Although the EU’s new privacy regulations have been enforced for a while, designing a GDPR-compliant survey still brings us headaches. What’s exactly personal and personally identifiable data? What type of questions can you ask? Can you show the survey results to other participants?
These are all valid questions, so let’s have a look at what you as a survey owner can do to meet GDPR standards. We’ll also cover what survey tools like Maptionnaire do to make your quest for making a GDPR-compliant survey easier.
But first things first.
What is a GDPR Compliant Survey?
That’s easy: a survey that complies with GDPR (the General Data Protection Regulation) ensures that an individual owns their personal information and always has access and the right to modify or delete the personal information collected about them. This also goes hand in hand with being transparent about what data is being collected, why, with which tools, and how it will be handled later.
So what’s that personal data or personally identifiable information? Much more than just an email or home address. According to Article 4, “personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
In other words, personal data is any piece of information that, together with other data, can lead to identifying an individual behind these responses.
If in a community engagement survey you ask respondents to submit their ideas about how to redevelop an old park, these responses are not personal data — these are simply opinions.
If you ask to map their commute from home to work, that counts as personally identifiable information. Because, in theory, with this commute information at hand, anyone can access address directory and then check employment information. Which makes it fairly easy to identify the person behind the answer.
So what are the implications for you as a survey owner?
Here are the main points:
- Collect only necessary personal data and be transparent about the purpose and the way you use the data;
- Mention all your sub-processors who will have access to this data: for example, if you share this raw data with your colleagues via Dropbox, Dropbox will be a subprocessor;
- Make sure respondents can modify or delete any personal data you’ve gathered in your surveys;
- Don’t misuse the collected data;
- Don’t reveal any personally identifiable information, and remember that not all survey responses are personal data.
And an important note: whenever you’re dealing with the response data of the EU residents, you need to comply with GDPR. Also, GDPR is the strictest privacy regulation to date. So if you comply with it, you’d most likely be in line with other privacy laws and recommendations.
The Best Practices for Making GDPR Compliant Surveys
Note that these are general guidelines and recommendations; your survey depends on your specific case.
- Ask for publication consent.
- Don’t reveal any personally identifiable information when sharing the results.
- Include any problematic material (e.g. YouTube videos) in pop-ups or on separate pages behind a page jump. Why is YouTube problematic? Because by embedding a video, you’re sharing the respondents’ IP addresses with YouTube. By placing a YouTube video on a separate page or in a pop-up, the respondent chooses whether to access this material or not.
If you’re using Maptionnaire for your engagement surveys, here’re more tips on how to create GDPR compliant surveys with our platform. You can always ask our support for help with this issue.
And below are more GDPR-related details.
Do not ask for sensitive information (unless you really need it)
Sensitive information includes health data, political opinions, religious beliefs, and so on. If you need any of such data for your project, be exceptionally mindful of how you use and present the resulting data.
Always check if any of the information you disclose can be used to identify individuals or not. Think like a detective. 🕵️
Once again, it’s your responsibility as a survey owner to treat data confidentially and be transparent about its usage. From our side, Maptionnaire treats all data as if it is sensitive — that is, with the utmost security.
Exclude personal data when showing responses made by others
In Maptionnaire surveys, you can show the responses made by others. It’s a very engaging feature, especially when all the results are put on a map or nicely visualized.
But there is always a “but.” It’s better not to include any personal information on the results page, for example, a map of home addresses. On the other hand, a map of favorite and disliked places will work great and won’t expose any private data (just like the example above).
Make it easy for respondents to alter or delete their records
Any respondent has the right to access, alter, and delete personal data collected in a survey. And here we have two most common scenarios.
If a respondent has login credentials, they can do it themselves. With Maptionnaire, you can enable user authentication with Facebook or Google. To alter or delete responses, a respondent can simply log in and change the information.
If respondents take a survey without logging in, they should contact a survey owner directly. So make sure you have your contact details upfront in your questionnaires. A note for Maptionnaire users: once you’ve altered the data as requested, contact Maptionnaire support to ensure that the data is changed on our end as well.
Don’t ask for any personal information from respondents under 13 years old
Children’s personal data is given special protection under EU regulations. The rule of thumb is not to ask for any personal information from individuals under 13. You’d also need to get parental consent from respondents younger than 16 (the age differs from country to country, so check with your local Data Protection Regulation Authority for specific guidance).
If you need personal information (for example, sociodemographic data), make sure you get the parents’ consent. It’s also advisable to use a common device (a table provided by you or school laptops) for getting survey answers from children. But then remember to set up automatic session reset to save all the answers.
Anyways, these regulations should not prevent you from asking for children’s opinions and ideas when developing your city.
Data Protection Responsibilities of Survey Providers (aka Maptionnaire)
- Maptionnaire surveys anonymize data. That is, no personal information Maptionaire collects (such as login credentials or device info) is linked to survey results.
- We treat all the gathered data as sensitive.
- Our servers collect standard login data (such as IP addresses) as part of routine service operations, but survey owners do not have access to it.
- To make it easier to process personal data, we have a built-in feature for asking consent questions. Just switch on “Ask for publication consent” in your questionnaire's settings.
- In Maptionnaire, it’s possible for respondents to edit and delete personal data themselves. Ask your respondents to register (using their email or Google or Facebook accounts) to complete the questionnaire. In this way, they can manage the information they have given through their profile on their own. Otherwise, it’s fairly easy to provide your contact details for those respondents who want to alter or delete their personal data.
Want to check how Maptionnaire surveys look like? Check our demo questionnaires.
As a bottom line, strict GDPR rules should not prevent you from gathering data and insights for your projects. With the right survey provider and the knowledge at hand, you’ll be able to design a survey that respects privacy and personal data — and does its job.
More Useful Materials about Designing Surveys:
- 12 Best Practices of Survey Design to Boost Your Public Participation
- 5 Tips for Creating a Visual Survey for Urban Planning (Examples Inside)
- How to Get People to Take a SurveyThrough Social Media
- How to Engage Stakeholders with a Survey: 6 Winning Methods to Increase Response Rates
- How to Design Community Engagement Survey Questions