CustomerSure

Doing Business in Europe? Stay GDPR Compliant

Creating a GDPR compliant survey may seem complicated, but with a little advice from the experts - that’s us! - you’ll find it’s easier than you think. We’re here to provide specialist advice on how exactly it applies to feedback surveys, customer satisfaction surveys and Voice of Customer programs to streamline the process of gathering valuable information whilst staying compliant.

The GDPR might seem like a tangled web of legalese, but it’s actually a good thing. Think about it: as a data subject, you want companies to handle your data with care and responsibility. The GDPR sets a standard that ensures your personal information is protected and used ethically. Not only that, but these rules help improve trade by ensuring that all businesses follow the same guidelines, making it easier and more trustworthy to do business across borders.

Even though the UK is no longer in the EU, GDPR was integrated into UK law as the Data Protection Act (DPA) 2018. So, it’s still something that needs to be on your radar. Whether you already know what GDPR is or you’re a complete beginner, stick with us, and you’ll see that being GDPR compliant not only keeps you on the right side of the law but also boosts your customers’ confidence in your brand.

Disclaimer: This article is not specialist legal advice. If you need professional legal guidance, we recommend contacting a qualified lawyer to ensure your specific needs are met and you remain fully compliant with GDPR and other relevant laws

What is GDPR?

Alright, let’s break it down. The GDPR, or General Data Protection Regulation, is a set of rules designed to give people more control over their personal data and make sure companies handle this data properly. Essentially, it’s about being transparent with your customers about how their data is used, ensuring it’s kept safe, and respecting their privacy rights.

In summary, the GDPR:

  • Standardises data protection legislation across the EU. Instead of a myriad of slightly incompatible parliamentary acts based on a directive, one data protection regulation will govern all of the European Union.
  • Upgrades the rights individuals (that’s you and I) have around controlling their own data.
  • Clarifies and improves the rules around transferring data out of the EU.

It’s hard to argue with these objectives - as both a business, and as individuals, we’re in favour of giving people stronger rights around their own personal data. As a human being, it’s nice to know I’m better protected, and as a business, we’ve spent fourteen years advocating that companies treat their customers respectfully, so it’s great to see this approach get better legal backing

Enforcement of the GDPR occurs at the national level. In the UK, this is done by the ICO – the Information Commissioner’s Office. We’ll refer to a lot of their guidance in this piece, but each EU member state has its own, similar enforcement body.

Understanding Data Protection Law

Let’s get on the same page with some terminology which dates all the way back to the original Data Protection Act (1998).

Personal data

Personal data is pretty straightforward: it’s any data that relates to a living individual who can be identified either directly from that data or indirectly when combined with other information. So, a list of names and addresses is personal data, and so is a list of purchases if you can match those purchases to specific individuals

There’s also a more specific category of personal data, sensitive personal data, which is essentially any personal data which covers:

  1. racial or ethnic origin
  2. political opinions,
  3. religious beliefs
  4. trade union membership
  5. health (physical or mental)
  6. sexual activity,

Does this apply to your customer satisfaction surveys? Probably not, unless your business touches on any of these sensitive areas. For example, if you deal with a specific health condition, any customer completing your survey is indicating they have that condition, making your feedback sensitive

A few more key definitions.

  • Data subject: That’s you and I. Anyone who is the subject of personal data.
  • Data controller: This is the person or entity that calls the shots on how and why personal data is used. Think of the data controller as the decision-maker. For example, if your company decides to collect customer feedback through a survey, your company is the data controller because it decides what data to collect, how to use it, and why it’s being collected in the first place.
  • Data processor: This is the person or entity that handles the data on behalf of the data controller. They follow the instructions given by the data controller without making any decisions themselves. So, if you hire an external company to run your customer satisfaction surveys and manage the data collected, they are the data processor.

Still with us? That’s all the background covered. Let’s dive into the details of getting feedback from your customers through a GDPR compliant survey

Customer Feedback vs Market Research vs Marketing

If we want to look at how the GDPR affects satisfaction surveys, we have to be clear about what satisfaction surveys are and are not.

Done right, customer feedback is a vital part of “business as usual” with your customers. For a well-run business that wants to deliver a first-rate customer service, it’s as legitimate a part of normal trading as issuing purchase orders, invoices, or dispatch confirmations.

This is different to market research.

In the words of the British Library, Market Research is research undertaken to:

Give businesses like yours the luxury of making insight-driven, informed decisions to create a profitable marketing strategy. For those heading into untapped markets or diversifying into a completely new sector, market research helps to mitigate business risks by finding out exactly what your customers want.

In short, it’s research, for your benefit, so you can do better marketing. It might involve mailing or calling your customers, but it might involve other forms of data gathering too. Crucially, when you get the results of your research, you’re going to use it to implement or improve a marketing strategy.

That’s important, but it’s not customer feedback. (The UK’s Market Research Society offers their own guidance on GDPR for Market Research).

Customer feedback is giving each and every customer a chance to tell you if you’re doing a good job for them. It’s done for your customers’ benefit, so they are happier. When you receive customer feedback, you’re going to act on it and fix any problems arising from it, not compile it into a spreadsheet.

So although you may want to collect data from your customers for both customer feedback and market research, and you’ll have obligations under the GDPR either way, it’s important to recognise they’re not the same thing.

Finally, and hopefully this goes without saying, both feedback and market research are separate activities to direct marketing. (For example, sending email newsletters). This might sound painfully obvious now, but it will become relevant in a moment when we come to talk about consent.

Is your processor GDPR compliant?

So, you’re working with a data processor to enhance your feedback process. In a nutshell, you need a contract, and they need a GDPR compliant privacy policy (ours is here).

Article 28 of the GDPR says it’s your responsibility to ensure your suppliers (processors) operate in a GDPR compliant way. You (or your Data Protection Officer) need to vet their privacy and security policies to ensure they’re up to scratch.

The GDPR contains a list of conditions that your contract must contain. We won’t list all the conditions here (but you can read Article 28 if you’re interested).

Often, a processor will rely on other processors, or “sub-processors,” to help with tasks. For example, many software companies use cloud servers from Amazon, Microsoft, or Google to store data.

The GDPR requires that your processors also have GDPR compliant contracts with these sub-processors. So, it’s not enough to have a general agreement that says, “we’ll honestly look after your data.” The contracts must include specific clauses mandated by the GDPR. For instance, our hosting partner, Amazon, already offers such contracts, and we expect the rest of the market to follow suit.

Transferring Data Outside the EU

If you’re UK or EU-based, you need to be careful about transferring data to servers outside the EU, like in the US. Not all countries have the same strict data protection laws as the GDPR, which can lead to potential risks and compliance issues.

But don’t worry, there’s an easy way to avoid this hassle: use CustomerSure. We ensure that your data is never stored outside of the UK or EU. This means you don’t have to stress about your data ending up somewhere with less stringent privacy laws.

Data processing principles

The GDPR defines the following 6 principles for processing personal data (which basically means doing anything with data). Here’s a quick rundown according to Article 5 of the GDPR:

  1. processed lawfully, fairly and transparently: This means you need proper contracts in place and must be open about how you use data
  2. collected for specified purposes: Only use data for the purpose you collected it for. For example, don’t use Voice of Customer (VoC) data for marketing without consent
  3. just the right amount Collect only what you need. Don’t overload your surveys with unnecessary questions
  4. Accurate and up to date: Ensure the data you hold is correct and current.
  5. Kept no longer than necessary: Don’t hold onto data longer than you need to.
  6. Processed securely: You use a processor like CustomerSure who will always encrypt your data: at rest and in transit, and who conduct audits to ensure our security measures are adequate

A few of these touch upon your customer satisfaction surveys - so let’s dive into what they mean a bit more.

Security

The GDPR emphasises security from both theft and loss but doesn’t specify the type of security needed. However, the ICO is completely clear that this means at the minimum encryption and backups. They say that if data losses occur and encryption wasn’t used, regulatory action may follow.

a padlock

You should quiz your data processors about their backup strategy and encryption methods. HTTPS is important for protecting data in transmission, but data must also be encrypted when stored. Check that your processor uses database or full-disk encryption.

Lawful Processing

To have a GDPR compliant survey, the guidelines say you need to process data “lawfully.” For customer satisfaction surveys, this means asking for feedback lawfully. The GDPR’s detailed explanation of lawful processing (Article 6, subparagraph 1) boils down to two main points:

  • the data subject has given consent

or

  • Processing is necessary for the legitimate interests of the data controller, except where overridden by the data subject’s rights

In other words, you can collect feedback if customers consent or if it’s in your legitimate interest, like improving services. Just remember, legitimate interests can’t be used as an excuse for marketing activities. Article 21 gives people the right to object to processing, especially for marketing under the legitimate interests clause.

Balancing test

A ‘balancing test’. weighs your legitimate interests against the rights of the data subject. Make your feedback process as customer-friendly as possible to pass this test

If you ignore feedback, or send surveys too infrequently or ask irrelevant questions, you risk failing this test, so keep it straightforward and customer-focused.

When it comes to collecting feedback, one legal ground you can rely on is ‘consent’. But honestly, if your feedback process is already customer-friendly, leaning on consent might cause more headaches than it’s worth.

Under the GDPR, ‘consent’ needs to be “unambiguous” and, for sensitive data, “explicit.” So, no sneaky pre-ticked checkboxes are allowed. But here’s the thing: if you have a legitimate reason for collecting feedback, you don’t need to bother with consent.

Why? Because “When the processing has multiple purposes, consent should be given for all of them” (Recital 32), so asking for consent can be a real hassle. Picture this:

“So what’s your email address?” “Is it OK if we send invoices to that address?” “And OK for us to let you know if there’s a problem with your order?” “And OK for us to give you a dispatch notification?” “And OK to ask you for feedback?”

Good grief, right? The GDPR wants to avoid this kind of nonsense by giving you other legal grounds for processing data. It even states that consent requests must be clear, concise, and not disrupt the service.

So, if your feedback process is respectful and transparent about how you’ll use the data, you don’t need to get consent. Just be upfront about your intentions and give people a chance to opt-out if they want

But, if you still want to go the consent route, keep these points in mind:

  1. For non-sensitive data, you need “unambiguous, affirmative” consent. A straightforward notice like “by submitting this form, you agree that we will process your data in line with our privacy policy” works.
  2. Once you rely on consent, you can’t switch to another basis if someone says no. You can’t decide to send a survey anyway due to whoops, “legitimate interests”, actually.
  3. You must keep records of how and when consent was given.

In the end, making your feedback process GDPR compliant without relying too much on consent can make things smoother and simpler, ensuring your GDPR compliant survey is both effective and hassle-free.

Online Reviews

Some people like to automatically publish all their customer feedback as online reviews. While we don’t recommend this, we get it—some businesses really like to showcase feedback. If that’s you, just know that this probably doesn’t count as a legitimate interest because it’s marketing. This means you’ll need to get consent to use people’s comments on your site.

Five stars, like an online review

Overall, we suggest keeping feedback and reviews separate. Reviews are important, but it’s better to handle them as a different process - asking for a review before you’ve ensured the customer is happy can create a bad experience.

Demonstrating Compliance

The final thing Article 5 of the GDPR has to say about data processing is that: the controller shall be responsible for, and be able to demonstrate, compliance with the principles.

Meaning, it’s not enough to be just doing these things, you need to show that you’re doing them.

There is a get-out clause which frees up organisations employing fewer than 250 people from this obligation. But… the get out doesn’t apply if:

the processing is not occasional, or the processing includes special categories of data

You should be checking for feedback regularly, meaning arguably your processing is “not occasional”. So, the get-out clause probably doesn’t apply in this case. You should keep records of all your data processing decisions.

Will I be fined €20,000,000 if I get this wrong?

This figure of €20,000,000 has grabbed a lot of headlines, but the good news is… You are almost certainly not going to be subjected to this fine. This is the maximum fine for the absolute worst of offences. There’s a lower limit of €10,000,000 for most ‘standard’ offences, but you’re almost certainly not going to be hit with this either.

You’re reading this post. You’re going to follow its advice. You’re committed to doing the right thing. These fines are the ultimate last resort punitive measures for the ‘bad guys’. The ICO has already said fines are a last resort, it will work with businesses to help them get things right.

Are there any other laws which apply here?

Sort of.

The UK, and most other EU states, have laws like PECR, which govern marketing communications to your customers.

If you’re doing the right thing and keeping your customer feedback separate from your marketing, in theory you’re not affected by the marketing aspects of PECR.

When people think of GDPR, they often think of annoying cookie popups on websites. These popups aren’t really a GDPR thing, they’re actually a consequence of the ePrivacy Directive. Remember, you only need these popups if you’re using cookies to track personal data in a way which isn’t in your ‘legitimate interests’, for example if you’re spying on your website visitors, and linking what they do on your site to their social media profiles.

Final Thoughts

Making a GDPR compliant survey doesn’t have to be a headache. Keep it simple, ensure you’re respecting privacy laws, and your customer satisfaction surveys will be compliant and build trust with your client base. Plus, staying on top of GDPR rules not only protects your customers but also keeps your business in the clear. So, relax, follow the guidelines, and watch your feedback process thrive!

Resources to help you stay GDPR compliant

GDPR isn’t a world apart from existing data protection regulation. If you’re currently compliant with the law, you’re on the path to GDPR compliance but there are some additional things you must do. If you’re not already compliant, you have bigger problems.

Here’s a checklist for what you need to do to stay legal:

Summary of all the advice in this article

If you feel you need support, we can help you with that.

We have over 14 years of experience of working closely with our mid-market clients to drive measurable improvements within their business. If you’re thinking about joining them, why not test the water by asking us to assess your current CX maturity? We’ll just need a few minutes of your time to understand your current challenges and objectives.

Chris Stainthorpe
Chris Stainthorpe

Chris is a member of CustomerSure’s founding team. Since 2010, he has worked with our clients to help them put VoC programmes in place that respect the customer and deliver measurable results. The best part of his job is learning something new from every new client.

Read more:

Guide Read How to Win Back Lost Customers

How to Win Back Lost Customers

Learn how to win back customers with tips from 6 top companies. Boost your customer retention and grow your business with our expert guide

Take the first step…

Connect with a CX expert who’ll help determine your current VoC programme maturity level and provide a 3-step action plan to improve.