Today it only takes four letters to spread fear and panic among most companies: GDPR. The General Data Protection Regulation went into effect on May 25th, 2018. GDPR changes how you must handle personal data. Organizations that disregard the new regulation can expect heavy sanctions. However, many companies are overwhelmed with trying to understand the effects of GDPR. In this article, Netigate explains how GDPR impacts the way you use and store data from employee and customer surveys. We also help you to understand what you need to pay close attention to to ensure GDPR-compliant survey data.
Time is money. We have marked the most essential information for you in bold. This will give you a quick overview of GDPR in as little as 60 seconds.Handle with care. GDPR sets new rules on how to handle personal data.
Who is responsible for adhering to GDPR?
Any company that collects, handles, and/ or processes personal data.
Does it affect all companies that conduct employee or customer surveys?
No, not in all cases. If you conduct a survey anonymously – without referring to personal data – GDPR does not apply.
However, the term anonymous is quite vague. How can you be sure a survey is truly anonymous? In fact, even if your company does not collect personal details from participants (such as their name, email address, etc.) it does not mean that the survey is truly anonymous. If you can trace data to the survey respondent in any way, then the survey is personalised.
What does this imply for your company?
To run an anonymous survey means one is obliged to prevent participants from being identified. This may still happen even if names and surnames are not specified. Technically, for a respondent to be identified, a survey could only collect information such as e-mail address, phone number or bank details. This means that you can trace an individual by combining bits of information. For instance, surveys that ask employees to specify age, gender, and duration of employment may be enough to recognise an employee.
What if you need to collect information like email addresses, phone numbers or age?
In theory, you can ask all the questions you want (within reason). For example, employee surveys must follow labour laws. However, when companies ask for personal data, they must follow GDPR guidelines.
What are the specific guidelines?
Data needs to be processed and handled legally, ethically, and transparently. This includes earmarking, data minimisation, and accountability. Companies are obligated to report and inform and there are guidelines for the data protection officer. Review the GDPR for more details.
I don’t have time to read all 11 GDPR sections or 99 articles. What should I really know?
Of course, you don’t need to read the entire GDPR document. However, you should know how GDPR will impact your daily operations and your organisation as a whole. Unfortunately, you cannot generalise the details. Ultimately, this will vary for each individual organisation.
However, some parts of the GDPR impact most companies. For example, article 7 states that survey participants must provide consent to allow an organisation to collect and handle their personal data. So, what needs to be taken into account?
Participants’ consent is only effective if several conditions are met: Companies must clearly inform participants about how their data will be used as well as the purpose of the survey. Then, participants can choose whether or not to consent to the survey. In regards to online surveys, the consent checkbox must not be selected by default. Participants also reserve the right to revoke their consent at any time.
Does timing matter when asking for consent?
Yes. Survey respondents must give consent prior to collecting any personal data. Referring to the online survey example, GDPR information must be published on a separate website prior to the start of a questionnaire. This site must contain all the GDPR information as mentioned earlier.
Article 5 refers to data minimisation. What does this mean?
GDPR dictates that companies should collect as little data as possible. Surveys must only ask for information that is absolutely required. For example, if asking for an individual’s age is relevant, then providing a question with age ranges would suffice rather than having an individual provide his or her exact date of birth. This information would be redundant.
Article 5 also refers to accountability. This means that companies must prove their GDPR compliance. What is the best way to do this?
Companies must be able to prove at any time that their methods of collecting personal data are compliant with GDPR. This can be achieved by implementing a processing register, data protection management system or by performing a periodic comprehensive examination of data processing activities.
What exactly is a processing register?
The processing register is a comprehensive documentation method that enables companies to prove they meet GDPR requirements to operating protection offices and the supervising authority.
What does the register need to specify?
The content is specified by law. It particularly applies to the scope of data, the affected group of participants, data storage, categories of data recipients and data security measures.
Do all companies that conduct surveys need a data protection officer?
No. DPOs must be “appointed for all public authorities, and where the core activities of the controller or the processor involve ‘regular and systematic monitoring of data subjects on a large scale’ or where the entity conducts large-scale processing of ‘special categories of personal data,’” like that which details race or ethnicity or religious beliefs.
Who should you appoint as data protection officer?
Data protection officers should have the necessary technical knowledge and experience in data protection. Furthermore, you must avoid conflicts of interest at all costs. In some countries, company CEOs may not be eligible to become data protection officers.
Is the data protection officer accountable for GDPR violations?
No. In most GDPR violations, the company is accountable—not the data protection officer personally. However, there are some cases when a data protection officer may be held liable. For example, if the data protection officer acts intentionally or grossly negligent in holding up their responsibilities or in handling personal data.
What should you do if a data breach occurs—despite all the required measures and efforts?
Companies must report a data breach to the appointed supervising authority within 72 hours of its occurrence. The individual who discovered the breach must describe the incident as well as identify potential risks and the group(s) affected in his or her report. The individual should also explain the measures that have been taken to exclude or minimise further damage.
What happens if a company knowingly or unknowingly makes an error while executing GDPR?
The affected persons are legally within their right to ask for compensation for any damages that have occurred as a result of company errors. Supervising authorities may also impose fines up to 20 million Euro or alternatively 4% of the annual turnover (depending on the severity of the error).
If a data protection violation is intentional, the incident may be treated as a criminal offense, which could involve fines as well as imprisonment. However, this is not regulated by GDPR, but rather national data protection legislation.
Let’s assume one does not want to deal themselves with GDPR – for any reason whatsoever. Could a company appoint an external survey provider that handles GDPR requirements?
Unfortunately, this is not as simple as we would like. Companies are permitted to appoint an external survey service provider to conduct surveys as well as collect and process data. However, this is only permitted with verified service providers and a processing agreement is in place. If this is the case, then a company or a survey service provider may conduct or process surveys. BUT—the buying company is still technically the survey host and thereby will be held responsible for all data processing activities conducted by the service provider.
How do I recognise a reliable service provider to help ensure GDPR-compliant survey data?
Do your research prior to choosing a service provider. Be sure to assess a provider’s availability, reliability, quality of customer support and licensure. Reputable service providers will carry the ISO certificate 9001/27001. ISO 9001 determines how a quality management system has to be constructed, and ISO 27001 defines the information safety management systems.
As of May 25th, 2018, companies must follow GDPR. Does this apply to ANY survey(s) being conducted on this particular day?
Yes. If your company wants to process legacy data – and this includes data storage – they must meet GDPR. Therefore, it’s important to evaluate all data to determine if it is truly required for the survey, or if it can be removed.
Netigate is GDPR compliant. Our leading survey platform meets all GDPR requirements.
If you want to know more please visit https://www.netigate.net/en/impressum/#legal. Of course, you can contact us at any time questions arise. This is how you can reach us:
Phone: +46 (0)8 612 04 10
If you would like to read more on GDPR, we recommend the following sites: