Are you losing sleep at night thinking about the arrival of GDPR? If so, you’re not alone. There are still many organisations (small and large) that aren’t entirely sure how to prepare themselves for the upcoming changes in data collection regulation, especially as it pertains to digital feedback. But don’t worry, it’s not too late to start!
This article guides you through the basics of GDPR (e.g. what it is and who will be affected), the most critical changes to be aware of in terms of digital feedback collection, why it’s important to comply with these regulations, the consequences if you choose not to and what we’re doing here at Mopinion to get ourselves and our clients ready for the new legislation.
Let’s get started with the basics.
What is GDPR?
The General Data Protection Regulation (commonly referred to as GDPR), is a new European privacy regulation that will go into effect on May 25th, 2018. This regulation will be implemented in all local privacy laws in the EU and EEA region and apply to all businesses which are either selling or storing personal data about EU and EEA citizens. In other words, it will permanently change the way businesses collect, store and use customer data. In return EU and EEA citizens will have more control over their personal data and what is done with it.
What is considered ‘personal data’?
As defined in the GDPR directive,
“Personal data is any information related to a person such as a name, a photo, an email address, bank details, updates on social networking websites, location details, medical information, or a computer IP address.”
Who will GDPR affect?
To simplify this a little, it is mainly ‘controllers’ and ‘processors’ (of data) who will be directly affected by GDPR.
Controllers (e.g. clients of Mopinion) are any business or government entity that determines how data is processed and why.
Processors (e.g. Mopinion) are businesses who perform the (technical side of) data processing on behalf of the controller.
What’s important to recognise is that, according to the new regulation, it doesn’t matter where in the world controllers / processors are located or operating. If they do business with EU companies or collect data from EU citizens, they are just as much obliged to abide by GDPR as those operating in the EU / EEA regions.
Note: while this article will focus solely on digital feedback collection, it’s important to recognise that there is also discussion about what this will mean for session replay and recording tools, especially as these types of tools – as of late- have been frequenting the news as a result of ‘unintentional password collection’. To learn more about these tools and where they may fall short in terms of privacy once GDPR is in place, be sure to check out this article.
What does GDPR mean for feedback data collection?
The million-dollar question for digital-first businesses…How will this new regulation affect the way we currently collect feedback data online? The easiest way to lay this out is by tackling the most critical and talked about subjects / questions.
1. Data Consent / Lawful Processing. This is perhaps one of the biggest changes to come. GDPR states that consent for collecting personal data (along with the purpose for data processing) must be provided in a form that is easily accessible for your customers. Note: consent must be just as easy to withdraw as it is to give.
Good to know: As GDPR is just around the corner, electronic signatures on PDFs are essential if there isn’t any soft copy. You can learn how to add a signature to a PDF file and many more PDF tips and tricks from this How to edit a PDF guide.
Because customer feedback falls under data processing, it must be also processed lawfully. This means (as stated above) you can only collect feedback from a visitor if they give consent. You can, however, argue that collecting feedback is in your legitimate interests, in which case consent isn’t required.
Note: GDPR is very explicit about prohibiting organisations from using the “legitimate interests” clause as an excuse for marketing activities so it’s important to keep these separate! When you plan to use data for purposes such as marketing campaigns, you must inform your customers. Additionally, if you wish to share customer data, customers must first indicate whether they’d like to participate.
Do you deal with sensitive data?
Then you will need explicit consent for collecting feedback.
If not, processing is in your ‘legitimate interests’.
2. Right to Access. The individual whose data you are collecting has every right to confirm what is being done with their personal data. Note: this information must be issued to the individual free-of-charge.
3. Right to Be Forgotten. Individuals can ask controllers to remove their personal data from the system as well as put a halt to processing by third parties. The controller can only protest if the availability of the data is a matter of public interest.
4. Privacy by Design. This encompasses the need for promoting privacy and data protection compliance from the start. This includes data controllers taking both technical and organisational measures to meet regulations. For example, only processing data that is needed for operations.
5. DPOs. Also referred to as Data Protection Officers, DPOs must be appointed. Note: there are some exceptions to this case. The role of the DPO is to ‘keep up on laws and practices around data protection, conduct privacy assessments internally, and ensure that all other matters of compliance pertaining to data are up-to-date.’
Note: This applies to any organisation that processes or stores large amounts of personal data, meaning both processors and controllers – UNLESS the controller ‘fulfills the criteria for mandatory designation’, in which case it is not required for the processor to appoint a DPO.
6. Data Portability. This refers to the right individuals have to switch their data from controller to controller, which means businesses must be able to deliver customer data in a suitable and machine-readable format (e.g. CSV files). The controller must respond to this request within one month.
7. Data Breach. If you suffer a data breach, a notification MUST be sent to the ICO (Information Commissioner’s Office) within 72 hours (once aware of the breach, that is) and the individuals affected by the breach must be notified. Within the notification to the ICO, it’s important to outline the following: the nature of the data that’s been breached, how many people are going to be impacted, what kinds of consequences the breach will have on those impacted, and which actions you’re taking in response to the breach.
A good way to prepare for this is through thorough data mapping. This means controllers and processors of feedback data know what data they have collecting, where it’s being stored, where it originated, who can access it and which risks are involved.
To review Mopinion’s procedure for a data breach, click here.
Tip: Refrain from collecting personal data in feedback responses
It is very possible that your users may submit personal data in the open comment section of your feedback form. Luckily, there are a couple of ways to prevent this from happening. One of which is to divert users to your customer support page via a direct link in the form. Alternatively, you can incorporate a tooltip into your feedback forms that reminds the user not to include personal data. For example, “Please do not include your contact details in this text field”.
Why comply with these strict regulations?
There are several reasons why compliance with GDPR in regards to feedback data collection is so important. For starters, there are various fines one can be subject to for failing to comply. Sources say:
Your data protection authority could issue a penalty of up to €20 million or 4% of your global annual turnover, whichever is greater.
Additionally, it can be very damaging to the reputation of your brand. If, for example, your business is to be fined for failure to adhere to the regulations, your customers will think that you do not have their interests at heart or value their privacy.
Another reason to comply is the fact that streamlined data protection regulations will lessen the amount of errors made. In other words, fear of mishandling data will result in more structured and organised data storage and processing.
Note: Article 5 of the GDPR states: ‘the controller shall be responsible for, and be able to demonstrate compliance with the principles’. This means that not only must companies comply with the regulation, they must also show that they are in compliance. Many advise that in order to do this, you should keep records of all data-processing decisions.
What are the consequences?
As previously mentioned, the consequences of violating any clauses within GDPR can be detrimental both to a business’ reputation and financially. The specifics of what the consequences will be vary based on several factors including:
- How long the infringement was ongoing
- How many individuals were affected
- The overall level of impact the infringement had
Note: both controllers and processors can be subject to consequences.
What is Mopinion doing to prepare for GDPR?
Mopinion has actively been taking steps to prepare for the GDPR. In close cooperation with our legal team, we plan to publish an addendum to our Privacy statement stating the details on how Mopinion will handle data. This will be available in early April.
As processor, we will ensure / provide the following:
- In terms of data retention, we store data as a long as our client is under contract. For enterprise customers, we adhere to bespoke data processing agreements (DPAs) based on their security policy, wherein data can be removed automatically based on custom time intervals. We will also supply DPAs to customers. This is done using our own template which is available upon request via our Customer Success Team.
- All privacy sensitive data (e.g. contact details in feedback forms, including telephone numbers, email addresses and names) will be encrypted. Additionally any data captured in the input field using our visual feedback feature will be automatically blurred (or masked) once the screenshot is rendered.
- For European clients: we keep all your personal data in Ireland.
- We will organise an additional and professional security assessment to guarantee all personal data is 100% safe.
- An internal mapping of all processed data, in which we document compliance with the above principles and make changes where needed.
Here at Mopinion we take privacy very seriously. We have been working side-by-side with a law firm to make sure everything is in place before GDPR comes knocking on our door. Now, with less than two months to go until this new regulation goes into force, the Mopinion team remains very much confident in the privacy and security measures we have implemented to protect our clients’ data. It has certainly been a challenge but one we were willing to take on for the sake of internet privacy.Kees Wolters, Co-Founder & Managing Partner, Mopinion
Key Takeaways for Companies Using Customer Feedback
Are you collecting customer feedback on your website or mobile app? These are the most important takeaways from this article:
- The privacy landscape is changing quickly so do not delay in taking measures to protect user privacy and meet GDPR requirements.
- Appoint a DPO to handle all compliance matters.
- Process data that is only in your ‘legitimate interests’. In other words, try not to collect data that you don’t need and do not use data collected for marketing purposes (unless you have consent)
- Make sure both you (the Processor) AND your feedback software provider (the Controller) are in compliance with GDPR.
Still feeling pedantic about the new regulation?
Be sure to check out the official General Data Protection Regulation.