Philipp Reinking

A Guide To Surveys and GDPR

This guide gives you quick five-step guidance on how to create an effective but GDPR-compliant survey. These are the minimum steps you should take to comply with the European General Data Protection Regulation.

Want a quick summary? Jump to the TL;DR.

Identify the personal data you are going to process

If you are creating surveys, the chances are high that you are collecting personal data. We define any information as "personal" that you can later link back to a single person.

Simple, right?

But let me explain the core problem here, which survey creators often overlook. If I ask a bunch of people what their favorite color is, some may answer red, green, or blue. This bit of information is nothing I can link back to a single person because there are probably a million people who favor a specific color. So it is not personal data.

If I ask the same bunch of people for their email address, it is, of course, a personal piece of information because it is unique to the person. In this example, the email address is personal data.

Here comes the part we miss so often. As soon as you ask both questions in combination, the person's favorite color likewise becomes personal information. Why? Because in surveys, we collect datasets, and we can link any information in a dataset to the email address we received with it.

So, when creating a survey, the first thing you should do is find out whether you are going to ask for anything unique to a person. That may be an email address, a name, phone numbers, or bank details. We should also watch for information that is added to the survey's dataset passively, such as the IP address or data passed through URL parameters (perhaps an ID linked to a person).

If you're doing this, everything in your survey (and in the same dataset) is personal data.

If not, you may stop reading this guide because everything below does not apply to anonymous surveys.

Minimize the data

You might think, the more data you get, the better. Because ultimately, the marketing game is about knowing your customers as well as you can, so you can sell your products more effectively.

And yes, we should know our customers as well as we can, but particularly in the areas that are important to our business. The GDPR itself states:

"The personal data should be adequate, relevant, and limited to what is necessary for the purposes for which they are processed." - Principles of Data Processing

The key phrase here is "limited to what is necessary for the purposes". Start by thinking about what you're going to do with the data. If you know the goal, it should be easier to cut the things you don't need.

Inform the user about how you will use personal data

By now, you should know what data you're going to collect from your potential participants. But before collecting anything personal, you should inform your users about the purpose of this data collection and obtain freely given consent for this specific purpose.

And I know, this sounds a lot like regulatory stuff invented by some data privacy lawyers, but it doesn't mean it must look like it.

In good marketing, being transparent and honest generates trust between you and your users. Stating the purpose of the data processing should be an elemental part of every survey. It not only gives your users security and control over their data, but it also gives you safety under the GDPR.

What's cool about the GDPR is that it doesn't force us into a specific form of language that has to sound formal. You can compose a user consent however you like. However, it's essential that you transparently define the purpose of the data processing and that your users can understand the consent they give.

To get an idea of how to design a consent, head over to our consent generator.

GDPR Consent Generator
With this generator, you can quickly create the required consent texts if your user submits personal data via a contact form, survey, or any other way.

Ensure security measures

If you're collecting personal data through a survey, you become responsible for this data. What does that mean? It means that only the people who need to access the data should be able to access it. Nobody else is allowed to do so; thus, you are responsible for implementing security measures that guarantee this.

Some of these measures include pseudonymization and encryption of data. Other steps are organizational, such as deciding which of your employees can access collected data.
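One way to apply pseudonymization to the email-plus-favorite-color dataset from the first step, shown as an added example that is not BotReach code. The field names, the sample rows, and the choice of a keyed HMAC as the pseudonym are assumptions.

```python
import hashlib
import hmac
import secrets

# Direct identifiers named in this guide; the field names are assumptions.
DIRECT_IDENTIFIERS = {"email", "name", "phone", "bank_details", "ip_address", "url_id"}

# Constructed sample rows: rows 1 and 2 come from the same respondent.
SAMPLE_ROWS = [
    {"email": "alice@example.com", "ip_address": "203.0.113.7", "favorite_color": "red"},
    {"email": "Alice@Example.com ", "ip_address": "203.0.113.9", "favorite_color": "blue"},
    {"email": "bob@example.com", "ip_address": "198.51.100.4", "favorite_color": "red"},
]


def pseudonym(email: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym. Without the key, nobody can recompute
    it by hashing a list of guessed email addresses."""
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def pseudonymize(rows, key):
    """Split raw rows into (answers, lookup).

    answers: what analysts work with; holds only a pseudonym and the answers.
    lookup:  pseudonym -> direct identifiers; store it separately, together
             with the key, under tighter access control.
    Both parts remain personal data for whoever holds the key and lookup.
    """
    answers, lookup = [], {}
    for row in rows:
        pid = pseudonym(row["email"], key)
        lookup[pid] = {k: v for k, v in row.items() if k in DIRECT_IDENTIFIERS}
        answer = {k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
        answer["pid"] = pid
        answers.append(answer)
    return answers, lookup


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: load from a secrets store
    answers, lookup = pseudonymize(SAMPLE_ROWS, key)
    for a in answers:
        print(a["pid"][:12], a["favorite_color"])
    print(len(lookup), "respondents in the restricted lookup table")
```
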

If you use a third-party service, you may think that it is not your responsibility to make sure that everything is secure. But that thought is wrong. In GDPR terms, you have the role of a controller, and therefore you are responsible for the data you collect, and so you have to make sure that this data is processed in a secure and compliant way.

…the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation. (Recital 74 GDPR)

Usually, survey tools make it easy to create surveys quickly. But this does not mean that every survey tool automagically comes with GDPR-compliant measures. In GDPR terms, a third-party data processing tool, like a survey tool, is called a processor. The processor must usually guarantee that it implements the measures the GDPR requires to protect the data it collects on your behalf. But how does this work in a real scenario? How can a processor guarantee these measures?

Data Processing Agreements

If you are using a third-party tool like BotReach for processing data, you should make sure that you sign a Data Processing Agreement (DPA). A DPA outlines the rights and obligations for both parties according to the rules set out in the GDPR. This contract is vital for you, mainly because the processor is processing data on your behalf.

Some key take-aways of such a contract are:

  1. Ensures that a processor is only processing personal data on your written instructions.
  2. Provides that a processor implements security measures and handles personal data confidentially.
  3. Ensures the processor supports you in upholding your obligations under the GDPR.

Of course, there is some more to it than the things above. Feel free to read about the details on the official page.

What is a GDPR data processing agreement?
Whether it’s an email client, a cloud storage service, or website analytics software, you must have a data processing agreement with each of these services to achieve GDPR compliance.

Why I wrote this guide in the first place

I came across many surveys, and almost always, the creators seem to try to take some personal information from me. It may not be intentional, but sometimes it may be. It is easy to ask somebody five simple questions to get them invested, only to ask for an email address to "complete" the survey. This pattern is something that marketers often use because it's easy to implement and effective. But what's the problem with that? Personally, I feel that most surveys are trying to trick people into giving out more personal or sensitive data than required. Of course, that is against my belief in good marketing, but also, it is not compliant with the GDPR.

Hopefully, I could show you that it is not difficult at all to set up surveys that follow the rules set in the GDPR. When using BotReach as a survey tool, you can use its tooling to implement a GDPR compliant survey in no time.

Please note that this text is not legally valid advice. This is just a guide that mirrors the measures we take ourselves to make sure we follow all the rules in the GDPR when doing surveys.


TL;DR

A GDPR-compliant survey needs to be designed in a particular way. You should first be able to provide all the necessary information on what data you are processing. This usually happens while setting up the survey and its questions. As a second step, you should identify the parts that ask for data that identifies an individual. Do not forget to consider the complete dataset the survey will generate, because combined data could make the person identifiable. It is vital to note that before you process personal data, the user must have given consent to its use. In this consent, you should clarify the exact purpose for which you will use the data.