GDPR: FIVE KEYS to compliance for online survey designers
The General Data Protection Regulation (GDPR) from the EU, which celebrated its first anniversary last week, has had a major impact on how companies and organisations deal with personal data. Driving "GDPR awareness" down through an organisation requires effective policy communication, but also having data collection tools that actively underline GDPR rules is the most sure and cost-effective way of enforcing compliance.
Highlighting compliance issues as users are building surveys is something we at Demographix have built into our toolset, at no extra charge to our customers. So, let's review the FIVE key safeguards Demographix has designed to help ensure you are more GDPR compliant than users of other survey systems:
1. Every write-in question added to a survey triggers a GDPR compliance alert: Survey builders are asked to consider whether they are adding a question that will collect personal data, and labelling it as Personal Identification Data (PID) if it is. We advise all new users that PID data must be accompanied by an active opt-in (tick box) statement indicating the respondent has been made aware who is storing this data, for what purposes it will be used, and that they consent to this. We suggest that survey-designers make the data collection questions conditional on respondents having seen the statement and ticked the box (i.e. get the consent before showing them the data collection questions).
2. PID data security protections and PID question search: Any data in a survey question labelled as PID is given special protections so that it can not be easily accessed through the standard interface. Users must download an Excel file with this data to view it, and default file download is restricted to the survey owner and high-level log-ins. We have also introduced a PID question search option that will scan all the surveys in your account and flag-up the write-ins that could be PIDs (i.e. the question text has trigger words like "name" or "email" or "mobile" in it). This list can be used to easily designate questions on it as PID.
3. Panel membership upload alerts: Uploading a panel membership list (in Excel spreadsheet format) or inputting individual member details manually now both generate an alert asking if you have had active consent from these individuals for keeping their data and using it to email them to take part in surveys. A record of the procedure is then recorded to indicate that the user has acknowledged that they have these permissions.
4. Checking what data on any given individual is held in your account: Demographix now includes a "Right to erasure request" tool in its data management suite. This allows high-level log-ins to search all the survey data in their account for specific personal data (an email address, postal code, name, etc) if a specific person asks whether you hold their personal data. If there are any instances of this data being held in surveys or panels, these are listed in a downloadable format, with links allowing you to delete the data.
5. Data redaction on closed and archived surveys: Closed and archived surveys with PID questions in them, and which have stored PID data, now have a new management tool under the data section of Available Actions. Choose this option and the personal data will be redacted (or overwritten). As this is irreversible, there is a confirmation alert before the action is carried out. Your data has gone for good.