Doing the right thing with data is the bedrock of SurveyGizmo
Protecting personal data has become more important now than ever before.
With massively destructive data breaches hitting companies and even governments on a seemingly regular basis, sophisticated uses of personal data, and our on-demand data-driven way of life -- the ability to process data and keep it private is critical.
This article shares our initial work toward achieving GDPR compliance as of today.
Many of the features within SurveyGizmo can be used to help ensure your own GDPR compliance -- a few of which are highlighted below.
If you ever have any concerns or questions in regard to our use of your data, please don’t hesitate to contact me personally: [firstname.lastname@example.org]
GDPR: What SurveyGizmo is Doing to Prepare
Here at SurveyGizmo, privacy is and will remain a top priority company-wide.
I have been working closely with each department and the executive team to ensure we are not only going to be ready for the May 25 deadline but that we exceed GDPR compliance expectations for years to come.
There are a variety of fundamental GDPR efforts currently taking place here at SurveyGizmo to build the GDPR framework. Below we go into detail about what these efforts entail.
A standard Data Processing Addendum will be available.
To ensure SurveyGizmo is responsibly processing data, our customers will have 24/7/365 access to a standard Data Processing Addendum (DPA) as it becomes available. It can be accessed through our main website, www.surveygizmo.com.
A DPA is a contractual agreement between you and SurveyGizmo -- the subprocessor -- to ensure we are handling and processing your data as directed by you at all times.
All Employees will receive GDPR training.
Company-wide GDPR training will take place before the May 25 deadline, ensuring all Gizmos are familiar with the regulation and our ongoing commitment to protecting data.
A GDPR resource webpage will be available.
We will host a permanent webpage on our main website, www.surveygizmo.com, that will be packed to the brim with current GDPR happenings here at SurveyGizmo, free resources to help you achieve and maintain GDPR compliance, and more.
SurveyGizmo will have a local GDPR representative.
According to GDPR, companies are required to have local representation within the EU. Our local representative will soon be named and will register with the UK ICO.
Our EU Data Center is in Germany.
Our data center in Germany signifies our invested partnership with our European-based clients, and allows us to keep EU data within the EU, eliminating many risks associated with transcontinental data transfers.
Personal data is treated differently by different countries. Having an EU Data Center in Germany ensures that customers who use our www.surveygizmo.eu server will not have their respondent data transferred to the U.S. without their approval.
When we decided to implement an EU location for SurveyGizmo, we wanted a location that took data privacy as seriously as we do. And with some of the strictest data privacy laws in all of the EU, Germany was quickly decided to be the home of our EU Data Center.
We do not reuse, sell, or otherwise share respondent data.
All information collected in surveys belongs solely to the customer, not SurveyGizmo. Under no circumstances do we reuse, sell, or otherwise share respondent data.
SurveyGizmo Product Features that can be Used for GDPR Compliance
Customers can use our platform to help them comply with GDPR requirements.
Thanks to our advanced privacy notice and opt-in consent process, account administrators can easily include all necessary consents within the surveys.
In the event that a customer of SurveyGizmo needs to retrieve the respondents’ consent, this is easily done via the platform through the account administrator.
Survey Consent Opt-In
Permanently delete responses.
Only Account Administrators have the ability to permanently delete data.
Permanently Deleting individual responses is a multi-step process. Before you proceed, it is important to note the differences between Deletion and Permanent Deletion.
- Deletion. When a response is deleted, it is placed in a Deleted view (similar to your computer's trash bin). At this point, the response is not permanently deleted and can be restored.
- Permanent Deletion. Once a response has been deleted, it is placed in the Deleted view. From the Deleted view, the response can then be permanently deleted. Once permanently deleted, a response cannot be recovered - this process is irreversible.
Deleting responses permanently will:
- Delete the supplied responses
- Delete files associated with these responses
- Delete all other data associated with these responses
Important! There is NO recovery method. Once permanently deleted, SurveyGizmo Support will NOT be able to help you restore these responses or associated data.
We recommend that you contact the survey creator or owner of the survey before doing this.
In order to confirm the permanent deletion, you will be asked to enter your SurveyGizmo password (the same password that you log in with).
Permanently delete surveys.
Deleting a survey is a multi-step process. When initially deleted, surveys are placed in the trash (similar to your computer's trash/recycle bin). The surveys can then be permanently deleted from within the trash.
Permanently deleting a survey will permanently delete the following associated items:
- The survey itself
- All responses collected on the survey
- All reports that have been created for the survey (any scheduled reports will no longer be sent)
- All associated files
- All other data associated with the survey
Important! There is NO recovery method. The SurveyGizmo Support team will NOT be able to help you restore the survey or data.
We recommend that you contact the survey creator or owner of the survey before doing this.
Visit the Permanently Delete Surveys documentation for Individual Response permanent deletion steps.
Track respondent email unsubscribe requests.
You can track respondent email unsubscribe requests and import them into other systems to help ensure you’re in compliance with the various applicable regulations.
An unsubscribed contact will not receive further invites from any campaign or surveys in the account. This is true regardless of how the contact was added to a given campaign (e.g. uploaded to the campaign itself versus imported from email lists.)
To unsubscribe a contact within SurveyGizmo, go to the Contacts page of your email campaign, search for contact’s email address and click to edit. On the Contact Info tab change the Subscription status.
Customers can exercise all or any of their individual rights under GDPR.
As a SurveyGizmo customer, you can request any or all of their GDPR individual rights on your data through multiple systems and processes -- via phone, email, or through our main website.
Survey responses can be anonymized.
Survey responses can be anonymized to ensure that submitted information is not connected to a natural person.
To set up a survey with anonymous responses:
- Go to Tools > Response Settings.
- Check the Anonymous Response Options.
Note: The Anonymous Responses setting is locked once your survey records at least one response. This means that if you set your survey to be anonymous and collect any data, you will not be able to disable the anonymous setting.
GDPR Terminology Definitions
For more information on any of these terms or any other official documentation regarding GDPR, visit the website of the Information Commissioner’s Office (ICO): https://ico.org.uk.
The terms provided below are as defined by the ICO.
Under GDPR, consent means offering individuals real choice and control that must be freely given; this means giving people genuine, ongoing choice and control over how businesses use individual's data.
Genuine consent should put individuals in charge and build trust and engagement. This requires a positive opt-in, prohibiting the use of pre-ticked boxes and any other method of default consent.
Under GDPR, individuals are granted the following rights:
The right to be informed. Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under GDPR.
- The right of access. Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.
- The right to rectification. Individuals have the right to have inaccurate personal data rectified, or completed if it is incomplete. An individual can make a request for rectification verbally or in writing. Organizations have one calendar month to respond to a request.
- The right to erasure. Individuals have the right to have personal data erased. This right is also known as “the right to be forgotten.” Individuals can make a request for erasure verbally or in writing. Organizations have one calendar month to respond to a request. This right is not absolute and only applies in certain circumstances.
- The right to restrict processing. Individuals have the right to request the restriction or suppression of their personal data. When processing is restricted, organizations are permitting to store the personal data, but not use it. Organizations have one calendar month to respond to a request. This right is not absolute and only applies in certain circumstances.
- The right to data portability. Individuals can obtain and reuse their personal data for their own purposes across different services. This right allows individuals to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. This right enables consumers to take advantage of applications and services which can use this data to find them a better deal or help them understand their spending habits.
- The right to object. Individuals have the right to object to: (1) Data processing based on legitimate interested or the performance of a task in the public interest/exercise of official authority (including profiling); (2) Direct marketing (including profiling);and (3) Data processing for purpose of scientific/historical research and statistics.
- Rights in relation to automated decision and profiling. This right protects individuals if organizations are carrying out solely automated decision-making that has legal or similarly significant effects on them.
Personal data is any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
Automated individual decision-making
Automated individual decision-making is making a decision solely by automated means without any human involvement.
Profiling is the automated processing of personal data to evaluate certain things about an individual.
A data controller is a person who (either alone or jointly or in common with other persons) determine the purposes for which and the manner in which any personal data are, or are to be processed.
In relation to personal data, a data processor is any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
A subprocessor can be engaged by the processor. A subprocessor can process personal data on behalf of the data exporter and is often a third-party.
Processing, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:
- Organization, adaptation or alteration of the information or data,
- Retrieval, consultation or use of the information or data,
- Disclosure of the information or data by transmission, dissemination or otherwise making available, or Alignment, combination, blocking, erasure or destruction of the information or data.
Matt Wheeler is the Security and Compliance Manager at SurveyGizmo. At SurveyGizmo, he is leading the company’s GDPR readiness and compliance alongside leadership and Counsel. Matt is a Certified Information Systems Security Professional (CISSP) with over a decade of experience in enterprise assessment, risk management, and technical compliance. He’s worked in a variety of industries and sectors including computer and network security, financial services, government, and insurance. He has a bachelor’s degree in Computer Science from Illinois College.
You can reach Matt by email at email@example.com.