Unless you have been hiding under a rock you have probably heard of a major new piece of legislation, GDPR which landed on our doorstep on the 25th May 2018. Speaking to many clients & friends there has been such a mixed bag of information on the net which has lead to many headaches, tears and an awful lot of confusion. In this article we will be addressing what GDPR is in a nutshell and how you can exercise your rights and hopefully help you make sense of the parts of it that relate to sending feedback forms to your customers.
The GDPR is a European Union Regulation – effectively, a law applicable across the European Union. It replaces the Data Protection Directive, drawn up when dinosaurs like AOL and MSN still stalked the internet in 1995.
DPD began life in 1970’s it was later implemented in the UK in 1998 through the Data Protection Act. The way personal information was shared in the 90’s compared to today’s tech savvy world was unimaginable. GDPR is an updated version to DPD to match with our technically advanced lives today, helping to protect our rights to privacy. The good news is because you’re already compliant with DPA you already have a head start :-)
- Standardises data protection legislation across the EU.
- No more incompatible parliamentary data acts across the European Union. There will now only be one data protection regulation that will govern across the EU.
- Upgrades the rights individuals have to control their own data.
- Clarifies and improves the rules around transferring data out of the EU.
If we want to look at how GDPR affects feedback surveys, we have to be clear about what feedback surveys are, and are not. Customer feedback is a vital element of any well run first-class business, in order to deliver a first-rate customer service we have to know what our customers are thinking and feeling. Gathering feedback is as much a part of business as trading, sending invoices and purchase orders. Which is different to market research.
The definition of market research by the British Library is ‘Give businesses like yours the luxury of making insight-driven, informed decisions to create a profitable marketing strategy. For those heading into untapped markets or diversifying into a completely new sector, market research helps to mitigate business risks by finding out exactly what your customers want.’
Market research is going to use the data to help benefit your marketing strategy, for example, to call or email your customers insightfully.
The crucial difference is: with customer feedback you’re going to use the data to give your customer an opportunity to tell you their experience of your service and if you’re doing a good job or not. The feedback is used to benefit the customer, to help improve their happiness and not to benefit the companies marketing strategy. If you receive negative feedback you’re going to be able to act or fix any problems, not compile it in a spreadsheet to help strategise.
It is important to recognise that market research & feedback research are not the same thing and you will have different obligations when it comes to GDPR.
- Data Subject - Is the subject of the stored contact details/data. In the case of customer feedback, this is the person who receives a survey, the respondent.
- Controller - Is the organisation interested in the feedback and responsible for the collection of the feedback. This organisation decides on how the data is processed.
- Processor - The party that processes the data on behalf of the controller, in our case: Starred
What are the basics I must know if I am a customer using Starred to collect feedback from May 2018?
- Are you dealing with sensitive data? This can be anything from racial, ethnic, political to health and sexual activity. If you do use sensitive data, there must be a legitimate reason why, and make sure that there is a purpose to having sensitive data in your feedback form.
- Make sure your feedback is customer-centric. Make sure you are asking the right questions at the right time and following up on them.
- Add a Privacy Statement. Be concise, transparent, accessible and mention that you ask for feedback.
- Processors. Make sure all processors are GDPR compliant.
- Lawful Processing. If you’re dealing with sensitive data you need to get explicit consent to ask for feedback.
The GDPR affords more security, transparency and control over all our personal data online. Here at Starred, we handle the processing of personal- and privacy-sensitive data with the utmost care. Here's what we're doing around the new regulation:
- We reviewed our Terms & Conditions and Data Processing Agreement, replacing old law with the new GDPR, including the correct references.
- We have updated the Starred security documentation in more detail about the organisational and technical measures Starred has taken to secure personal data.
- We allow you to make your privacy statement accessible when your Starred survey is shown to your respondent. This way you can be clear about the purpose of the survey and the information that is being processed.
- We reviewed our ‘sub-processors’, like AWS, to make sure they are GDPR-compliant.
Finally, we’ve appointed a Data Protection Officer at Starred, who will look after privacy internally and works by the principle of “privacy by design.”
- Right to be forgotten. You can either ask the controller, in our case the company that sent you a feedback survey to delete your information or you can send a request to the processor in this instance Starred and we will inform the company that sent you a survey to delete you and your information. It is important to note that as a processor, Starred is not allowed to delete your data directly.
- What information do you have on me? If you have received a feedback form from Starred and would like to access your data, you can request this from the company who sent the feedback form to you. Again as a processor, Starred is not allowed to delete your data directly. To view data, a request has to be sent to the controller of the data. That is, the company that uses Starred to collect feedback from their customers, you. Therefore, the alternative option is to authorise Starred to share your request with the company that sent you the feedback form. This company will then need to share your data. To make a request for Starred to directly reach out to the company that sent you the feedback form, who can then give authorisation to action a request to share your information or delete this information.
- Customer privacy statement. When receiving a feedback form through Starred you will be able to see the customer privacy statement of the company that sent you the form. This will also state the reason why you are being contacted for feedback.
- Data Breach. In the unlikely event that there is a data breach, it is the company that sent you the feedback form to you, responsibility to inform you that this has happened.
In case you have any questions regarding the GDPR related to Starred, don’t hesitate to contact us through firstname.lastname@example.org.