It’s all too easy to create a survey, collect responses, produce reports, and then move on to the next survey. But under the General Data Protection Regulation (GDPR), there’s a spotlight on how long personal data can be kept for.
GDPR and personal data
The GDPR mandates that data should be deleted or anonymized once it is no longer needed for the purpose for which it was collected. This means that when you complete a research project, you should assess how long you need to keep the personal data relating to it, and anonymize or delete that data at the end of that period.
GDPR compliant data retention considerations
To help you comply with the GDPR rules when you are undertaking a survey project, we’ve outlined these data retention considerations:
Review the data you’re currently storing
Take a look at all the personal data that you are currently storing as part of your survey responses; consider whether you still need this data, and whether you can provide a justification for continuing to store it. You also need to check that you have an appropriate lawful basis to continue storing and processing personal data.
Data retention and destruction policy
If your organization doesn’t already have a clear policy for retaining and deleting personal data, then you need to set one up. Set up procedures for staff to follow when collecting, processing and deleting personal data, and create a schedule for retention and destruction.
Ensure you are entitled to process the data
You must have a documented, lawful basis for processing identifiable personal data, which often means you need an individual’s consent to collect and process it.
Tell respondents how long you will store their personal data for
Ensure that your privacy notice contains information regarding data retention and make your privacy notice available at the start of your survey, either in the email invitation or on the first page. This should inform respondents of the purpose of collecting their personal data, how it will be used and how long it will be kept for. Find out about including a privacy notice and a consent question at the beginning of a survey here.
By anonymizing your survey response data you can retain it for a longer period of time. There are a number of ways to anonymize your survey data, including running a fully anonymous survey where you don’t collect any personally identifiable data, or removing identifiers after data collection. Learn about anonymous surveys here.
Deleting personal data
The most important thing to remember is to delete any personal data you are storing when you no longer need it, and by the date that you have specified to respondents.
It is up to the data controller to maintain, review and delete any personal data you have collected. If you are using Snap and Snap WebHost, find out how to delete data from Snap using this worksheet: Deleting old survey data.
You can find out more about Snap Surveys and GDPR here.