On May 25th, 2018, the General Data Protection Regulation (GDPR) enters into force in the European Union, and it will have a fundamental impact on how organizations treat data from individuals in compliance with the new privacy laws.
The GDPR replaces the 22-year-old EU Data Protection Directive and is intended to streamline data privacy laws across Europe and extend their reach to include some companies with no EU presence. Online surveys, which are at the forefront of any consumer, market, or employee research, also need to be made compliant with the updated regulations.
So what does this mean for market researchers doing work in the EU? In short, it means every organization that collects data of any kind must implement a data protocol or risk being fined 4% of total revenue or $20 million, whichever is higher.
In order to make it easier for QuestionPro survey software users to create and send GDPR-compliant data collection surveys, we have put in place a seven-step process to ensure all data being collected for market research in the EU is fully GDPR compliant. Current clients who are on EU servers will automatically have these settings turned on; however, the following information must be added and documented in the settings of your QuestionPro account.
GDPR Settings Structure
There are seven protocols to cover to ensure GDPR compliance. With QuestionPro, we make it easy to put a process in place to get started.
1. Designate a GDPR Survey Data Protection Officer
Every organization that is collecting data from EU citizens must have a named Data Protection Officer. This person should be empowered within the organization and represent the organization with respect to data and privacy issues.
2. Survey Data Retention Period
GDPR regulations state that companies must make it clear how long data about respondents and users is retained. Our default policy will be in place; however, we recommend that each company decide on and create its own data retention policy, one that protects its business interests while satisfying the principle of informed consent of subjects and respondents with regard to the expiry of data.
3. Right to Look at All Survey Data Collected
4. Survey Data Breaches and Supervising Authority
GDPR imposes a legal obligation to notify the supervisory authority of a data breach within 72 hours of becoming aware of it. GDPR allows for selecting a “Lead Supervising Authority”; QuestionPro has selected the Dutch DPA as the lead supervisory authority that governs data collected by QuestionPro. In some cases, a client may want to select its own supervisory authority. Such customers must then notify their own supervisory authority, and can do so as soon as we notify them of a breach.
In cases where a data breach occurs without our involvement (for example, a laptop holding survey respondent data is stolen), it is up to our clients to notify their own supervisory authority of the breach.
5. Notification to Subjects – Regarding Breaches
Processor Agreements: QuestionPro will have a standard processor agreement for all customers that lists our obligations as data processors. Customers who wish to have their own agreement put in place should contact us to have it applied to their account. Please note this option is only available to our enterprise customers.
Right To Be Forgotten: Respondents can request that their data be deleted at the individual-response level. They can also delete all of their survey responses. Further, they can ask the system to completely “forget” them, including all cookies associated with the user. QuestionPro will then automatically remove all references to the user from its servers.
Research and acknowledgment: When users click on Data and Privacy, the stated purpose of the research and of the data use will be presented.
QuestionPro offers default language that includes:
- Use of data for research purposes only
- No commercial sale of data
- No solicitation or marketing
QuestionPro will offer default language that our customers can use. However, it is up to the customers to decide which options to choose. They may also edit the content and language.
6. GDPR and Data Processing Agreements
There are two kinds of entities as far as GDPR is concerned:
In most cases there will be a single data collection entity that uses one or more processors. Processors may, in turn, use other data processors. In order to protect the chain of responsibility, GDPR envisions that DPAs (Data Processing Agreements) will be entered into between processors and sub-processors. QuestionPro provides a standard GDPR-compliant DPA template to all of our clients. No changes to this agreement are permitted. Clients with an Enterprise License may request changes to the standard DPA; however, approval of changes to our standard DPA will take 30-60 days.
7. List of EU GDPR Authorities by Nation
Each EU nation has its own GDPR representative, and it is up to your organization to be in contact with the one in the country where you do the most business. For more information, click here.
For more information on how to get compliance-ready before the May 25th deadline, visit us here. Contact us with any additional questions or comments. We are here to listen and will be happy to address any unique data collection situations and offer the best resolution and strategy that can be implemented prior to the looming deadline.