How to use Feedback in compliance with GDPR

We’ve all met that person – the one who hogs the limelight, talks incessantly and blatantly disregards your answers.

Here’s a secret: No one likes that person.

But businesses often act in incredibly self-centered ways. And then they can’t really understand why prospects and customers break the relationship and flee to greener pastures.

The antidote to this oversight is a habit of collecting customer feedback.

Feedback, whether digital or shared in person, opens up a two-way conversation. A dialogue that equips you, the brand, to better serve your traffic and your prospects in the era of the Experience Economy.

But I know what you’re thinking.

Feedback covers a lot of ground.

It is personal.

It often involves Personally Identifiable Information (PII). And under the watchful eye of GDPR, isn’t customer feedback more of a hassle than a help?

Customer Feedback in the Era of GDPR: Is it Safe?

The short answer fortunately is YES!

In 2018, it took just four letters to spread fear and panic among companies where collecting customer feedback is concerned: GDPR.

As a result of the General Data Protection Regulation (or GDPR), more and more users ask what they should do to be compliant and safe while collecting feedback.

If you are working with personal data of data subjects in the EU or are located in the EU or have activity in the EU, there are a number of things that you have to take into account.

If you want to see a concrete security case with feedback, you can download our PDF.

In this article I’ll try to give you a good head start.

Are your surveys/reviews/forms anonymous or do you use personal data?

  • If you collect feedback anonymously and you do not process personal data, you can disregard the GDPR. But, be careful, the GDPR has an extremely broad view of what personal data is!
  • If you use contacts or ask for an email address, name or any other personal data while collecting feedback, then make sure to read on as the GDPR imposes a number of responsibilities on you.

Types of Customer Feedback Tools You Can Use

Remember that customer feedback is everywhere and can be gathered with many different tools. The sections below cover the most important categories and can save you from being charged with GDPR fines.

First, do you really know how to collect actionable feedback to improve your product/service?

[Image: collect actionable feedback]

Voice of the Customer Tools (VoC)

Voice of the Customer tools are becoming a top priority among online companies. This is mostly attributed to the fact that these tools have become a critical element in customer experience initiatives. These customer feedback tools make it easy for visitors to communicate about their customer experience directly and avoid interrupting the online journey. They are also great for collecting ‘in-the-moment’ feedback.

[Screenshot: Conversion Uplift]
Source: Temper

Survey Tools

An alternative way of collecting customer feedback is via traditional survey tools. Often in the form of a feedback button or email invite, these tools have become quite popular since the emergence of website feedback. Some of these tools are focused on particular niches whereas others hone in on user experience. In the past, these customer feedback tools were well-known for their tendency to include a long list of questions. However, nowadays, they are becoming shorter and shorter – which certainly makes them less of a hassle for respondents.

[Screenshot: survey question “what is your age”]
Source: Feedier

Online Review Tools

Online Review Tools are a great way of building up trust among your visitors online. Used quite frequently by digital marketers because of the well-known Google Stars, these tools can have a positive effect on Google Rankings. This type of customer feedback tool influences purchasing behavior seeing as how more than half of customers look at reviews before purchasing a product or service.

User Testing Tools

User Testing Tools involve all aspects of user interaction – whether that is with your company, products and/or services. For many businesses, supplying a good user experience is only achievable by making use of user testing tools. These kinds of customer feedback tools do a good job of measuring these interactions for the user. However, these insights are limited to the amount of page views users are allotted and they often lack in the analysis and action management area.

Visual Feedback Tools

Looking to capture user input on particular web page elements? Then perhaps a visual feedback tool is something you should consider. These customer feedback tools work in many different ways. Some provide the option to submit a screenshot. Others involve virtual sticky notes that highlight certain elements on the page such as text, images or buttons. While these provide a lot of support in terms of design, they are somewhat basic in terms of extracting deep customer experience insights.

Source: Usersnap

Community Feedback Tools

Also referred to as feedback forums, community feedback is a type of customer feedback tool that is collected via your website or mobile app. It’s then published either in your community or on a public forum. Visitors are usually able to comment on feedback that has been published, which often turns into a discussion. They can also provide suggestions or notify you of problems they’re experiencing on your website. Thanks to their transparency and social effect, these tools have become quite popular.

Stay GDPR Compliant While Collecting Customer Feedback

Lawful Data Processing

The GDPR says you need to process data “lawfully.”

Asking for feedback is processing data, so you need to ask for feedback lawfully. But what does that mean?

The GDPR has a detailed explanation of what “lawful processing” is (Article 6, subparagraph 1), but we only need to focus on two points from this explanation:

Processing is lawful if…

  1. The data subject has given consent to the processing of his or her personal data for one or more specific purposes OR
  2. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject

To clarify that, you can use someone’s data to collect feedback if:

  1. They have said it‘s OK to do so (they have given you consent), or
  2. You can argue convincingly that collecting feedback is in your legitimate interests.

Legitimate Interests

The best basis in the GDPR for asking for feedback is that it’s in your (and your customers’) interests to do so. If you can show that this is the case, then you are ready to proceed with collecting customer feedback and using it for the purposes you have defined. And how can you show it? With a balancing test!

This test weighs your ‘legitimate interests’ against the ‘interests or fundamental rights or freedoms’ of the person whose data you are processing. As long as you make your customer feedback process as customer-friendly as possible, no rational person will argue that you fail this balancing test.

However, if you start acting shady, for instance: not responding to feedback, sending annual surveys when transactional feedback forms would work better, or not asking customer-focused questions, then you’re tiptoeing closer to the line where you would fail this test. Don’t do it!

Download our Balancing test template from here.

Source: Usabilla


The second of the two potential legal grounds you have for collecting feedback is ‘consent’. Remember these points if you decide to go the consent pathway:

  1. For non-sensitive data, you need “unambiguous, affirmative” consent, not “explicit” consent. So rather than adding a checkbox, you can rely on a completely unmistakable notice along the lines of “by submitting this form you agree that we will process your data in line with our privacy policy”.
  2. Once you’ve relied on consent, you can’t double back and switch to one of the other bases for processing. So if someone says “no”, you can’t then decide that you’re going to send a survey anyway because of “legitimate interests”.
  3. The GDPR says “the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data”. Meaning: you need to keep records of how and when consent was given.

Source: Customer Sure

Whichever ground you use, we recommend that you put a huge firewall between your feedback processes and your marketing activities.

This way your customers do not end up receiving promotions and marketing emails just because they submitted a feedback form.

Data Minimisation

The principle of data minimization is essentially the idea that, subject to limited exceptions, an organization should only process the (personal) data it actually needs to achieve its processing purposes.

So what’s the minimum data needed to collect with customer feedback? Do you need to collect every detail of the job title, company size, country, IP, browser, and device ID, to get the feedback you need?


So who defines what data can be collected?

The GDPR does not define these terms. Clearly, though, this will depend on your specific purpose for collecting and using the feedback data. It may also differ from one individual to another.

So, to assess whether you are holding the right amount of personal data while receiving customer feedback, you must first be clear about why you need it. You may need to consider this separately for each individual, or for each group of individuals sharing relevant characteristics.

Source: Ninjaforms

You should also periodically review your processing to check that the personal data you hold is still relevant and adequate for your purpose. Delete anything you no longer need.

Data Subject Rights

So you’ve collected the customer feedback. Did you know that customers can actually stop you from using it for the purposes you have defined? Do you know that they can request to see what personal data you kept with the feedback you have collected?

So, under GDPR the data subjects have rights and you need to respect these.

Source: Zoho

Right to Access

You need to be prepared that your customers can request to see the personal data you store while you collect feedback from them.

Data Subject Access (DSAR) email request
Source: Amit Ashbel

Right to be Forgotten

Any person has the right to contact a company that processes personal data and request that the data relating to him or her be erased.

The data is to be erased in the following cases:

  • The data is no longer needed for the purposes for which it was collected
  • The processing is based on the individual’s consent and he or she withdraws it
  • The processing is carried out for direct marketing and the individual objects to the data being processed
  • The personal data has been processed unlawfully
  • Erasure is required in order to fulfill a legal obligation

Data Retention

It has been a longstanding principle of GDPR that data should be held for “no longer than is necessary.”

The GDPR does not specify exact data retention timescales. Given that, what do you do with customer feedback data?

Do not panic! There are a few key principles that you should take into account:

  1. First, set up a data retention programme, covering customer feedback and data in general. Some firms may neglect or postpone a data retention programme because of its complexity. That’s not a good solution, because keeping data forever is legally indefensible. If you encounter a data security event or a data subject rights request (e.g. a subject access request), you’ll have a lot more impacted data, and the risks, expenses and bad publicity of responding to the incident or request will be much higher. Recognise that you need a data retention programme and start immediately.
  2. Second, if you need to retain some feedback data for particularly lengthy periods of time (e.g. for product improvement or machine learning), then consider anonymising the data first. Remember that data protection laws, and so the requirement to retain data for “no longer than is necessary”, apply only to personal data. Data which is not personal falls outside data protection law and so, in principle, can be retained indefinitely.
  3. Finally, make sure you have at least some concrete justifications (see legitimate interests above) for why you keep data for the periods you do, rather than a vague “because it might be useful someday” type of argument.
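The duties described in the Consent, Data Minimisation, Right to Access, Right to be Forgotten and Data Retention sections above map onto a handful of operations on a feedback store. The following Python is an added example written for this article, not code from Feedier or any tool mentioned on the page; the purpose-to-field mapping, the 365-day retention period, the `FeedbackStore` class and all sample submissions are assumptions constructed for illustration. It drops fields the stated purpose does not need, refuses personal data unless the consent notice is recorded with it, answers a subject access request, erases a subject on request, and anonymises (rather than deletes) identifiable records once the retention period has passed so the answers remain usable for product improvement.

```python
"""Added example: a minimal in-memory feedback store covering consent records,
data minimisation, subject access, erasure and retention-driven anonymisation.
All purposes, field lists, periods and sample data are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed purpose -> personal-data fields that purpose genuinely needs.
# Anything else the form sends is discarded (data minimisation).
PURPOSE_FIELDS: Dict[str, set] = {
    "transactional_feedback": {"email", "order_id"},
    "product_research": set(),  # assumed to be collected anonymously
}

# Assumed period after which identifiable feedback is anonymised.
RETENTION = timedelta(days=365)


@dataclass
class ConsentRecord:
    """Evidence that lets the controller demonstrate consent was given."""
    given_at: datetime
    notice_text: str  # the exact wording the data subject agreed to


@dataclass
class FeedbackRecord:
    record_id: int
    purpose: str
    submitted_at: datetime
    personal_data: Dict[str, str]
    answers: Dict[str, str]
    consent: Optional[ConsentRecord]
    anonymised: bool = False


class FeedbackStore:
    """In-memory store; a real system would persist records in a database."""

    def __init__(self) -> None:
        self._records: List[FeedbackRecord] = []
        self._next_id = 1

    def submit(self, purpose: str, submitted_at: datetime, fields: Dict[str, str],
               answers: Dict[str, str], consent_notice: Optional[str] = None) -> int:
        allowed = PURPOSE_FIELDS[purpose]
        personal = {k: v for k, v in fields.items() if k in allowed}
        consent = None
        if personal:
            # Personal data is only kept together with a record of how consent was given.
            if not consent_notice:
                raise ValueError("personal data submitted without a recorded consent notice")
            consent = ConsentRecord(given_at=submitted_at, notice_text=consent_notice)
        rec = FeedbackRecord(self._next_id, purpose, submitted_at, personal, answers, consent)
        self._records.append(rec)
        self._next_id += 1
        return rec.record_id

    def subject_access(self, email: str) -> List[dict]:
        """Right to access: everything still held that identifies this subject."""
        return [
            {"record_id": r.record_id, "purpose": r.purpose,
             "personal_data": dict(r.personal_data), "answers": dict(r.answers),
             "consent_given_at": r.consent.given_at.isoformat() if r.consent else None}
            for r in self._records if r.personal_data.get("email") == email
        ]

    def erase(self, email: str) -> int:
        """Right to be forgotten: drop every record linked to this subject."""
        before = len(self._records)
        self._records = [r for r in self._records if r.personal_data.get("email") != email]
        return before - len(self._records)

    def apply_retention(self, now: datetime) -> int:
        """Anonymise identifiable records older than RETENTION. The answers stay,
        but are no longer personal data, so they can be kept for product improvement."""
        count = 0
        for r in self._records:
            if r.personal_data and now - r.submitted_at > RETENTION:
                r.personal_data, r.consent, r.anonymised = {}, None, True
                count += 1
        return count

    def identifiable_count(self) -> int:
        return sum(1 for r in self._records if r.personal_data)

    def total_count(self) -> int:
        return len(self._records)


def demo() -> dict:
    """Constructed walk-through: three submissions, a DSAR, an erasure, a retention sweep."""
    store = FeedbackStore()
    t0 = datetime(2024, 1, 10, tzinfo=timezone.utc)
    notice = "By submitting this form you agree that we will process your data in line with our privacy policy."
    store.submit("transactional_feedback", t0,
                 {"email": "alice@example.com", "order_id": "A-1", "ip": "203.0.113.5"},  # ip is dropped
                 {"rating": "4", "comment": "Fast delivery"}, consent_notice=notice)
    store.submit("transactional_feedback", t0 + timedelta(days=30),
                 {"email": "bob@example.com", "order_id": "B-7"},
                 {"rating": "2", "comment": "Late"}, consent_notice=notice)
    store.submit("product_research", t0, {"email": "carol@example.com"}, {"rating": "5"})  # stored anonymously
    try:
        store.submit("transactional_feedback", t0, {"email": "dave@example.com"}, {"rating": "3"})
        rejected = False
    except ValueError:
        rejected = True
    dsar = store.subject_access("alice@example.com")
    return {"dsar_fields": sorted(dsar[0]["personal_data"]), "rejected_without_consent": rejected,
            "erased": store.erase("bob@example.com"),
            "anonymised": store.apply_retention(t0 + timedelta(days=400)),
            "identifiable": store.identifiable_count(), "total": store.total_count()}


if __name__ == "__main__":
    print(demo())
```

Erasure removes the whole record because the subject asked for their data to be gone, whereas the retention sweep only strips the identifying fields, which is the anonymise-then-keep approach point 2 above recommends for long-lived product data.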

Privacy by Design

Privacy by Design is a term originally coined by the former Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian and is encapsulated in its seven foundational principles.

  1. Privacy must be proactive, not reactive, and must anticipate privacy issues before they reach the user. Privacy must also be preventative, not remedial.
  2. It must be the default setting. The user should not have to take actions to secure their privacy, and consent for data sharing should not be assumed.
  3. Privacy must be embedded into design. It must be a core function of the product or service, not an add-on.
  4. Privacy must be positive-sum and should avoid dichotomies. For example, PbD sees an achievable balance between privacy and security, not a zero-sum game of privacy or security.
  5. Privacy must offer end-to-end lifecycle protection of user data. This means engaging in proper data minimization, retention and deletion processes.
  6. Privacy standards must be visible, transparent, open, documented and independently verifiable. Your processes, in other words, must stand up to external scrutiny.
  7. Privacy must be user-centric. This means giving users granular privacy options, maximized privacy defaults, detailed privacy information notices, user-friendly options and clear notification of changes.

While designing your forms/surveys to collect customer feedback you need to take into account the above 7 principles.

Are Your Data Processors and Suppliers Compliant?

If you engage a data processor to design and maintain your feedback process, the GDPR (Article 28) says that:

The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

That means that it’s your own responsibility to ensure that your suppliers (processors) operate in a GDPR-compliant way.

Basically, you (or your Data Protection Officer) need to check their privacy and security policies to ensure that they are up to scratch with the GDPR. These are the points that need to be checked in your supplier’s policies:

What they collect and how

Try to identify what type of personal data your supplier is collecting and how. Is it respondents’ email, name, or IP address? Is it simply by asking questions, or are they collecting data automatically (for example geo-location or IP address)?

Why they collect

Their privacy policy must clarify the reasons for collecting personal data.

How will they use the data

It is super important to let your customers know how the supplier is going to use their personal data. Are they going to share it with third parties?

How long will they keep data

This is basically the data retention principle.

How secure is the data in their possession

Their privacy policy must also explain what security measures are applied when they collect, export, share, and store personal data.

Clarify data subject rights

The GDPR clearly defines individuals’ rights over their own data. Your suppliers must also make sure to reflect these rights in their privacy policy.

Who to contact

Every organization that is collecting data from EU citizens must have a Data Protection Officer. The DPO is a person in the organization who can represent the organization with respect to data and privacy issues. Including the DPO’s contact information in the supplier’s privacy policy would be great.

Source: Qualys

But furthermore, Article 28 also covers the content of the contract with your processors.

The GDPR contains a list of conditions that your contract must contain and usually contracts do not have such an extensive list of conditions.

To overcome this, select a supplier that already has in place a Data Processing Agreement (DPA) that includes further clauses on how they are going to process personal data.

Data Security

Throughout, the GDPR is very clear that security from a ‘data breach’ means security from both theft and loss, but it isn’t specific about the type of security you need to provide.

In our understanding, security means both encryption and backups.

So you should be quizzing your data processors about their backup strategy and how they are using encryption.

Remember, that although HTTPS (i.e. the padlock in your web browser’s address bar) is important, it’s not sufficient on its own.

HTTPS will protect data in transmission, but not whilst the data is being stored. Data must be encrypted when it’s stored too, so you need to check that your processor is using either database, or even better, full-disk encryption on their servers.

What Needs To Be Done To Enjoy and Get Most out of Customer Feedback?

To comply with the regulations, you should undertake training and make the following changes to your systems:

  • Design your customer feedback forms with the Privacy by Design principles
  • Anonymize data
  • Pick the right data processors
  • Improve housekeeping functionality to delete personal data that is no longer required.
  • Use secure file transfer for transmission of data
  • Add functionality to identify & delete personal data in case of ‘Right to be forgotten’ request
  • Add standards, processes and procedures
  • Update contracts and agreements to include GDPR data protection and agreed data retention periods
  • Update privacy and data protection policies
  • Identify and delete all data that is no longer required as part of an ongoing process
  • Improve policies to prevent a data breach

About Dionysia Kontotasiou

The Head of Privacy and Support at Convert, Dionysia likes to spend her days chilling on the beach, heading customer support and making pizza, in that order.
