How to GDPR-proof your Customer Satisfaction Surveys
In a nutshell…
GDPR isn’t going to go away, but it doesn’t have to be hard. This comprehensive, researched guide will teach you everything you need to know to make sure your surveys are up to scratch.
If you’re doing business in Europe, you’ve probably caught wind of a major new piece of legislation, the GDPR, landing on the 25th May 2018.
And if you spend any time on the internet, you’ve probably been exposed to a wide range of views about how you need to prepare; everything from “ignore it and it’ll go away”, to “pay a consultancy firm a lot of money and it’ll go away”.
We can’t make the GDPR go away, but we can help you make sense of the parts of it that relate to sending feedback forms to your customers. We’ve put together a helpful PDF which summarises everything, and this article gives you the detail you’ll need.
Full GDPR compliance for your entire organisation is a job for your Data Protection Officer, but we’ll help you make sense of the tiny bit of it which relates to sending satisfaction surveys.
This post aims to give you simple, pragmatic advice. Although Elle Todd, Partner and Head of Digital and Data at international law firm CMS London, and Joseph Ndep, a GDPR specialist on her Data team, have commented on its content, if you feel you need specialist legal advice, please consult a lawyer and not the internet.
What is GDPR?
The GDPR is a European Union Regulation – effectively, a law applicable across the European Union. It replaces the Data Protection Directive, drawn up when dinosaurs like AOL and MSN still stalked the internet in 1995.
The DPD was an EU directive – not quite as strong as a regulation. A directive requires member countries to achieve certain things, but doesn’t say how these things should be achieved. In the UK, the DPD was implemented in 1998 through the Data Protection Act.
Because the way personal information is shared has changed in ways which wouldn’t have been imaginable in 1995, the legislation which governs that information is long overdue an update. The GDPR is this update. You have to work harder to comply with it than you did with the DPA, but because you already comply with the DPA, you’re not starting from scratch. In broad terms, the GDPR:
- Standardises data protection legislation across the EU. Instead of a myriad of slightly-incompatible parliamentary acts based on a directive, one data protection regulation will govern all of the European Union.
- Upgrades the rights individuals (that’s you and me) have around controlling their own data.
- Clarifies and improves the rules around transferring data out of the EU.
It’s hard to argue against any of these objectives. Standardising regulations means it’s easier for businesses in the EU to do business with each other (they already comply with each other’s laws), and it’s easier for non-EU businesses to trade with the EU (they only have one law to comply with, rather than 20 or so).
As both a business, and as individuals, we’re in favour of giving people stronger rights around their own personal data. As a human being, it’s nice to know I’m better-protected, and as a business, we’ve spent eight years advocating that companies treat their customers respectfully, so it’s great to see this approach get better legal backing.
Enforcement of the GDPR occurs at the national level. In the UK, this is done by the ICO – the Information Commissioner’s Office. We’ll refer to a lot of their guidance in this piece, but each EU member state has its own, similar enforcement body.
Wait… If this is European legislation, doesn’t that mean that if the UK leaves the EU, it’ll no longer apply?
The GDPR will apply in the UK from 25th May 2018. So you need to be compliant from that date.
In short, if you’re planning to gamble that the UK’s planned withdrawal from the EU will relieve you of your GDPR obligations, don’t.
Data Protection Law Today
Before we talk about how the GDPR improves on current legislation, let’s get on the same page and introduce some terminology that dates back to the Data Protection Act (1998).
First of all, it’s important to know what data, and personal data mean…
The definition of data itself is pretty technical and couched in a lot of legalese. If you’re feeling pedantic, you can unpick this PDF that the ICO provide, or you can be pragmatic and assume that, yes, your business does deal with data.
Personal data on the other hand is easy to define:
data which relate to a living individual who can be identified:
a) from those data, or
b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
The only ‘gotcha’ here is point b). A list of names and addresses is obviously personal data, but so too is a list of purchases if you also have a list of names and addresses, and a way of matching purchases to those addresses.
Simple enough. There’s also a more specific category of personal data, sensitive personal data, which is essentially any personal data which covers:
- racial or ethnic origin
- political opinions
- religious beliefs
- trade union membership
- health (physical or mental)
- sexual activity
Again, pretty simple. Does this apply to your satisfaction surveys? Probably not, unless the nature of your business touches upon any of the above categories. For instance, if you deal with a very specific health condition, any customer who completes your survey is clearly indicating they have that condition, so, yes, your feedback forms are sensitive.
Finally, the act defines the word ‘processing’. We’ll spare you the technical, lawyerly definition of ‘processing’, and take the ICO’s advice:
It is difficult to think of anything an organisation might do with data that will not be processing
That’s almost all of the definitions! There are only three more we need to cover before we chat about satisfaction surveys.
- Data subject: that’s you and me, dear reader. Anyone who is the subject of personal data.
- Data controller: Any person who determines how and why personal data will be processed.
- Data processor: Any person who processes personal data on behalf of a data controller.
There are just a couple of important things to note about these definitions.
When the act refers to persons, it’s talking about legal persons, which includes most businesses. So a controller will be the business you work for, not you.
And though the act defines a controller as someone who determines how and why personal data is processed, the ICO place far more emphasis on why (i.e. the business purpose), than the how.
If you decide you’d like to improve customer satisfaction by collecting feedback, and you engage the world’s greatest customer feedback company to help you, and we suggest a 2-question survey sent immediately after your goods are delivered… The ICO are clear that in this scenario, because you have decided the why (improve customer satisfaction), it’s not important that we help you with some of the details – you’re the controller and we’re your processor.
Of course, it’s normal to be both a processor and a controller for different sets of data. Whilst we’re a processor for all of our clients, we’re also a controller for our own employee, customer and supplier data.
Still with us? That’s all the background covered. Let’s dive into the detail of getting feedback from your customers, and what you need to do.
Customer Feedback vs Market Research vs Marketing
If we want to look at how the GDPR affects satisfaction surveys, we have to be clear about what satisfaction surveys are, and are not.
Done right, customer feedback is a vital part of “business as usual” with your customers. For a well-run business that wants to deliver a first-rate customer service, it’s as legitimate a part of normal trading as issuing purchase orders, invoices, or dispatch confirmations.
This is different to market research.
In the words of the British Library, Market Research is research undertaken to:
Give businesses like yours the luxury of making insight-driven, informed decisions to create a profitable marketing strategy. For those heading into untapped markets or diversifying into a completely new sector, market research helps to mitigate business risks by finding out exactly what your customers want.
In short, it’s research, for your benefit, so you can do better marketing. It might involve mailing or calling your customers, but it might involve other forms of data gathering too. Crucially, when you get the results of your research, you’re going to use it to implement or improve a marketing strategy.
That’s important, but it’s not customer feedback. (The UK’s Market Research Society offers their own guidance on GDPR for Market Research).
Customer feedback is giving each and every customer a chance to tell you if you’re doing a good job for them. It’s done for your customers’ benefit, so they are happier. When you receive customer feedback, you’re going to act on it and fix any problems arising from it, not compile it into a spreadsheet.
So although you may want to collect data from your customers for both customer feedback and market research, and you’ll have obligations under the GDPR either way, it’s important to recognise they’re not the same thing.
Finally, and hopefully this goes without saying, both feedback and market research are separate activities to direct marketing. (For example, sending email newsletters). This might sound painfully obvious now, but it will become relevant in a moment when we come to talk about consent.
For the purposes of this article, we’re assuming that you use a company like CustomerSure, who provide software and advice to help you deal with customer feedback better. If you’ve chosen to go it alone you should still be able to adapt this advice to suit your circumstances.
We’re not going to walk through the GDPR line by line, because it’s 88 pages long, and you haven’t got all day. We’re just going to guide you through the basics that you must know if you’re collecting feedback after May 2018.
Is your processor compliant?
So, first of all, assuming you are engaging a data processor to improve your feedback process, Article 28 says that:
The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
Translation – it’s your responsibility to ensure that your suppliers (processors) operate in a GDPR-compliant way. Basically, you (or your Data Protection Officer) need to vet their privacy and security policies (ours is here) to ensure that they’re up to scratch with the GDPR.
But furthermore, Article 28 also covers the content of the contract with your processors. The GDPR contains a list of conditions that your contract must contain. We won’t list all the conditions here (but you can read Article 28 if you’re interested).
If you have contracts with your existing processors, it’s unlikely that they cover every single thing that the GDPR needs them to, so you’ll need to get new contracts in place prior to May 2018.
What about your processors’ processors?
Often, a processor will rely on other processors to help them with the tasks they do for you. For example, many software companies will store data on cloud servers provided by Amazon, Microsoft or Google. The GDPR is wise to this, and specifically says that your processors must also have GDPR-compatible contracts in place with these “sub-processors”.
To reiterate – you can’t just have a contract with general terms amounting to “we’ll honestly look after your data”; the GDPR mandates very specific clauses. Our hosting partner, Amazon, already offers such contracts, and we expect the rest of the market to follow suit.
Transferring Data Outside the EU
The GDPR imposes restrictions on transferring data outside the EU. You can only transfer data to other countries if “appropriate safeguards” are in place.
The EU/US privacy shield is one such safeguard, so at the time of writing, it’s OK to use a processor who stores data with US-based companies, as long as those companies are covered by Privacy Shield. Your processor should be able to tell you where they store their data, and prove it’s either in the EU or covered by an agreement such as Privacy Shield.
Transparency
The GDPR greatly expands upon the concept of ‘transparency’.
In a nutshell, you need privacy policies which are:
concise, transparent, intelligible and easily accessible […], using clear and plain language (Article 12)
Drafting these policies will probably be the responsibility of your organisation’s data protection officer, rather than you, so we won’t dwell on them here. But, they must mention your feedback process, and include all the information required by Article 13 of the GDPR.
Data processing principles
The GDPR defines the following 6 principles for processing personal data. (Remember, ‘processing data’ means ‘doing literally anything with data’.)
According to Article 5 of the GDPR, personal data shall be:
- a) processed lawfully, fairly and transparently;
- b) collected for specified purposes, and not processed for other purposes;
- c) ‘just the right amount’ of data for the task at hand – not too much, but enough to do your job accurately;
- d) accurate and up to date;
- e) kept no longer than necessary;
- f) processed securely.
A few of these touch upon your feedback forms. Point a) (collected lawfully) is very important, so we’ll cover it in detail in the next section. Points b) through e) are fairly self-explanatory. That leaves point f).
Principle f): Security
Throughout, the GDPR is very clear that security from a ‘data breach’ means security from both theft and loss, but it isn’t specific about the type of security you need to provide.
The ICO, however, are completely clear about this. Security means both encryption and backups. In their words,
The Information Commissioner has formed the view that in future, where such losses occur and where encryption software has not been used to protect the data, regulatory action may be pursued.
So you should be quizzing your data processors about their backup strategy and how they are using encryption. Remember that although HTTPS (i.e. the padlock in your web browser’s address bar) is important, it’s not sufficient on its own.
HTTPS will protect data in transmission, but not whilst the data’s being stored. Data must be encrypted when it’s stored too, so you need to check that your processor is using either database, or even better, full-disk encryption on their servers.
Principle a): Lawful Processing
Saving the best principle until last.
The GDPR says you need to process data “lawfully”. Asking for feedback is processing data, so you need to ask for feedback lawfully. But what does that mean?
The GDPR has a detailed explanation of what “lawful processing” is (Article 6, subparagraph 1 if you have trouble sleeping), but we only need to focus on two points from this explanation:
Processing is lawful if…
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject
To clarify that, you can use someone’s data to collect feedback if:
- They have said it‘s OK to do so (they’ve given you consent), or
- You can argue convincingly that collecting feedback is in your legitimate interests.
The best basis in the GDPR for asking for feedback is that it’s in your (and your customers’) interests to do so. You both need to know if there have been problems, so you can fix them.
This is why we’ve been so emphatic about putting a lot of distance between your feedback collection and any form of market research or marketing.
And so, the GDPR is very, very explicit that organisations may not use the “legitimate interests” clause as an excuse for marketing activities.
Article 21 sets out people’s right to object to processing. It specifically gives people a right to object to processing carried out under the “legitimate interests” clause, and even more specifically, a right to object to marketing activities carried out under this clause.
So if we haven’t made it clear enough already – put a huge firewall between your feedback processes and your marketing activities.
Legal minds bring up the idea of a ‘balancing test’: a balance between your ‘legitimate interests’ and the ‘interests or fundamental rights or freedoms’ of the person whose data you’re processing. As long as you make your customer feedback process as customer-friendly as possible, then no rational person will argue that you fail this balancing test.
However, if you start acting shady, for instance by not responding to feedback, sending annual surveys when transactional feedback forms would work better, or not asking customer-focused questions, then you’re tiptoeing closer to the line where you’d fail this test. Don’t do it!
The second of the two potential legal grounds you have for collecting feedback is ‘consent’.
Assuming your customer feedback process is very customer-friendly, we don’t recommend that you rely on consent. It will cause you more problems than it solves.
The notion of ‘consent’ exists in current law, but is upgraded under the GDPR. Specifically, consent must now be “unambiguous”, and in the case of sensitive data, “explicit”. This means no dark patterns like pre-ticked checkboxes!
Because you have sound legitimate interests to ask for feedback, consent isn’t required.
The first problem with asking for consent is that, whilst polite, it’s disruptive, especially given:
“When the processing has multiple purposes, consent should be given for all of them” (Recital 32)
Imagine the conversation,
“So what’s your email address?”
“Is it OK if we send invoices to that address?”
“And OK for us to let you know if there’s a problem with your order?”
“And OK for us to give you a dispatch notification?”
“And OK to ask you for feedback?”
The GDPR gives you other grounds for processing data specifically to avoid nonsense like this. In fact, it specifies that:
the request [for consent] must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided (Recital 32)
So, if you’re comfortable that your feedback process is respectful of your customers, don’t feel that you need to obtain consent. Just be sure you’re totally transparent about how and why you’re going to use data in your feedback process, and that you give people the chance to opt-out.
If you decide that in spite of this, you would like to obtain consent, remember the following three points:
- Once you’ve relied on consent, you can’t double-back and switch to one of the other bases for processing. So if someone says “no”, you can’t then decide that you’re going to send a survey anyway because of “legitimate interests”.
- The GDPR says “the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data”. Meaning: you need to keep records of how and when consent was given.
Some people like to automatically publish all their customer feedback as online reviews.
We don’t recommend this, but understand that some people like to do it. If this is you, be warned that this probably doesn’t count as a legitimate interest. It’s marketing.
This means you’ll have to get consent to use people’s comments on your site.
We recommend that rather than complicating your order forms with consent for publishing future feedback in public, you gain consent at the point you actually collect feedback. So, all the processing up to that point is in your legitimate interests, and you’re only asking consent when you move beyond those interests.
The GDPR mentions two very similar, but subtly different forms of consent:
- Unambiguous consent for ordinary, non-sensitive data
- Explicit consent for sensitive data
As your customer feedback is (probably) not sensitive, you only need to get unambiguous consent to display it in public. This means there’s absolutely no doubt that the customer understands what you will do with their data. A good example of this would be as follows:
However, there’s a big problem with this approach. If a customer wants to tell you about problems, but doesn’t want their comments to be made public, they can’t use this form! That’s not a great experience.
There are two approaches you can take here. One is to add two questions, and obtain unambiguous consent as follows:
The other is to shoot for explicit consent instead. Allow people to submit the feedback form regardless, and opt-in to you showing their comments in public, as follows:
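The article makes three practical points that a developer on the feedback side has to implement: feedback requests are sent under legitimate interests and an objection must be honoured; publishing comments as reviews is marketing and needs a separate, recorded consent that cannot be replaced by legitimate interests if the customer says no; and the controller must be able to demonstrate how and when consent was given. The following is an added example of a small, auditable lawful-basis register that does exactly that. It is not CustomerSure’s code or the GDPR’s text; the data model, field names, function names and the constructed sample customers are all assumptions made for illustration.

```python
"""Added example (not the article's or CustomerSure's code): a minimal register
of the lawful basis used for each customer-feedback action, plus the consent
evidence the GDPR says a controller must be able to produce.

Everything below (class names, field names, purposes, sample data) is an
assumption made for illustration, not taken from the article.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# The two Article 6(1) bases the article discusses.
LEGITIMATE_INTERESTS = "legitimate_interests"   # Article 6(1)(f)
CONSENT = "consent"                             # Article 6(1)(a)

# Purposes used in this example (hypothetical names).
SEND_SURVEY = "send_survey"          # transactional feedback request
PUBLISH_REVIEW = "publish_review"    # showing a comment publicly = marketing


@dataclass
class ConsentRecord:
    purpose: str      # what the customer was asked about
    given: bool       # True = opted in, False = refused or withdrawn
    when: datetime    # when the decision was captured (UTC)
    wording: str      # exact text shown, so consent can be evidenced later


@dataclass
class Customer:
    email: str
    objected_to_surveys: bool = False            # Article 21 objection
    consents: list = field(default_factory=list)  # append-only history


def record_consent(customer: Customer, purpose: str, given: bool,
                   wording: str, when: Optional[datetime] = None) -> ConsentRecord:
    """Append a consent decision. The history is never overwritten, so a later
    refusal or withdrawal leaves the earlier record in place as evidence."""
    rec = ConsentRecord(purpose, given, when or datetime.now(timezone.utc), wording)
    customer.consents.append(rec)
    return rec


def current_consent(customer: Customer, purpose: str) -> Optional[ConsentRecord]:
    """The most recent decision for a purpose (records are appended in order)."""
    matching = [c for c in customer.consents if c.purpose == purpose]
    return matching[-1] if matching else None


def survey_basis(customer: Customer) -> Optional[str]:
    """Basis for a transactional feedback request, or None if it must not be sent.
    No consent is collected for this purpose; an objection is simply honoured."""
    if customer.objected_to_surveys:
        return None
    return LEGITIMATE_INTERESTS


def publish_basis(customer: Customer) -> Optional[str]:
    """Basis for publishing a comment as a review, or None.
    This purpose lives on the consent basis only: if the customer has not
    opted in, or has refused, there is no fallback to legitimate interests."""
    rec = current_consent(customer, PUBLISH_REVIEW)
    return CONSENT if rec is not None and rec.given else None


def decision_record(customer: Customer, purpose: str,
                    now: Optional[datetime] = None) -> dict:
    """One line for the processing-decisions log the article says to keep:
    what was done, to whom, on what basis, and the evidence relied on."""
    basis = survey_basis(customer) if purpose == SEND_SURVEY else publish_basis(customer)
    evidence = current_consent(customer, purpose)
    return {
        "when": (now or datetime.now(timezone.utc)).isoformat(),
        "subject": customer.email,
        "purpose": purpose,
        "permitted": basis is not None,
        "basis": basis,
        "evidence": None if evidence is None else {
            "captured_at": evidence.when.isoformat(),
            "wording": evidence.wording,
            "given": evidence.given,
        },
    }


if __name__ == "__main__":
    # Constructed sample data, not real customers.
    alice = Customer("alice@example.invalid")
    record_consent(alice, PUBLISH_REVIEW, False,
                   "Tick here if we may show your comments on our website")
    print(decision_record(alice, SEND_SURVEY))      # permitted, legitimate interests
    print(decision_record(alice, PUBLISH_REVIEW))   # not permitted, refusal on record
```

The two purposes are deliberately kept on different bases: `survey_basis` never consults the consent history, and `publish_basis` never falls back to legitimate interests, which is the point the article makes about not being able to double back once you have relied on consent. Keeping the consent history append-only means a withdrawal does not erase the evidence of what was originally shown and agreed.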
Overall, our recommendation is to not bolt your feedback horse to your reviews wagon.
Reviews can be important for some businesses, but treat them as a separate process – it’s not a brilliant customer experience to be asked for a review before you’ve been asked if you’re happy. But if you really want to link them to your feedback process, now you know how to stay legal.
The final thing Article 5 of the GDPR has to say about data processing is that:
the controller shall be responsible for, and be able to demonstrate, compliance with the principles.
Meaning, it’s not enough to be just doing these things, you need to show that you’re doing them.
There is a get-out clause which frees up organisations employing fewer than 250 people from this obligation. But… the get-out doesn’t apply if:
the processing is not occasional, or the processing includes special categories of data
You should be asking for feedback regularly, meaning arguably your processing is “not occasional”. So, the get-out clause probably doesn’t apply in this case. You should keep records of all your data-processing decisions.
Data Breaches
The GDPR introduces a duty for you to report certain types of data breach – to both the authorities, and to the people affected by the breach.
Reporting to the authorities
Reporting is only required for breaches which will result in a “risk to people’s rights or freedoms”, and will result in,
“discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage”.
So, if you, or the business who helps you with your feedback accidentally deletes a database backup, that’s purely an internal matter.
However, if customers’ private email addresses are exposed, then that’s arguably risky, so you might need to notify the ICO. This is new territory (you didn’t have to notify under the Data Protection Act), so there’s very little precedent here.
Ultimately, the best decision you can make in this area, is to “expect the best, plan for the worst”. If you (and your data processor) have strong, multi-layered security, then a data breach is unlikely. If encryption is used, the impact of any breach will be minimised. And if you have great processes in place which will allow you to detect breaches, you won’t be caught sleeping if the worst happens.
Reporting to your customers
It’s worth noting, in the case of feedback forms, you almost certainly don’t need to notify your customers of a data breach. You only need to do this in the case of a “high risk to rights and freedoms”. It’s difficult to argue that feedback form data is high-risk, unless you’re processing sensitive data, for example if your business is in the health sector.
But, in keeping with the theme of transparency and trust we’ve touched upon a few times, you may want to plan to do this. It will look far worse if your customers discover the breach themselves, without you having notified them.
Will I be fined €20,000,000 if I get this wrong?
This figure of €20,000,000 has grabbed a lot of headlines, but the good news is… You are almost certainly not going to be subjected to this fine. This is the maximum fine for the absolute worst of offences. There’s a lower limit of €10,000,000 for most ‘standard’ offences, but you’re almost certainly not going to be hit with this either.
You’re reading this post. You’re going to follow its advice. You’re committed to doing the right thing. These fines are the ultimate last-resort punitive measures for the ‘bad guys’. The ICO has already said fines are a last resort; it will work with businesses to help them get things right.
Are there any other laws which apply here?
The UK, and most other EU states, have laws like PECR, which govern marketing communications to your customers.
If you’re doing the right thing and keeping your customer feedback separate from your marketing, in theory you’re not affected by the marketing aspects of PECR.
Just remember that when you do ask for feedback, be completely transparent that you’re doing so to make customers’ lives better, and you won’t be surprising them by adding them to your e-marketing lists if they reply.
No customer will ever think less of you for being trustworthy and transparent with them.
PECR is also under review by the EU, so whilst it doesn’t touch customer feedback right now, it may one day. We’ll keep you informed if it does!
GDPR isn’t a world apart from existing data protection regulation. If you’re currently compliant with the law, you’re on the path to GDPR compliance but there are some additional things you must do. If you’re not already compliant, you have bigger problems.
Here’s a checklist for what you need to do to stay legal. We’ve also made it available as a downloadable PDF.
If you feel you need support with step two, we can help you with that.
Good luck building a trusting and transparent relationship with your customers, and growing your bottom line from all the great feedback you receive as a result.
If you feel like we’ve missed anything, or you’d like to chat through any of the issues that this post raises, we’d love it if you got in touch.
EU Flag: Yanni Koutsomitis, https://www.flickr.com/photos/ykoutsomitis/6861702519/ Padlock: https://commons.wikimedia.org/wiki/File:Fxemoji_u1F513.svg Mozilla [CC BY 4.0 (http://creativecommons.org/licenses/by/4.0)], via Wikimedia Commons Emoji icons supplied by EmojiOne