GDPR in a nutshell

In this article, we explain what GDPR is in a nutshell and how you can exercise your rights, and we hope to help you make sense of the parts of it that relate to sending feedback surveys to your customers.

First things first, what is GDPR?

The GDPR is a European Union Regulation – effectively, a law applicable across the European Union. It replaces the Data Protection Directive, drawn up in 1995, when dinosaurs like AOL and MSN still stalked the internet.

To sum up GDPR:

  • Standardises data protection legislation across the EU.
  • No more incompatible parliamentary data acts across the European Union. There will now only be one data protection regulation that will govern across the EU.
  • Upgrades the rights individuals have to control their own data.
  • Clarifies and improves the rules around transferring data out of the EU.

So, how does it relate to you sending feedback?

If we want to look at how GDPR affects feedback surveys, we have to be clear about what feedback surveys are, and are not. Candidate and employee feedback is a vital element of any well-run, first-class business: in order to deliver a first-rate candidate or employee experience, we have to know what they are thinking and feeling. Gathering feedback is as much a part of business as trading or sending invoices and purchase orders, and it is different from market research.

What is market research and why is it different from feedback?

The definition of market research by the British Library is ‘Give businesses like yours the luxury of making insight-driven, informed decisions to create a profitable marketing strategy. For those heading into untapped markets or diversifying into a completely new sector, market research helps to mitigate business risks by finding out exactly what your customers want.’

Market research uses the data to benefit your marketing strategy, for example, to call or email your customers insightfully.

The crucial difference is: with feedback you’re going to use the data to give your candidates or employees an opportunity to tell you about their experience of your organization and whether you’re doing a good job or not. The feedback is used to their benefit, to help improve their happiness and not to benefit the company's marketing strategy. If you receive negative feedback you’re going to be able to act or fix any problems, not compile it in a spreadsheet to help strategize.

It is important to recognise that market research and feedback research are not the same thing and you will have different obligations when it comes to GDPR.

Here are the three main roles for feedback research in the light of GDPR:

  • Data Subject - This is the subject of the stored contact details/data. In the case of candidate or employee feedback, this is the person who receives a survey, the respondent.
  • Controller - The organisation interested in the feedback and responsible for collecting it. This organization decides how the data is processed.
  • Processor - The party that processes the data on behalf of the controller, in our case, Starred.

What are the basics I must know if I am a customer using Starred to collect feedback since May 2018?

There are five main points to consider when ensuring your feedback research is in line with GDPR:

  1. Are you dealing with sensitive data? This can be anything from racial, ethnic, or political data to health and sexual orientation. Candidate or employee feedback usually processes data that is not regarded as sensitive.
  2. Make sure your feedback is candidate or employee-centric. Make sure you are asking the right questions at the right time and following up on them. It needs to be about improving for them.
  3. Add a Privacy Statement. Be concise, transparent, accessible, and mention that you ask for feedback.
  4. Processors. Make sure all data processors are GDPR compliant.
  5. Lawful Processing. If you’re dealing with sensitive data you need to get explicit consent to ask for feedback.

Does Starred comply with GDPR?

The GDPR affords more security, transparency, and control over all our personal data online. Here at Starred, we handle privacy and the processing of personal data with the utmost care. Here's what we're doing to comply with the regulation:

  • We updated our Terms & Conditions and Data Processing Agreement; they're now dated May 25, 2018.
  • We have up-to-date, detailed security documentation about the organizational and technical measures Starred has taken to secure personal data, and we're ISO 27001 certified.
  • We allow you to make your privacy statement accessible when your survey is shown to your respondents. This way you can be clear about the purpose of the survey and the information that is being processed. You can set the data retention period in Starred, just like you promise in your privacy statement. And, finally, in case an individual wants his/her data to be removed from Starred, you can simply execute their "right to be forgotten".
  • We reviewed our ‘sub-processors’, like AWS, to make sure they are all GDPR-compliant and that Data Protection Agreements and/or Standard Contractual Clauses are in place.
  • Finally, we’ve appointed a Data Protection Officer at Starred, who will look after privacy internally and work by the principle of “privacy by design.”

What are the basics I need to know if I am a respondent of a Starred feedback survey?

  1. Right to be forgotten. You can either ask the controller, in our case the company that sent you a feedback survey, to delete your information, or you can send a request to the processor (Starred) and we will inform the company that sent you a survey to delete you and your information. It is important to note that as a processor, Starred is not allowed to delete your data directly.
  2. What information do you have on me? If you have received a feedback survey from Starred and would like to access your data, you can request this from the company that sent the feedback survey to you. Again, as a processor, Starred is not allowed to give access to your data directly. To view data, a request has to be sent to the controller of the data, that is, the company that uses Starred to collect feedback.
  3. Customer privacy statement. When receiving a feedback survey through Starred you will be able to see the customer privacy statement of the company that sent you the survey. This will also state the reason why you are being contacted for feedback.
  4. Data Breach. In the unlikely event that there is a data security incident, it is the responsibility of the company that sent you the feedback survey to inform you that this has happened.

In case you have any questions regarding the GDPR related to Starred, don’t hesitate to contact us through [email protected].