist done? Then it’s time to get down to business…

4 Quick Things You Can Include to Comply With the GDPR

1. Add a short introduction on the intro screen of your survey. 

Simply inform your respondents about what you’ll be using the survey for (like you did before) and specifically state what will be done with the collected personal data.

For example:


 
2. Link to a privacy statement with all necessary information.

The essentials of what you should include in your privacy statement are listed later on in this blog post. There are two ways you can include your privacy statement in your survey.


Or:


3. Add active opt-ins near your form fields

Make sure that you add your opt-ins the right way. Keep in mind that consent requests need to meet these requirements:

  • Unbundled: Consent requests should be separate from other terms and conditions, and they cannot be a precondition of signing up to a service unless necessary for that service.
  • Active opt-in: Pre-ticked opt-in boxes are invalid. Pointerpro only offers unticked opt-in boxes. Another option is to use a similarly active opt-in method, for example a binary choice where both options are given equal prominence.
  • Granular: Give granular options to consent separately for different types of processing wherever appropriate. For example: a separate opt-in for a subscription to the newsletter and a subscription to updates of partner companies.
  • Named: Name your organization and any third parties who will be relying on consent. Even precisely defined categories of third-party organizations aren’t sufficient under the GDPR.

4. Provide additional information on why you need specific information

For example, if you’re asking for a date of birth, you could add something along these lines: “Your date of birth helps us provide you with special promotions and purchase benefits during your birthday month.”

These small changes can make a very big difference! An essential additional to-do is updating your privacy policy.

While this article is in no way legal advice, the items mentioned below make a great guideline to cover your basics. 

What to Include in a GDPR-Proof Privacy Policy:

Basic information about:
  • Who you are;
  • What you are going to do with your respondents’ data;
  • Who this collected data will be shared with.

Insight into, and evidence of, how personal data will be used fairly:

Explain how the data obtained will be used in a way that people reasonably expect.

  1. Show awareness of the impact and ramifications of processing that personal data.
  2. Be transparent and ensure that people know how their data is used.

Showing fairness in your privacy policy is the key to establishing trust, and informed consent depends on it. So be as straightforward as possible about what data you hold, why you will be using it and how long you plan on holding on to it.

Answers to the following questions:

  • What kind of data do you collect from customers, in minute detail?
  • Do you have good reason to collect this data? Why do you need it?
  • How was the data obtained, exactly? Did users consent to the collection of their information?
  • How long will you retain it?
  • How secure is the data in your possession?
  • Do you ever share the personal information of users with third parties? Do you have good reason to do so?

Clear overview of user rights:

Under the GDPR, user rights are clearly defined. Make sure respondents know they have the right to:

  • Access, view and correct their own information; you must act on such a request without undue delay and at the latest within one month. In the case of Pointerpro, this means that they can request the data that was collected while they took a survey or quiz. You can easily provide this information by downloading the responses of that specific individual in a PDF report.
  • Be erased from your records upon request, unless you have a legal reason to hold their information. In the case of Pointerpro, this means you can offer respondents to be “anonymized”, deleting the data that can help identify them but keeping the other responses intact, or you can offer respondents to be deleted along with all of their responses.
  • Receive clear instructions on how to object to or opt out of marketing messages and/or targeted advertising from your business.

What will happen in the case of a data breach:

If this happens, a couple of actions must take place:

  • Once you become aware of a personal data breach, you must report it to the supervisory authority within 72 hours, unless the breach is unlikely to result in a risk to the people concerned; if you miss the 72 hours, you must explain the delay.
  • If the breach is likely to result in a high risk to the affected people, you must also inform them without undue delay. The 72-hour deadline applies to the authority, not to the people affected, but that is no reason to wait.

The clock starts when you become aware of the breach, and a processor that suffers a breach must tell you without undue delay, so you need a way to detect breaches on your side and an agreed channel for your processors to report them to you.

The list of essentials to add to your privacy policy was taken from this excellent source. 

Tips for complying with the GDPR

There are tons of great examples of adaptations made to comply with the GDPR. Many of those can inspire you to create better, stronger survey experiences as well.

Here are some of our favorites!

1. Clarify why people are receiving certain information

Focus on highlighting the added value of being subscribed. Found via Optinmonster.

2. Just-in-time privacy notices

Just-in-time privacy notices that give short, understandable snippets of information at the moment you need it. Found via econsultancy.com.

3. Use “human” language in your privacy policy

In this case, it makes it almost fun to read and it’s clear and relatable for all audiences. Read the entire thing at TurnkeyLinux.org.

4. Add a “plain English” version 

There’s a simple explanation next to each “serious” aspect of the privacy policy. Great approach, found via Codepen.io.

What’s next?

  • Read the GDPR (General Data Protection Regulation) basics: the most important GDPR principles, data controllers and data processors, and the consequences you can face for not being GDPR compliant.
  • Discover what updates were made in the Pointerpro tool to make the software and your questionnaires GDPR-proof: data collection features (IP address and user agent are set to “nocollect” by default), an automatically added “unsubscribe” link in your email invitations, anonymising responses and more.



About the author:
Stefan Debois

As the CEO of Pointerpro, Stefan focuses on how to get the best results from the tool - preferably backed with real-life data.

3 Responses

  1. The European Union’s General Data Protection Regulation (GDPR) came into effect in May 2018. The motive behind introducing such a regulation was to provide data subjects with more control over their personal data.
    data protection policy template
