Navigating Survey Compliance: A Practical Guide

Imagine meeting someone amazing. A real meet-cute situation: eyes lock across a crowded room, an instant connection, the whole shebang. They ask for your number, and you do the awkward, “I’ll text you so you have it” thing.

You’re hopeful. You’re energized. You knew it was worth coming out tonight. You’re mentally picking out your outfit for that date, thinking about which restaurant sounds best.

Then they say, “OK, great. I’ll send your number over to my friend as well. You know, just in case things don’t work out with us.”

Wait…what?

Too often, that’s what companies do with our data. Sometimes they share it deliberately, but often it’s done out of ignorance of what’s legally OK and what’s not.

This is specifically important when setting up and running surveys.

Every time you collect customer responses you risk violating data regulations, which could result in scary fines or damage to your brand. This isn’t just an issue for big businesses either. While those multi-million dollar fines are the ones that hit the headlines, small businesses must also comply with data regulations—or face fines that really do some damage.

So far, so stressful, right? But the good news is that this doesn’t have to be complicated. With just a little forethought, you can gather data while staying on the right side of regulations and keeping your customers’ trust.

Data compliance: Where do you start? 

Your business is subject to data privacy regulations as soon as it collects personal data, and a survey that asks for a name, an email address, or free-text answers does exactly that. Here are five simple steps to keep you compliant, using solutions like those offered by BetterFeedback.ai to ensure responsible data handling.

1. Know which frameworks and guidelines apply 

This can be confusing because there's a lot of overlap between the different regulations. As a general rule of thumb, though—when in doubt, do more. Here’s a quick breakdown of the regulations most likely to affect your survey data:

GDPR 

What it is

You’ve probably heard of this one, but just in case: The General Data Protection Regulation is a European Union regulation that protects the personal data and privacy of people in the EU and the wider European Economic Area (EEA).

What it specifies

  1. Companies must have a lawful basis for processing personal data. For surveys that usually means informed consent, which has to be freely given, specific and unambiguous.
  2. People have the right to access and correct their personal data, or to ask companies to delete it.
  3. Organizations must implement appropriate technical and organizational security measures to safeguard personal data, and must report personal data breaches to their supervisory authority, generally within 72 hours of becoming aware of them.

Who it applies to

GDPR is a European regulation, so it applies to you if your business is established in the EU/EEA, or if you offer goods or services to, or monitor the behaviour of, people who are in the EU/EEA. What matters is where the respondent is, not their citizenship: a survey sent to customers in Germany is in scope even if you’re based in the US.

What it means for your surveys

While the EU offers extensive resources for you to check your GDPR Compliance, here’s a handy checklist if you want an abbreviated version:

  • Check that you have a lawful basis for processing personal data.

(In terms of surveys, this usually means you have the person’s consent. Ask for it before gathering any personal data, and make it opt-in rather than opt-out: an unticked box the respondent has to tick, never a pre-ticked one they have to untick. The default must be collecting no personal data at all.)

  • Only collect personal data relevant and necessary for the specific purpose of your survey.
  • Explain to your respondents exactly how and why you’ll be using their personal data, and ensure you don’t accidentally use it in any other ways.
  • Store and process personal data securely.
  • Keep respondents’ personal data accurate and up to date.
  • Delete individuals’ personal data when you no longer need it.

Reminder: Following these steps is a good start, but there’s a bit more to it. We strongly recommend that you review the EU guidelines for more detail.

ISO 27001 (and 27701) 

What it is

ISO 27001 is the international standard for an information security management system (ISMS). An accredited certification body audits whether your company manages its information security risks systematically and issues a certificate if it does. GDPR compliance isn’t certified by a single authority in the same way, so if you want to show customers that you take data protection seriously, this is the certificate most of them will recognise.

There’s also ISO 27701, an extension of ISO 27001 that adds a privacy information management system (PIMS). Where ISO 27001 focuses on information security, 27701 is all about personal data and privacy.

What it specifies

To get ISO 27001 certification, you’ll need to prove you have:

  • Systematically examined your company’s information security risks (threats, vulnerabilities, and their impact)
  • Put together a comprehensive suite of information security controls to treat those risks
  • Put a management process in place so those controls keep being applied, reviewed, and improved over time

Who it applies to

This standard applies to anyone who wants to prove they follow rigorous data security standards.

What it means for your surveys

If you want to reassure respondents that their data is safe, accessible, and compliant with international data security standards, you might want to consider getting both ISO 27001 and 27701 certifications. BetterFeedback.ai prioritizes security with practices aligned to these certifications.

CCPA 

What it is

The CCPA is California’s answer to GDPR. It isn’t relevant to every company, but if there’s a chance you might survey anyone in California, you need to know about it.

What it specifies

The CCPA gives Californians:

  • The right to know what personal information companies collect about them and what happens to it
  • The right to delete that information
  • The right to opt out of the sale or sharing of their personal information
  • The right to correct inaccurate information
  • The right to limit the use and disclosure of their sensitive personal information (for example, health data or precise location)
  • The right not to be discriminated against for exercising any of these rights

Who it applies to

Unlike GDPR, which applies to all companies that work with data from the EU, regardless of where they’re based, the CCPA only applies to for-profit businesses that do business in California and meet one or more of the following thresholds:

  • Have gross annual revenue of over $25 million
  • Buy, sell, or share the personal information of 100,000 or more California consumers or households
  • Derive 50% or more of their annual revenue from selling or sharing California consumers’ personal information

What it means for your surveys

The thresholds are alternatives, so you’re only outside the CCPA if you miss all three: a small survey programme doesn’t help if your revenue is over $25 million. Even if you are out of scope, we’d urge you to err on the side of caution by making sure that you:

  • Treat every respondent as opted out of sale or sharing by default, and never sell or share survey data unless they’ve explicitly opted in
  • Tell your survey respondents why and how you’re collecting their data
  • Store that data securely and delete it promptly after you analyze it

HIPAA

What it is

HIPAA (the Health Insurance Portability and Accountability Act) is the US federal law that governs how protected health information (PHI) is used, disclosed, and secured.

What it specifies

HIPAA is pretty complex, but its main rules are fairly straightforward:

  1. The Privacy Rule: Covered entities must keep protected health information private and allow people to access it and request corrections.
  2. The Security Rule: Organizations that store or transmit PHI electronically must put appropriate administrative, physical, and technical safeguards in place.
  3. The Breach Notification Rule: If PHI is hacked, lost, or stolen, you must notify the people affected and the Secretary of Health and Human Services without unreasonable delay (and no later than 60 days after discovering the breach), and notify the media as well if the breach affects more than 500 residents of a state or jurisdiction.

Who it applies to

HIPAA applies to “covered entities” (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically) and to their “business associates” (contractors and vendors that create, receive, store, or transmit PHI on a covered entity’s behalf). There’s a handy tool on the Centers for Medicare & Medicaid Services website to help you understand whether your business is a covered entity that must comply with HIPAA.

Note that HIPAA’s scope is defined by who you are, not by the patient’s nationality. Asking a health question on a survey doesn’t by itself put you under HIPAA if you aren’t a covered entity or a business associate (though state privacy laws and the CCPA’s rules on sensitive personal information may still apply). Conversely, if you are one, HIPAA covers the PHI you handle regardless of whether the patient is a US citizen.

What it means for your surveys

If you ask for medical information, tread carefully. If you’re a covered entity or business associate, only collect PHI through a survey vendor that has signed a business associate agreement (BAA) with you, and de-identify the data before analysis wherever you can. Consider where you analyze your survey data, who has access, and how to protect confidential information. Services like BetterFeedback.ai are designed to help you manage sensitive data appropriately.

If this is all feeling a little overwhelming, you’re not alone. According to the 2023 IT Benchmark Report from compliance software firm Hyperproof, 51% of compliance professionals say they struggle to identify their company’s critical risks. The compliance issues affecting your company depend on your location, industry, and how you want to handle data.

TL;DR? Ask for permission, don’t ask for more data than you need, and seek professional compliance advice if you’re in any doubt whatsoever.

2. Centralize all of your data privacy policies 

So, you’ve considered the regulations that might affect your survey data. However, handling data correctly isn’t enough—you’ll also need to communicate your policies clearly.

A word of caution: Avoid scattering different disclaimers around your website. It’s way too hard to keep track of them all. Instead, publish a centralized privacy policy you can easily maintain and update as data regulations change.

We recommend creating an easy-to-navigate, central policy hub that communicates all of your data security and privacy policies to your users and customers, as you can do with BetterFeedback.ai.

Quick tip: Avoid using legal jargon in your privacy policy. Keep it simple so you don’t frustrate customers or employees. Then, offer a legal version if needed.

3. Be transparent 

It’s a lose-lose situation if you’re secretive about how you use survey data. The common sense rule? Don’t do anything with data that you’d be embarrassed to tell other people. We all understand that companies need user data to run their businesses—we just don’t like feeling exploited.

Be upfront with your customers and survey respondents. At a minimum, you must let them know:

  1. How you’re going to store their data so it’s secure
  2. Exactly what you’re going to do with their answers
  3. How they can modify or delete their data

4. Less is more 

Collect the minimum amount of data you need for your surveys. If in doubt, leave it out! Do you really need their addresses? Do you even need their last names? Don’t collect data because it might be useful later. Only collect the information you need to answer the business questions you’re tackling with each specific survey.
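To make step 1’s GDPR checklist and step 4 concrete, here is an added example in Python of a small survey store that enforces those rules in code rather than only in a policy document. It is not BetterFeedback.ai’s code and not from the original post; the survey name, field list, secret, and answers are constructed for illustration. Consent defaults to off and a response carrying a personal field without it is refused; each survey registers only the fields its stated purpose needs and anything else is rejected; respondents are keyed by an HMAC of their email rather than the email itself; and access, erasure, and retention-based deletion are ordinary operations on the store.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class SurveyPolicy:
    survey_id: str
    purpose: str                # the purpose stated to the respondent
    allowed_fields: frozenset   # data minimisation: anything else is rejected
    personal_fields: frozenset  # subset that needs opt-in consent
    retention_days: int         # responses older than this are deleted

@dataclass
class StoredResponse:
    respondent_key: Optional[str]  # keyed-hash pseudonym, or None if anonymous
    survey_id: str
    answers: dict
    received_at: datetime

class SurveyStore:  # in-memory stand-in for a survey database (hypothetical)
    def __init__(self, pseudonym_secret: bytes):
        self._secret = pseudonym_secret  # keep outside the response database
        self._policies, self._responses = {}, []

    def register(self, policy: SurveyPolicy) -> None:
        self._policies[policy.survey_id] = policy

    def pseudonym(self, email: str) -> str:
        # HMAC, not a plain hash: the key can't be rebuilt from a guessed email
        # without the secret, yet the same respondent always gets the same key.
        return hmac.new(self._secret, email.strip().lower().encode(),
                        hashlib.sha256).hexdigest()

    def submit(self, survey_id: str, answers: dict, email: Optional[str] = None,
               consent: bool = False, now: Optional[datetime] = None) -> Optional[str]:
        """Store a response. consent defaults to False: opt-in, never opt-out."""
        policy = self._policies[survey_id]
        unexpected = set(answers) - policy.allowed_fields
        if unexpected:  # collect only what the stated purpose needs
            raise ValueError(f"not needed for '{policy.purpose}': {sorted(unexpected)}")
        if not consent and set(answers) & policy.personal_fields:
            raise PermissionError("personal fields need opt-in consent")  # default: none
        if consent and not email:
            raise ValueError("consent recorded but no respondent identity")
        key = self.pseudonym(email) if consent else None  # raw email is never stored
        self._responses.append(StoredResponse(
            key, survey_id, dict(answers), now or datetime.now(timezone.utc)))
        return key

    def export(self, email: str) -> list:
        """Right of access: everything held under this respondent's pseudonym."""
        key = self.pseudonym(email)
        return [dict(r.answers) for r in self._responses if r.respondent_key == key]

    def erase(self, email: str) -> int:
        """Right to erasure: delete every response linked to this respondent."""
        key, before = self.pseudonym(email), len(self._responses)
        self._responses = [r for r in self._responses if r.respondent_key != key]
        return before - len(self._responses)

    def purge_expired(self, now: Optional[datetime] = None) -> int:
        """Retention: delete responses older than their survey's retention period."""
        now = now or datetime.now(timezone.utc)
        keep = [r for r in self._responses if now - r.received_at
                < timedelta(days=self._policies[r.survey_id].retention_days)]
        removed = len(self._responses) - len(keep)
        self._responses = keep
        return removed

def demo() -> dict:
    """Constructed walk-through; returns counts so each control can be checked."""
    store = SurveyStore(pseudonym_secret=b"example-only-secret")  # constructed secret
    store.register(SurveyPolicy(
        survey_id="checkout-nps", purpose="measure satisfaction with checkout",
        allowed_fields=frozenset({"score", "comment"}),  # no name, address, surname
        personal_fields=frozenset({"comment"}),          # free text can identify people
        retention_days=90))
    t0 = datetime(2024, 1, 15, tzinfo=timezone.utc)
    out = {"rejected_no_consent": 0, "rejected_minimisation": 0}
    # Consented respondent: stored under a pseudonym, never under the raw email.
    store.submit("checkout-nps", {"score": 9, "comment": "Fast, thanks"},
                 email="Ann@Example.com", consent=True, now=t0)
    store.submit("checkout-nps", {"score": 4}, now=t0)  # anonymous: nothing personal
    try:  # a personal field without consent is refused, not silently stored
        store.submit("checkout-nps", {"score": 2, "comment": "Call me on 555-0100"}, now=t0)
    except PermissionError:
        out["rejected_no_consent"] += 1
    try:  # a field the purpose doesn't need is refused even with consent
        store.submit("checkout-nps", {"score": 7, "postcode": "SW1A 1AA"},
                     email="bob@example.com", consent=True, now=t0)
    except ValueError:
        out["rejected_minimisation"] += 1
    out["access_records"] = len(store.export(" ann@example.com "))  # normalised lookup
    out["erased"] = store.erase("ann@example.com")
    out["purged"] = store.purge_expired(now=t0 + timedelta(days=91))
    return out
```

Two caveats a practitioner should keep in mind. The HMAC key is pseudonymisation, not anonymisation: under GDPR, pseudonymised records are still personal data, and anyone holding the secret can re-link them, so keep the secret out of the response database and treat rotating it as a deliberate migration (a new secret changes every key, which breaks access and erasure lookups for records stored under the old one). And free-text fields are treated as personal here on purpose: respondents put names, phone numbers, and health details into comment boxes whether you ask for them or not.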

5. Get legal help 

As you might have noticed, compliance is a little tricky, and getting it wrong can be expensive and damaging. If you regularly send out surveys and work with customer data, consider hiring a compliance consultant or creating an in-house compliance function. Regulatory frameworks change quickly, and new standards arise all the time. Investing in compliance expertise is a great way to prevent painful mistakes down the road.

Data compliance is part of the customer experience 

Today’s customers have come to demand an outstanding experience—and that includes treating their confidential information with the utmost respect. Nothing will ruin the trust you’ve built with your customers faster than being careless with their data.

That’s why we’ve built BetterFeedback.ai with security and compliance in mind, so you can use our surveys to collect healthcare data, financial transactions, and everything in between while keeping your customers’ data safe.

By implementing these strategies with BetterFeedback.ai, you not only protect your business but also foster trust and credibility with your audience. After all, in the realm of data, compliance isn't merely a legal necessity; it's a cornerstone of customer experience and lasting business success.