Survey Design & Outreach Tips

How to Make a GDPR Compliant Survey: Best Practices and Examples

September 7, 2022
Reading Time:
{{ reading-time }}

Although the EU’s new privacy regulations have been enforced for a while, designing a GDPR-compliant survey still brings us headaches. What’s exactly personal and personally identifiable data? What type of questions can you ask? Can you show the survey results to other participants?

These are all valid questions, so let’s have a look at what you as a survey owner can do to meet GDPR standards. We’ll also cover what survey tools like Maptionnaire do to make your quest for making a GDPR-compliant survey easier.

But first things first.

What is a GDPR Compliant Survey?

That’s easy: a survey that complies with GDPR (the General Data Protection Regulation) ensures that an individual owns their personal information and always has access and the right to modify or delete the personal information collected about them. This also goes hand in hand with being transparent about what data is being collected, why, with which tools, and how it will be handled later. 

So what’s that personal data or personally identifiable information? Much more than just an email or home address. According to Article 4, “personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” 

In other words, personal data is any piece of information that, together with other data, can lead to identifying an individual behind these responses. 

Examples, please! 

If in a community engagement survey you ask respondents to submit their ideas about how to redevelop an old park, these responses are not personal data — these are simply opinions

If you ask to map their commute from home to work, that counts as personally identifiable information. Because, in theory, with this commute information at hand, anyone can access address directory and then check employment information. Which makes it fairly easy to identify the person behind the answer. 

So what are the implications for you as a survey owner? 

Here are the main points: 

  1. Collect only necessary personal data and be transparent about the purpose and the way you use the data;
  2. Mention all your sub-processors who will have access to this data: for example, if you share this raw data with your colleagues via Dropbox, Dropbox will be a subprocessor;
  3. Make sure respondents can modify or delete any personal data you’ve gathered in your surveys;
  4. Don’t misuse the collected data;
  5. Don’t reveal any personally identifiable information, and remember that not all survey responses are personal data.

And an important note: whenever you’re dealing with the response data of the EU residents, you need to comply with GDPR. Also, GDPR is the strictest privacy regulation to date. So if you comply with it, you’d most likely be in line with other privacy laws and recommendations.

The Best Practices for Making GDPR Compliant Surveys 

Note that these are general guidelines and recommendations; your survey depends on your specific case.  

  1. Present your organization’s privacy policy before the respondent can proceed with the survey.
  2. Ask for publication consent.
  3. Feature a single checkbox on the first page of the survey that the respondent needs to check to consent to your privacy policy.
  4. Don’t reveal any personally identifiable information when sharing the results.
  5. Include any problematic material (e.g. YouTube videos) in pop-ups or on separate pages behind a page jump. Why is YouTube problematic? Because by embedding a video, you’re sharing the respondents’ IP addresses with YouTube. By placing a YouTube video on a separate page or in a pop-up, the respondent chooses whether to access this material or not. 

If you’re using Maptionnaire for your engagement surveys, here’re more tips on how to create GDPR compliant surveys with our platform. You can always ask our support for help with this issue. 

And below are more GDPR-related details. 

Provide privacy policy

a privacy policy at the beginning of your GDPR compliant survey
Provide a privacy policy at the beginning of your questionnaire.

Always include a privacy policy at the beginning of your survey. Provide the policy in the languages that your respondents understand.

In the privacy policy, explain why you require the data and what kind of information will be collected. Also, mention how long the data will be kept. 

List all sub-processors that you use for collecting and analyzing personal data. A curious example: if you use ArcGIS Online for analyzing geodata (which is most likely personally identifiable information), you should mention it as a subprocessor in your privacy policy as well.

To make your life easier (and surveys more secure), Maptoinnaire provides you with a ready-made privacy policy that you can include at the beginning of the survey. Treat it as a form you need to fill in with the details unique to your project.

Do not ask for sensitive information (unless you really need it)

Sensitive information includes health data, political opinions, religious beliefs, and so on. If you need any of such data for your project, be exceptionally mindful of how you use and present the resulting data.

Always check if any of the information you disclose can be used to identify individuals or not. Think like a detective. 🕵️

Once again, it’s your responsibility as a survey owner to treat data confidentially and be transparent about its usage. From our side, Maptionnaire treats all data as if it is sensitive — that is, with the utmost security.

Exclude personal data when showing responses made by others

In Maptionnaire surveys, you can show the responses made by others. It’s a very engaging feature, especially when all the results are put on a map or nicely visualized.          

This is how you can show the responses made by others in Maptionnaire. Note that cycling routes and favorite and disliked places are not considered personally identifiable information.                                

But there is always a “but.” It’s better not to include any personal information on the results page, for example, a map of home addresses. On the other hand, a map of favorite and disliked places will work great and won’t expose any private data (just like the example above). 

Make it easy for respondents to alter or delete their records 

Any respondent has the right to access, alter, and delete personal data collected in a survey. And here we have two most common scenarios. 

If a respondent has login credentials, they can do it themselves. With Maptionnaire, you can enable user authentication with Facebook or Google. To alter or delete responses, a respondent can simply log in and change the information. 

If respondents take a survey without logging in, they should contact a survey owner directly. So make sure you have your contact details upfront in your questionnaires. A note for Maptionnaire users: once you’ve altered the data as requested, contact Maptionnaire support to ensure that the data is changed on our end as well. 

Don’t ask for any personal information from respondents under 13 years old

Children’s personal data is given special protection under EU regulations. The rule of thumb is not to ask for any personal information from individuals under 13. You’d also need to get parental consent from respondents younger than 16 (the age differs from country to country, so check with your local Data Protection Regulation Authority for specific guidance). 

If you need personal information (for example, sociodemographic data), make sure you get the parents’ consent. It’s also advisable to use a common device (a table provided by you or school laptops) for getting survey answers from children. But then remember to set up automatic session reset to save all the answers

Anyways, these regulations should not prevent you from asking for children’s opinions and ideas when developing your city.

Data Protection Responsibilities of Survey Providers (aka Maptionnaire)

  1. Maptionnaire surveys anonymize data. That is, no personal information Maptionaire collects (such as login credentials or device info) is linked to survey results. 
  2. We treat all the gathered data as sensitive.
  3. Our servers collect standard login data (such as IP addresses) as part of routine service operations, but survey owners do not have access to it.  
  4. To make it easier to process personal data, we have a built-in feature for asking consent questions. Just switch on “Ask for publication consent” in your questionnaire's settings.
  5. In Maptionnaire, it’s possible for respondents to edit and delete personal data themselves. Ask your respondents to register (using their email or Google or Facebook accounts) to complete the questionnaire. In this way, they can manage the information they have given through their profile on their own. Otherwise, it’s fairly easy to provide your contact details for those respondents who want to alter or delete their personal data.

Want to check how Maptionnaire surveys look like? Check our demo questionnaires.

As a bottom line, strict GDPR rules should not prevent you from gathering data and insights for your projects. With the right survey provider and the knowledge at hand, you’ll be able to design a survey that respects privacy and personal data — and does its job. 

More Useful Materials about Designing Surveys:

Do you have any questions about designing GDPR surveys for your public engagement activities?

Our team is happy to chat.
Chat with Maptionnaire Team

You'll also enjoy reading:

By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.