Get insights.
Unlock value.
- Free plan, no time limit
- Set up in minutes
- No credit card required
Your Most Wanted Guide to Create a GDPR-Compliant Survey
As a business owner, you should already be aware of GDPR (General Data Protection Regulation). Businesses established in the European Union must abide by this data protection regulation, and so must businesses outside the EU that collect or process the personal data of people in the EU. GDPR has applied since 25 May 2018.
What better way to collect data for your business than through surveys and forms? But how do you make sure that the data you collect is handled in a GDPR-compliant way? This article will be your most-wanted guide to creating a GDPR-compliant survey.
Come on, let’s start.
Choose a GDPR-Compliant Survey Platform
When your survey platform is GDPR-compliant, it means the provider has already put data protection practices in place. Note that GDPR has no single mandatory certification, so the platform's claim should be backed by a Data Processing Agreement (required by Article 28 whenever a vendor processes personal data on your behalf), a clear statement of where your data is stored and which sub-processors handle it, and ideally an independent audit. Do you know? BlockSurvey is GDPR-compliant. It is also SOC2 & HIPAA compliant. Choosing a GDPR-compliant platform like BlockSurvey is a sound starting point, but remember that you remain the data controller for the responses you collect.
Include a Privacy Policy
As a GDPR practice, being transparent with your customers about how you handle their data is important. What better way to explain this to your customers than with a Privacy Policy?
Make sure your Policy clearly explains the points below (these are the core items Article 13 requires you to tell data subjects when you collect data from them).
- Who the data controller is and how to contact them
- What data is collected, for what purpose, and on which lawful basis
- Who the data is shared with (for example, your survey platform)
- How long the data will be retained
- What rights respondents have and how to exercise them
Your privacy policy should be published on your business website. When you create surveys, provide a link to the policy on the survey-taking screen. Sometimes, to make things easier, the relevant policy text is displayed directly on the survey screen instead of a link.
Get Consent Explicitly
If you rely on consent as your lawful basis, it must be explicit: ask respondents to tick a checkbox. Make sure the checkbox is not pre-ticked, because GDPR requires a clear affirmative action, and pre-ticked boxes or silence do not count as consent (Recital 32). Allowing respondents to consciously tick the box and provide consent is what makes it valid.
Separate consent must be obtained for each distinct purpose you use the respondent's (or customer's) data for. For example, get one consent for processing the survey answers and a separate one for sending newsletters, and do not make survey participation conditional on the newsletter consent (Article 7(4)).
In addition to getting consent, you must make it as easy to withdraw consent as it was to give it (Article 7(3)), and respondents must be able to abandon the survey at any time. Do you know? In BlockSurvey the respondent data is not collected until they press the submit button. This means the respondent can opt out at any time before submitting.
So remember to make the best of both worlds, consent and withdrawal.
Collect Minimal Data
Do not collect any data beyond what is needed for the purpose of the survey. This is GDPR's data minimisation principle (Article 5(1)(c)). Note that GDPR uses the term personal data, which is broader than the US notion of personally identifiable information (PII): it covers any information relating to an identified or identifiable person.
Personal data includes, for example:
- Name
- Address
- Email address
- IP address, device ID and other online identifiers (Recital 30)
Also, know that data that does not look identifying on its own can indirectly identify a respondent when combined. For example, suppose you collect the respondent's age. If only one person on your respondent list is aged between 30 and 35, a response carrying that age band can easily be traced back to them. Attributes like age, postcode and job title are called quasi-identifiers for this reason, and you should check how many respondents share each combination before you publish or share results.
Obtain Parental Consent
GDPR protects not only adults but also children. Where you rely on consent and offer the survey directly to a child, a person under the age of 16 needs parental consent (member states may lower this threshold to as low as 13, so check the age that applies in the countries you survey; Article 8). Parental consent can be collected through a separate survey or by email, and you must make reasonable efforts to verify that it was actually given by the parent or guardian. This ensures that the data of teens and children does not get misused.
Respect Data Subjects' Rights
GDPR is primarily enacted in the best interest of the data subject, that is, your customers or respondents. The regulation lists the rights of data subjects in Chapter 3 (Articles 12 to 23). Two of the most important for survey owners are below.
- Right to be informed and right of access: the data subject has the right to know how their data is used and to obtain a copy of the data you hold about them (Articles 13 to 15).
- Right to erasure: the data subject has the right to request deletion of their data at any time (Article 17), and you must be able to honour that request for data held on your survey platform too.
Keep the data subject's (survey respondent's) best interests in mind when you receive such requests. Handle each request with urgency and sensitivity: GDPR expects a response within one month (Article 12(3)).
Train Survey Administrators
The survey administrator might be technically good at running surveys. How do you ensure they are fully aware of GDPR practices? Through training. Train them at least annually on the best practices for running GDPR-compliant surveys, including the principles in Article 5, the consent rules, and how to handle data subject requests. Note that a Data Protection Officer is only mandatory in specific cases (Article 37, for example large-scale monitoring or large-scale processing of special categories of data), and the DPO must be able to act independently, so the person running day-to-day surveys is not automatically the right person for that role.
Create your first GDPR-Compliant Survey
If you want to start running GDPR-compliant surveys quickly, you are in the right place: BlockSurvey.
BlockSurvey is end-to-end encrypted. You own your data. Not even BlockSurvey can see your data. It does not run any trackers. BlockSurvey is privacy-focused by design, and as already mentioned is also GDPR compliant. End-to-end encryption protects the answers in transit and at rest, but you are still the data controller for what you collect, so the practices above still apply. Our support team will help you create your first GDPR-compliant survey.
Why wait? Signup now and create your GDPR-compliant survey.
Have different ideas? Want to learn more about GDPR before trying BlockSurvey? Visit our GDPR knowledge library.
Your Most Wanted Guide to Create a GDPR-Compliant Survey FAQ
What are the penalties for non-compliance with GDPR?
Businesses that fail to comply with GDPR can face significant penalties. Article 83 sets two tiers: fines of up to €10 million or 2% of annual global turnover (whichever is higher) for breaches such as inadequate security or record-keeping, and up to €20 million or 4% for breaches of the core principles, data subject rights or international transfer rules.
Does GDPR apply to businesses outside of the EU?
Yes, GDPR applies to any business that collects or processes the personal data of individuals in the EU, regardless of whether the business is located inside or outside of the EU.
Can I use data collected before GDPR went into effect?
You may continue to use data collected before GDPR went into effect, but only if the lawful basis you rely on meets GDPR's requirements. For consent-based data, Recital 171 makes clear that earlier consent remains valid only if it was obtained in a manner that already met GDPR's conditions (freely given, specific, informed and unambiguous). If it was not, you need to obtain fresh consent, establish another lawful basis, or delete the data.
What are some examples of non-PII data that could indirectly identify a respondent?
In addition to age, other examples include job title, postcode or zip code, employer, and device ID. Note that under GDPR a device ID is already personal data in its own right, because online identifiers count as personal data (Recital 30). If you collect this type of data, generalise it (age bands instead of exact age, a postcode prefix instead of the full code), suppress responses that remain unique, or obtain explicit consent from the respondent and limit who can see the raw data.
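The re-identification risk described in the Collect Minimal Data section (a single respondent in an age band) and in the answer above is what a k-anonymity check measures: every combination of quasi-identifiers should be shared by at least k respondents. The script below is an added example, not BlockSurvey's code. It runs over a constructed survey export (the rows, column names and the hypothetical `quasi_key`, `risky_groups`, `generalize` and `suppress_outliers` helpers are all assumptions for illustration), flags combinations that fall below k, and then shows the two standard fixes, generalising the quasi-identifiers and suppressing the rows that stay unique, before you share the results.

```python
"""k-anonymity check for a survey export (added example, not BlockSurvey code).

A respondent is at risk when the combination of their quasi-identifiers
(age, zip/postcode, job title) is shared by fewer than K rows in the export.
"""
from collections import Counter

# Constructed sample export: seven answers to a hypothetical staff survey.
# The "answer" column is the sensitive value we do not want traced to a person.
SAMPLE_RESPONSES = [
    {"age": 34, "zip": "10115", "job_title": "Engineer", "answer": "No"},
    {"age": 29, "zip": "10117", "job_title": "Engineer", "answer": "Yes"},
    {"age": 27, "zip": "10117", "job_title": "Engineer", "answer": "Yes"},
    {"age": 45, "zip": "10115", "job_title": "Manager", "answer": "No"},
    {"age": 47, "zip": "10119", "job_title": "Manager", "answer": "Yes"},
    {"age": 52, "zip": "10119", "job_title": "Manager", "answer": "No"},
    {"age": 26, "zip": "10115", "job_title": "Engineer", "answer": "Yes"},
]

# Columns that are not direct identifiers but can single someone out together.
QUASI_IDENTIFIERS = ("age", "zip", "job_title")


def quasi_key(row, columns=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values that an attacker could match on."""
    return tuple(row[c] for c in columns)


def group_sizes(rows, columns=QUASI_IDENTIFIERS):
    """How many rows share each quasi-identifier combination."""
    return Counter(quasi_key(r, columns) for r in rows)


def risky_groups(rows, k, columns=QUASI_IDENTIFIERS):
    """Combinations shared by fewer than k rows, i.e. respondents who can be singled out."""
    return {key: n for key, n in group_sizes(rows, columns).items() if n < k}


def is_k_anonymous(rows, k, columns=QUASI_IDENTIFIERS):
    """True when every quasi-identifier combination appears at least k times."""
    return not risky_groups(rows, k, columns)


def generalize(row, age_band=10, zip_digits=3):
    """Coarsen quasi-identifiers: exact age -> age band, full zip -> prefix."""
    band_start = (row["age"] // age_band) * age_band
    zip_code = row["zip"]
    return {
        "age": f"{band_start}-{band_start + age_band - 1}",
        "zip": zip_code[:zip_digits] + "*" * (len(zip_code) - zip_digits),
        "job_title": row["job_title"],
        "answer": row["answer"],
    }


def suppress_outliers(rows, k, columns=QUASI_IDENTIFIERS):
    """Drop rows whose combination is still shared by fewer than k respondents."""
    sizes = group_sizes(rows, columns)
    return [r for r in rows if sizes[quasi_key(r, columns)] >= k]


def main():
    k = 2
    print(f"raw export: {len(risky_groups(SAMPLE_RESPONSES, k))} groups below k={k}")

    banded = [generalize(r) for r in SAMPLE_RESPONSES]
    print(f"10-year bands + zip prefix: {risky_groups(banded, k)} still below k")

    released = suppress_outliers(banded, k)
    print(f"after suppression: {len(released)} of {len(banded)} rows releasable, "
          f"k-anonymous={is_k_anonymous(released, k)}")

    wide = [generalize(r, age_band=20) for r in SAMPLE_RESPONSES]
    print(f"20-year bands: groups={dict(group_sizes(wide))}, "
          f"3-anonymous={is_k_anonymous(wide, 3)}")


if __name__ == "__main__":
    main()
```

Run it before exporting results to a wider audience. Every exact age in the sample is unique, so the raw export has seven singletons; 10-year bands plus a zip prefix leave two respondents exposed, which suppression removes at the cost of two rows, while 20-year bands make the whole set 3-anonymous with no rows dropped. Choose the generalisation that keeps the analysis useful, and remember that k-anonymity says nothing about the sensitive column itself: if every member of a group gave the same answer, the answer is still disclosed.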
What are the golden rules of GDPR?
Keep the best interests of data subjects in mind while handling their data. Collect only the minimal data that serves the purpose of the survey, and do not retain it longer than required. These are three of the seven principles in Article 5: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.