General Data Protection Regulation (GDPR)


Secure processing of personal data is a matter of course

Secure processing of personal data is nothing new for users of Xact by Rambøll. The EU's General Data Protection Regulation, or GDPR, came into force on 25 May 2018. Its implementation means that the data security of EU citizens' personal data is finally being taken seriously. At Xact by Rambøll, however, the security of our respondents' personal data has always been at the forefront of our development of the market's best do-it-yourself questionnaire system.

Ever since Xact was developed as an internal analytic tool for the consulting company Rambøll Management Consulting, we have drawn inspiration from the industry's most secure IT setup. Xact is now the market's most flexible and user-friendly questionnaire system – with Rambøll Management Consulting's collective expertise to back it up.

And with hundreds of customers in both the public and private sectors, we are proud to be the standard setters for how legislation applicable to the processing of personal data should be complied with in our industry.

It's about transparency, the principle of necessity and security

The GDPR sets stringent and much tightened requirements for everyone who processes personal data. The rules are many, but they basically come down to this:

  • You must tell your respondents exactly what you want to use the data you collect about them for, and you may only collect, store, and process data that are necessary to achieve the stated purpose.
  • Your respondents have the right at all times to view their collected personal data, to rectify these data, and in most cases to have them erased.
  • You must make sure that only those employees at your business who are absolutely necessary have access to your respondents' personal data – and that the data cannot be accessed by unauthorized persons.
  • You may only retain and process the data collected as long as is necessary for the stated purpose.

What is GDPR?

The purpose of the EU's General Data Protection Regulation is to protect the personal data of EU citizens, to give the individual citizen better control over personal data and to harmonize data protection rules across the EU. The rules apply to everyone who processes data about EU citizens – in other words, this also includes organizations outside the EU that process data about persons inside the EU.

The regulation tightens the transparency and security requirements for the data subject, while at the same time imposing strict sanctions on organizations that fail to comply with the rules. The EU can now impose fines of up to 4% of a company's worldwide turnover.

GDPR for questionnaire surveys

Questionnaire surveys contain personal data by their nature – it is people we are surveying after all. And in many cases it is necessary to collect sensitive personal data – for example for patient satisfaction surveys. That is why we have focused on making it easy and safe for you to accommodate your respondents' right to secure data processing without compromising your response rates.

 

The data subject's rights

It must always be easy for your respondents to modify or revoke their consent and to have their data erased from your survey.
The new respondent search feature in Xact makes it easy for you to isolate the individual respondent's responses and to modify or delete only these data from your survey.

 

Controlled access

Only those who are absolutely necessary may have access to your respondents' data. Access control in Xact makes it easy to assign certain employees the rights they need at the following levels:

  • Questionnaire rights (does not include personal data)
  • Distribution rights (includes personal data)
  • Analysis rights (includes personal data)
  • Reporting rights (may include personal data)

Documentation of security

You must be able to document your compliance with the GDPR – including your business partners' compliance as well. Since 2017, a data processing agreement has been included with new Xact licenses. Along with the annual audit opinion from PwC, this is your guarantee that we will take your security seriously.

 

Anonymity

Full anonymity is often a prerequisite for your respondents wishing to participate in your survey in the first place – especially when it comes to sensitive information. Xact lets you easily choose whether a response is to be anonymous. You can make the survey anonymous from the beginning if you do not need any personally identifiable data at all. You can also do the following if you no longer need the personally identifiable information, but would like to retain data about responses, for example so that you can monitor a trend over time.

Choose your data processor carefully

Your responsibility

When you collect data for your questionnaire survey, you are the data controller, and Xact is the data processor. A data processor operates according to the data controller's instructions. In other words, you yourself must be able to vouch for the data that you enter into the system. And as the data controller, you are responsible for ensuring that information is obtained legally, and that you only use it for the purpose you notified at the time of collection. If the law is violated somewhere along the line, you are the one responsible. This also means that you must have 100 percent control over your data processor.

Our responsibility

Although it is ultimately your interests that are at stake if the law is not complied with, as the data processor we do everything we can to monitor your data and to make it easy for you to comply with the legislation. Xact provides all the security documentation you need in the form of an ISAE 3000‑II audit opinion from PwC, along with the data processor agreement included with your Xact license.

At the same time, we have developed a number of features that let you have full control over access to your respondents' data.


Quick facts

You must always have consent to collect personal data. But because participating in a questionnaire survey requires a deliberate and active act, participation itself is to be considered as constituting consent. In special cases however – for example, if a survey involves sensitive personal data – we do recommend that you obtain more explicit consent.

Irrespective of the nature of the personal data, GDPR makes it abundantly clear that consent must be informed. It must be entirely clear to the respondent which personal data he or she is submitting and of course also why. As the data controller/collector of personal data, you are obliged, among other things, to notify the data subject why you need the information in question, what the purpose of collection is, how you store the data, and for how long. You should also state whether you utilize third-party data processors (like Xact). The EU General Data Protection Regulation also emphasizes that you are required to inform the data subject of his or her rights when obtaining consent – namely the right to view the data collected about him or her, the right to have changes made to the data collected about him or her, and the right to revoke his or her consent and have the data collected about him or her erased from your database and that of your data processor (Xact). At the same time, and in direct connection with the collection of information, you must make it easy for the data subject to exercise these rights by providing the contact information for your company's data controller.

In other words, there is quite a bit of information that needs to be easily accessible to the respondent in order to meet the transparency requirements set out in the GDPR. You can choose to gather all of this information on the first page of the survey. You can also choose to settle for an extract of the information on the first page of the survey, and provide a link referring the user to your company's general privacy policy. Here you must also describe such particular circumstances as may be associated with your surveys – including the fact that Xact is the data processor.

The rules governing exactly how informed consent is to be obtained can be interpreted in several ways. But if there is one rule of thumb that can help you comply with GDPR, it's that you need to be 100% transparent about everything having to do with personal data. For this reason, you are far better served if you are completely transparent about what you collect, why, and for how long you store data. At the same time, this gives your credibility a considerable boost – which after all is the most important factor determining the response rate.

No. All respondents' IP addresses are anonymized. Therefore, neither you nor the employees of Xact have access to view or use the IP addresses.

Yes, you can delete all data, including personal data, in all Xact surveys. The GDPR gives data subjects the "right to be forgotten". It must thus be possible to delete all trace of any given survey participant on request. There are a number of ways to handle this:

  • You can delete specific variables in a survey
  • You can delete a particular respondent's response
  • You can delete all data in a survey
  • You can delete the entire survey

Our new respondent search feature, which lets you find specific respondents across all your surveys, makes it easy to find and delete a particular respondent's response.

Remember that it is your responsibility as the data controller to delete all personally identifiable information once the purpose of your collection and retention has been achieved.

Yes, our new GDPR anonymization feature makes it easy to anonymize data in your survey using filters and auto filters. For example, you can use these:

  • Time filter: Here you can anonymize data from a specific time interval
  • Background data filter: Here you can anonymize all background data
  • System data filter: Here you can anonymize phone numbers, for example
  • Filter for text and comment fields in background and/or questionnaire data: Here you can anonymize all open fields both in the database and in the survey itself.

Remember that it is your responsibility as the data controller to anonymize data and to have clear guidelines for this process. For example, data that are not personally identifiable data may suddenly become identifiable when combined.

As a result of GDPR, you may only retain personal data for as long as necessary in order to achieve the purpose of your collection of data. When you no longer require the collected data for your survey, you yourself must thus make sure to delete or anonymize the data. Nor may you retain data, even if you might like to use them for another purpose, such as marketing. In that case, you must ask for specific consent anew. It is your responsibility to delete data in Xact yourself when you will no longer be using them.

If you do not delete the data yourself, Xact will save them for as long as you have an active Xact license. If your license expires, Xact will delete the data you yourself have not deleted. When you or Xact delete(s) your data, the data will be stored for up to three months in our backup system, after which they will be irrevocably deleted.

As a result of GDPR, as a rule the personal data of EU citizens may not be sent outside of the EU or the EEA, or to a country that is not categorized as a safe third country – read more in the Danish Data Protection Agency's guidance (Danish guidance). 

Xact's servers, which serve our customers all over the world, are physically located at the hosting company Fuzion in Aarhus, Denmark. In cases where we use sub-processors, we guarantee that data is not sent to insecure third countries.

Only a few of our employees have access to your data. The employees in question are those involved in the development and operation of Xact. If one of their positions should be terminated, that employee's user access is immediately blocked or discontinued. We maintain a list of authorized employees, including the type of access covered by the authorization.

If you need support, you can use our new support management system to grant access to your personal data to a specific member of Xact support staff. The support system ensures that access is only granted to the requested employee, to the specifically identified personal data in your organization, and for a limited period of time – for example, for one hour.

Yes, Xact makes use of a sub-processor in surveys where questionnaires are distributed via SMS. The current sub-processor for SMS distribution can be found at rambollxact.dk/smsbestilling (Danish website). A sub-processor is only used in connection with SMS distribution.

Respondents have the right to view the personal data that you store about them and to rectify them if they are not correct. As a starting point, respondents also have the right to have their own personal data erased from your surveys and archives.

Yet in some cases the interest in preserving personal data trumps the respondent's right to have his or her data erased. For example, this is the case for certain surveys that contain health data that may be necessary for future treatment.

The new GDPR features in SurveyXact make it easy for you to accommodate respondents' rights.

Remember that it is also your responsibility to rectify or erase personal data in any exported Excel sheets.

If Xact is contacted directly by one of your respondents with regard to the above, we have an efficient and professional procedure in place for handling this. We forward the request to the relevant person in your organization, and at the same time tell the respondent what happens next. According to GDPR, you are required to respond to the respondent's request "without delay, and at the latest, within one month of receipt of the request."

You are required to protect the personal data collected to the best of your ability. For this reason, you are required to reduce access to the absolute minimum. You must only grant the necessary access privileges to the necessary employees. Both the old Xact user management system and the new one make it easy to control access to personal data in a very fine-grained manner. The new user management system lets you assign rights to yourself and your colleagues for each individual survey at the following levels:

  • Questionnaire rights (does not include personal data)
  • Distribution rights (includes personal data)
  • Analysis rights (includes personal data)
  • Reporting rights (may include personal data)

For example, this way you can easily grant certain employees permission to view the results of a survey but without allowing them to view personal data.

It is your responsibility as the data controller to administer your users – including the creation, discontinuation and assignment of rights. You can automate this process by linking your Xact user administration to your Active Directory.

When your company no longer has an active license, Xact makes sure that all user permissions and rights are discontinued.

We offer two add-on services for Xact that can automate the administration of your users in Xact – Single-Sign-on (SSO) and two-factor login. Both of these solutions are described in our add-on folder.

According to the GDPR, you may only collect and store the personal data that are necessary in order to achieve the stated purpose for your collection of the data.
For example, you may not collect telephone numbers if doing so is not necessary in order to achieve your stated purpose.

The data processing agreement between Xact and your organization specifies the purpose and governs which types of personal data you may store. The GDPR uses two categories: General personal information and sensitive personal information. You should treat sensitive personal information with particular care.

You can be completely sure of this for several reasons! The five primary reasons are:

  • Xact is an IT system developed and owned by Rambøll. This means that Xact lives up to the strict requirements that Rambøll has undertaken to uphold in terms of being a responsible company, as described on the Rambøll website: https://www.ramboll.com/positions-and-policies

  • Xact and your organization have entered into a valid data processing agreement in accordance with GDPR.

  • Xact has an IT security audit performed by PwC every year. The audit is based on the international standard ISAE 3000‑II.

  • We perform penetration testing on the operating environment, testing whether it is possible to hack into our system.

  • As an Xact licensee, your organization is entitled to perform an audit at Xact, allowing you to ascertain that the technical and organizational precautions set out in the data processor agreement and in the appendix are in fact implemented.

A data processing agreement is included when you purchase an Xact license. The data processing agreement is adapted to suit your particular reason for using Xact. This is our mutual contract ensuring that we only do what you instruct us to do in the data processing agreement.

The data processing agreement is based on the Danish Data Protection Agency's guidelines and is adapted to Xact's setup. Our data processing agreement is also evaluated annually in connection with the audit opinion.

https://www.datatilsynet.dk/Media/C/0/Registreredes%20rettigheder.pdf (Danish guidance)

You are required to respond to a request from a data subject regarding access, rectification, erasure, etc. without undue delay and at the latest within one month of receiving the request.

This question is not really about GDPR, but rather about questionnaire surveys in general. For this reason, it is primarily the Danish Marketing Practices Act that applies in this regard.

Danish Marketing Practices Act – similar and equivalent products

Unsolicited communications by companies to consumers (also referred to as spam) are governed by Section 10 of the Danish Marketing Practices Act. As a starting point, a company must have obtained consent before it may contact the consumers, including by electronic mail (email, SMS messages and multimedia messages). This is the case for both current and past customers.

However, Section 10 (2) of the Danish Marketing Practices Act allows direct marketing of a company's own and equivalent products without consent. Products and services must simply be understood as being equivalent, not as being identical to the product or service originally sold. However, it is a requirement that the customer have provided his/her email address in connection with the purchase. For this purpose, when providing his or her email address, the customer must be notified that his or her email address will be used for subsequent marketing of the company's own and equivalent products/services. The customer must have the opportunity to opt out of further marketing, both when providing his or her email address and subsequently. The possibility of opting out of marketing communications must also be apparent in each subsequent communication, so that each time the customer receives direct marketing, he or she is informed of the possibility of opting out of future marketing.

Market research surveys, customer satisfaction surveys and the like

According to the Danish Consumer Ombudsman, emails and SMSs containing market research surveys, customer satisfaction surveys and the like are not, as a general rule, subject to the above provisions. It is therefore permitted to send these types of emails and SMSs without prior consent. However, this is not the case if the purpose of the survey is to brand or advertise a company's products. In practice, emphasis is placed on the content being completely neutral and not bearing any reference to the company or its products. In a specific case, the Danish Consumer Ombudsman took a position on this issue, emphasizing that the customer satisfaction survey was sent out as a direct continuation of provision of service, that it did not contain any solicitations to purchase, any favorable mention of the product or any other branding of the company. Based on this, it was his assessment that the purpose was not marketing, but to survey customer satisfaction.

However, according to the Danish Consumer Ombudsman, the communication should provide an option to opt out of future customer satisfaction surveys. Even if the communication is not subject to the spam provisions, it may be a violation of the rules governing good marketing practice, cf. Section 3 of the Danish Marketing Practices Act, if the company fails to respect the customer's wish to opt out of future communications.

If the survey is not neutral, it is considered to be marketing, and is therefore subject to Section 10 of the Danish Marketing Practices Act, under which the recipient must have given prior consent, unless the exemption set out in subsection 2 can be invoked.

When you collect data for your surveys, you are the data controller. As a data controller, you are subject to the requirement to keep internal records of the processing of personal data by you and your data processor, and you must be able to show that your processing of personal data complies with the rules.

Records must be in writing and electronic, and need only be provided to the Data Inspectorate upon request. Both the processing of ordinary data (non-sensitive personal data) and the processing of special categories of personal data (sensitive personal data) are subject to this duty.

The list must contain at least:

  • Name and contact information
  • Purpose
  • Categories of registered personal data
  • Categories of recipients at disclosure
  • Transfers to third countries and international organizations
  • Deletion deadlines
  • Technical and organizational measures

Ask our Data Protection Advisor

You are welcome to contact Rambøll Management Consulting's Data Protection Advisor if you have any questions about GDPR or about data security in general.

Ivan Dalsgaard Sørensen

Manager

+45 51 61 78 22

ivds@ramboll.com