If your company collects feedback data from European customers, employees or market research participants, you will need to change your approach to data management to ensure GDPR compliance. Here are four steps for your organization to take towards successful GDPR compliance.
1. Understand which data is governed by GDPR
All personal data, meaning any information that relates to an identified or identifiable natural person, is subject to the GDPR. Such data includes names, addresses, dates of birth, IP addresses, email addresses, gender identity, phone numbers, religious or political beliefs and more. Note that some of these (religious or political beliefs, health data, sexual orientation and similar) are "special categories" under Article 9, which may only be processed under narrower conditions, such as the data subject's explicit consent.
If you collect feedback from your customers, employees or research participants and that feedback can be linked to their identities, whether directly (a name or email address on the response) or indirectly (a respondent ID, an IP address or a combination of answers that singles someone out), the processing of that data must comply with the GDPR. Pseudonymised data still counts as personal data as long as the link back to the person can be re-established.
2. Know the difference between data subjects, controllers, processors and sub-processors
To ensure compliance, you also need to familiarize yourself with the GDPR lexicon. Four roles are involved in the processing of personal feedback data (three are defined in Article 4; the fourth is the "other processor" of Article 28):
- The Respondent: A data subject, as referred to in the GDPR, is the individual whose personal data is processed. In a survey, this is the person filling out the survey and giving you their feedback. To collect data from a data subject, a company needs a lawful basis under Article 6, such as the respondent's valid consent (freely given, specific, informed and unambiguous) or another basis such as a legitimate interest. Explicit consent is required when special-category data is collected.
- The Company: The GDPR’s controller is the company that determines the purposes and means of processing personal data (and often leverages the derived insight). For example, when a business collects data on its customers regarding the customer experience, the business is the controller. Under the purpose-limitation and data-minimisation principles of Article 5, controllers may only collect the data they need to pursue their defined purpose; they aren’t allowed to collect data that falls outside the scope of that purpose.
- The Solution Provider: A processor, per the GDPR, is a company that processes personal data on the controller’s behalf and on its documented instructions. For example, Questback is a processor for its thousands of customers that use Questback solutions for employee engagement, voice of the customer and market research. Processors must implement appropriate technical and organizational measures to ensure secure processing, and the relationship must be governed by a written contract (the Article 28 data processing agreement).
- The Solution Supplier: The GDPR’s requirements for processors also extend to entities that process personal data on behalf of another processor, such as a solution provider like Questback. These are commonly referred to as sub-processors. For example, Questback’s hosting provider, the sub-processor, delivers access to secure servers in its data centers to Questback, our customers and their respondents. A processor may engage a sub-processor only with the controller’s prior written authorization, and it must flow the same data-protection obligations down to the sub-processor by contract (Article 28(2) and 28(4)).
3. Draft internal policies and enact organizational measures to ensure compliance
GDPR compliance starts with implementing internal policies that govern how your company captures and stores customer-specific data. For example, you might tell employees not to send any customer information over your workplace messaging platform (e.g., Slack or Microsoft Teams) if you have not vetted that platform’s provider as a processor for GDPR compliance and do not want those messages to be exposed in a data breach. The onus is on the company (the controller) and on solution providers (the processors) to ensure that their partners are GDPR compliant.
Once you’ve determined which kinds of customer data you’re going to collect and how and where it will be stored and analyzed, it’s time to enact technical and organizational measures to ensure compliance:
- Technical measures are the safeguards Article 32 expects, such as encryption and pseudonymisation, access controls, logging, backups and the ability to restore access to data after an incident. In practice, this means selecting GDPR-compliant solutions that were built with high security and data protection standards in mind. (In case you’re wondering, Questback is GDPR compliant and has been preparing its solutions for the GDPR since 2015!)
- Organizational measures include defining explicit roles for managing data, thoroughly training your employees on the importance of the GDPR and how to comply with it, and documenting your company’s GDPR policies, among other things.
4. Be diligent—partner with GDPR-compliant providers (It’s a GDPR duty!)
Partnering with providers that have been preparing for the GDPR for several years will not only make compliance easier; the GDPR, in fact, imposes this duty on companies. Article 28 of the GDPR stipulates that a controller may use only processors that provide sufficient guarantees to implement appropriate technical and organizational measures, so that processing meets the GDPR’s requirements and protects the rights of the data subject. Thus, by partnering with compliant and forward-thinking solution providers, your organization can not only ensure compliance but also reduce risk and gain a few steps on your slower-moving competitors.
Questback, for example, has been focused on the GDPR since February 2015. The company’s data centers, located in Germany, already meet stringent European security requirements. To take data protection further, Questback is in the process of implementing Binding Corporate Rules, the Article 47 mechanism that allows personal data to be transferred lawfully within a corporate group across borders.
To comply with the GDPR, Questback’s software offers privacy by design and by default (Article 25), making it easy for companies to honor the right to erasure (the "right to be forgotten", Article 17) and their customers’ potential requests for data portability (Article 20). Aiding our thousands of customers in their transition to GDPR compliance, Questback’s Privacy Assistant enables customers to collect valid consent from respondents and provide the legally required notices easily and conveniently.
Whether customer experience feedback, employee engagement metrics or market research data, this type of insight is invaluable to organizations as they compete in today’s digital world. Ensuring your organization complies with the GDPR is no easy task. Questback is here to help make your transition as painless as possible.