The General Data Protection Regulation (GDPR) covers all organizations collecting personal data. Since surveys are one of the most common methods of collecting personal data, researchers are obliged to know and apply GDPR requirements. In this guide, we share the basic steps of preparing a GDPR-compliant survey.
How Does GDPR Affect Surveys?
Under GDPR, "personal data" refers to any information relating to an identified or identifiable natural person. Information collected in surveys such as name, surname, email, and phone number is directly personal data. However, information that identifies the person indirectly (IP address, location, behavioral data) is also within the scope of personal data.
Special categories of personal data (health information, religion, ethnicity, political opinion, etc.) require additional protection and cannot be processed without explicit consent.
Things to Do Before the Survey
1. Obligation to Inform
The following information must be provided to participants at the beginning of the survey:
- Identity and contact details of the data controller
- For what purpose personal data is collected
- To whom and for what purpose data may be transferred
- Data collection method and legal basis
- Rights of the participant under GDPR
2. Obtaining Explicit Consent
Explicit consent regarding the processing of personal data must be obtained from participants. Explicit consent must have the following characteristics:
- Specific: It must be clear which data is collected and for what purpose
- Informed: The participant must have read the privacy notice
- Freely given: Declining consent must not put the participant at a disadvantage
3. Data Minimization
One of the fundamental principles of GDPR is to collect only data that is relevant to the purpose, and only as much as that purpose requires. In your survey, collect only the data that is really necessary for the research purpose.
GDPR Principles in Survey Design
Anonymous and Pseudonymous Surveys
If possible, design your survey to be completely anonymous. When you collect no information that can identify the participant, your GDPR obligations decrease significantly. If you need to collect personal data, consider pseudonymizing it by replacing identifying details with a pseudonym (nickname).
Additional Measures for Sensitive Data
If you collect special categories of data such as health, religion, ethnicity:
- Always obtain written explicit consent
- Store this data in a separate and encrypted environment
- Keep access authorization limited
- Strictly define the processing duration
Surveys Regarding Children
Parental/guardian consent is mandatory for participants under the age of 16 (age may vary by country). Additional protection mechanisms must be applied in the collection and processing of children's personal data.
Technical Security Measures
GDPR mandates taking technical and administrative measures for data security:
- Encryption: Data transfer with SSL/TLS, database encryption
- Access control: Restrict data access to authorized personnel
- Logging: Record of who accessed which data when
- Backup: Regular backup and disaster recovery plans
- Deletion policy: Secure deletion of data when the period expires
Data Retention and Destruction
You cannot store survey data indefinitely. When the research purpose ends or the determined period expires, data must be deleted, destroyed, or anonymized. Create a data retention and destruction policy.
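The pseudonymization, data minimization and retention steps described above can be combined in the code that stores responses. The following is an added example, not code from this guide or from any survey platform; the field names, the one-year period and the key are assumptions constructed for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumptions for this sketch: field names, the one-year period and the key
# below are constructed. In practice the key is stored apart from responses.
PSEUDONYM_KEY = b"constructed-demo-key"
RETENTION = timedelta(days=365)
NEEDED_FIELDS = {"q1_satisfaction", "q2_age_band"}


def pseudonym(email, key=PSEUDONYM_KEY):
    """Keyed HMAC-SHA256 of the normalized email: stable for one participant,
    not reversible or guessable without the key."""
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def store_record(raw, now):
    """Data minimization: keep only needed answers, swap email for a pseudonym."""
    record = {k: v for k, v in raw.items() if k in NEEDED_FIELDS}
    record["pid"] = pseudonym(raw["email"])
    record["collected_at"] = now
    return record


def purge_expired(records, now):
    """Retention: drop every record older than the retention period."""
    return [r for r in records if now - r["collected_at"] <= RETENTION]


def erase_participant(records, email):
    """Deletion request: recompute the pseudonym and remove matching records."""
    pid = pseudonym(email)
    return [r for r in records if not hmac.compare_digest(r["pid"], pid)]


if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    raw = {"email": "Alice@Example.org", "ip": "203.0.113.7",
           "q1_satisfaction": 4, "q2_age_band": "25-34"}  # constructed sample
    db = [store_record(raw, now - timedelta(days=400)),
          store_record({**raw, "email": "bob@example.org"}, now)]
    db = purge_expired(db, now)
    print(len(db), sorted(db[0]))
```

A keyed pseudonym still counts as personal data for as long as the key exists, so the key needs the same access control and deletion schedule as the responses themselves.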
Participant Rights
Remember that participants have the following rights under GDPR:
- Learning whether their data is processed
- Requesting correction or deletion of data
- Requesting restriction of processing
- Knowing third parties to whom data is transferred
- Objecting to automated processing results
Conclusion
Preparing a GDPR-compliant survey combines research ethics and legal requirements. When applied correctly, it both protects the rights of participants and increases the reliability of your research. The YouReply platform provides legal assurance to researchers with GDPR-compliant consent mechanisms, data encryption, automatic deletion, and anonymization features.