Contents
01 Data compliance: Where do you start?
02 What are your responsibilities if you use Typeform?
03 How we handle compliance and data security at Typeform
04 Data compliance is part of the customer experience
Imagine meeting someone amazing. A real meet-cute situation: eyes lock across a crowded room, an instant connection, the whole shebang. They ask for your number, and you do the awkward, “I’ll text you so you have it” thing.
You’re hopeful. You’re energized. You knew it was worth coming out tonight. You’re mentally picking out your outfit for that date, thinking about which restaurant sounds best.
Then they say, “OK, great. I’ll send your number over to my friend as well. You know, just in case things don’t work out with us.”
Wait…what?
Too often, that’s what companies do with our data. Sometimes they share our data deliberately, but often it’s done out of ignorance of what’s legally OK and what’s not.
This is specifically important when setting up and running surveys.
Every time you collect customer responses you risk violating data regulations, which could result in scary fines or damage to your brand. This isn’t just an issue for big businesses either. While those multi-million dollar fines are the ones that hit the headlines, small businesses must also comply with data regulations—or face fines that really do some damage.
So far, so stressful, right? But the good news is that this doesn’t have to be complicated. With just a little forethought, you can gather data while staying on the right side of regulations and keeping your customers’ trust.
Data compliance: Where do you start?
Your business is subject to data privacy regulations if you’re collecting any kind of data. Here are five simple steps to keep you compliant.
1. Know which frameworks and guidelines apply
This can be confusing because there's a lot of overlap between the different regulations. As a general rule of thumb, though—when in doubt, do more. Here’s a quick breakdown of the regulations most likely to affect your survey data:
GDPR
What it is
You’ve probably heard of this one, but just in case: The General Data Protection Regulation is a European Union regulation designed to improve European citizens' data security and privacy.
What it specifies
Companies must obtain informed consent when collecting personal data.
People have the right to access and update their personal data or request that companies delete it.
Organizations must implement appropriate security measures to safeguard personal data.
See how we apply GDPR at Typeform on our website.
Who it applies to
GDPR is a European regulation, so it applies to you if your business is based in Europe or if you collect any data from European citizens.
What it means for your surveys
While the EU offers extensive resources for you to check your GDPR Compliance, here’s a handy checklist if you want an abbreviated version:
Check if you have a reasonable legal basis for processing personal data.
(In terms of surveys, this usually means you have the person’s consent. Make sure you ask for their consent before gathering their personal data. Giving consent must be opt-in, not opt-out—meaning the default option is collecting no personal data.)
Only collect personal data relevant and necessary for the specific purpose of your survey.
Explain to your respondents exactly how and why you’ll be using their personal data, and ensure you don’t accidentally use it in any other ways.
Store and process personal data securely.
Keep respondents’ personal data accurate and up to date.
Delete individuals’ personal data when you no longer need it.
Reminder: Following these steps is a good start, but there’s a bit more to it. We strongly recommend that you review the EU guidelines for more detail.
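As an added illustration of the checklist above (not code from Typeform), here is a small response store that enforces the three points that are easiest to get wrong in software: consent defaults to "no" so personal fields are only kept when the respondent opted in, fields outside the survey's stated purpose are dropped, and personal data is stripped once a retention period passes or an erasure request arrives. The field names, the 90-day retention period and the sample answers are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed for this example: what the survey actually needs vs. personal data.
REQUIRED_FIELDS = {"satisfaction", "feedback"}
PERSONAL_FIELDS = {"email", "name"}
RETENTION = timedelta(days=90)  # assumed retention period

@dataclass
class Response:
    answers: dict
    consent: bool        # explicit opt-in recorded with the response
    received_at: datetime

class SurveyStore:
    def __init__(self):
        self._records = {}  # response id -> Response
        self._next_id = 1

    def record(self, answers, consent=False, now=None):
        """Store a response. Consent is opt-in: the default keeps no personal data."""
        now = now or datetime.now(timezone.utc)
        kept = {k: v for k, v in answers.items() if k in REQUIRED_FIELDS}
        if consent:  # personal fields only survive with explicit consent
            kept.update({k: v for k, v in answers.items() if k in PERSONAL_FIELDS})
        # anything outside both sets (e.g. "age") is discarded: not needed for this survey
        rid, self._next_id = self._next_id, self._next_id + 1
        self._records[rid] = Response(kept, consent, now)
        return rid

    def erase(self, email):
        """Honour a deletion request: remove every record tied to this email."""
        doomed = [rid for rid, r in self._records.items() if r.answers.get("email") == email]
        for rid in doomed:
            del self._records[rid]
        return len(doomed)

    def purge_expired(self, now):
        """After the retention period, strip personal fields but keep anonymous answers."""
        purged = 0
        for r in self._records.values():
            if now - r.received_at > RETENTION and PERSONAL_FIELDS & r.answers.keys():
                for k in PERSONAL_FIELDS:
                    r.answers.pop(k, None)
                purged += 1
        return purged

    def get(self, rid):
        return self._records.get(rid)
```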
ISO 27001 (and 27701)
What it is
ISO 27001 is an international standard that certifies whether or not your company manages information securely. GDPR doesn’t have a certifying body, so if you want to prove your company is doing data compliance right, this is the certificate you need.
There’s also ISO 27701, which is an add-on to ISO 27001. Where ISO 27001 focuses on data security, 27701 is all about data privacy.
What it specifies
To get ISO 27001 certification, you’ll need to prove you have:
Systematically examined your company’s information security risks
Put together a comprehensive suite of information security controls
Created a data management process to ensure you’ll continue to comply with these security controls over time
Who it applies to
This standard applies to anyone who wants to prove they follow rigorous data security standards.
What it means for your surveys
If you want to reassure respondents that their data is safe, accessible, and compliant with international data security standards, you might want to consider getting both ISO 27001 and 27701 certifications. (We did! The documentation to prove it can be found here on request.)
CCPA
What it is
The CCPA is California’s answer to GDPR. It isn’t relevant to every company, but if there’s a chance you might survey anyone in California, you need to know about it.
What it specifies
The CCPA gives Californians:
The right to know what personal information companies are collecting about them and what'll happen with their data
The right to delete that information
The right to opt out of the sale or sharing of their data
The right to correct their data if it’s wrong
The right to limit how companies use their data
Who it applies to
Unlike GDPR, which applies to all companies that work with data from the EU, regardless of where they’re based, the CCPA only applies to for-profit companies that do business in California and fit one or more of the following characteristics:
Have a gross annual revenue of over $25 million
Buy, sell, or share the personal information of 100,000 or more California residents, households, or devices
Derive 50% or more of their annual revenue from selling California residents’ personal information
What it means for your surveys
If you’re surveying fewer than 100,000 California residents (or earning less than $25 million), you’re in the clear. However, we’d urge you to err on the side of caution by making sure that you:
Treat respondents as opted out by default, so they must actively opt in
Tell your survey respondents why and how you’re collecting their data
Store that data securely and delete it promptly after you analyze it
HIPAA
What it is
HIPAA is the gold standard for medical data compliance in the US.
What it specifies
HIPAA is pretty complex, but its main terms are fairly straightforward:
The Privacy Rule: Companies must keep medical data private and allow people to access and update their protected health information.
The Security Rule: Organizations that store medical data electronically must take the appropriate precautions to secure it.
The Breach Notification Rule: If your company’s data gets hacked, lost, or stolen, you must immediately notify the people involved, the HIPAA Secretary, and on some occasions, the media.
Who it applies to
If you’re in the healthcare sector (or you’re a contractor for a company in the healthcare sector) and deal with medical information from US citizens, then HIPAA applies to you. The term used for a company subject to HIPAA is a “covered entity.” There’s a handy tool on the Centers for Medicare & Medicaid Services website to help you understand if your business is a covered entity that must comply with HIPAA.
HIPAA applies to the medical data of US citizens, meaning that if your company processes medical information about even one US citizen, HIPAA applies, no matter where you’re based (or where said citizen lives).
What it means for your surveys
If you ask for medical information, tread carefully. Ensure all data is anonymized and stored securely. Consider where you analyze your survey data, who has access, and how to protect confidential information. Shameless plug: Typeform can help—our forms are HIPAA compliant.
If you’re working with any kind of medical info, you might need to sign a Business Associate Agreement (BAA) for Typeform to process your data even if you aren’t a medical entity. Not to worry—Typeform’s data-protection standards are HIPAA compliant, and we currently provide a BAA for customers on our Enterprise plan.
If this is all feeling a little overwhelming, you’re not alone. According to the 2023 IT Benchmark Report from compliance software firm Hyperproof, 51% of compliance professionals say they struggle to identify their company’s critical risks. The compliance issues affecting your company depend on your location, industry, and how you want to handle data.
TL;DR? Ask for permission, don’t ask for more data than you need, and seek professional compliance advice if you’re in any doubt whatsoever.
2. Centralize all of your data privacy policies
So, you’ve considered the regulations that might affect your survey data. However, handling data correctly isn’t enough—you’ll also need to communicate your policies clearly.
A word of caution: Avoid scattering different disclaimers around your website. It’s way too hard to keep track of them all. Instead, publish a centralized privacy policy you can easily maintain and update as data regulations change.
At Typeform, we use a typeform (we know, total surprise) to create an easy-to-navigate, central policy hub to communicate all of our policies around data security with our users and customers.
Quick tip: Avoid using legal jargon in your privacy policy. Keep it simple so you don’t frustrate customers or employees. Then, offer a legal version if needed—that’s what we do.
3. Be transparent
It’s a lose-lose situation if you’re secretive about how you use survey data. The common sense rule? Don’t do anything with data that you’d be embarrassed to tell other people. We all understand that companies need user data to run their businesses—we just don’t like feeling exploited.
Be upfront with your customers and survey respondents. At a minimum, you must let them know:
How you’re going to store their data so it’s secure
Exactly what you’re going to do with their answers
How they can modify or delete their data
Here’s an example from our privacy policy, where we explain what we do with the personal data we collect when somebody signs up for Typeform:
What are you doing with all the data, and why do you do it?
Fulfilling our end of the deal so that you can use our service
Sending you emails or other communications
Using your browsing behavior on our sites (see cookie policy) for profiling purposes. This lets us send you better ads or personalized content.
Signing you in from third parties (social media platforms, etc.)
Complementing data we have from third parties (requires individual opt-ins) to send you better ads or personalized content
Investigating things to prevent fraud, spam, phishing, and other no-no activities
Dissociating you (the person) from you (the profile) to analyze user trends and get better at what we do
Keeping our business operations running
4. Less is more
Collect the minimum amount of data you need for your surveys. If in doubt, leave it out! Do you really need their addresses? Do you even need their last names? Don’t collect data because it might be useful later. Only collect the information you need to answer the business questions you’re tackling with each specific survey.
5. Get legal help
As you might have noticed, compliance is a little tricky—and getting it wrong can be expensive and damaging. If you regularly send out surveys and work with customer data, consider hiring a compliance consultant or creating an in-house compliance department. Regulatory frameworks change too fast to keep up, and new standards arise all the time. Investing in compliance expertise is a great way to prevent painful mistakes down the road.
What are your responsibilities if you use Typeform?
If you send out a survey or form using Typeform, you are responsible for the data you collect. You choose who you send the form to and what you ask them.
That means that you need to:
Obtain informed consent from your respondents
Ensure that your respondents know about our Terms of Service and Privacy Policy
Store the data you collect responsibly
Let your respondents know what type of data you will collect from them (email address, name, etc.)
Tell them how you will use the data once you have it
Give them a way to get in contact with you if they’d like to ask questions, modify their data, or delete it
Delete any data promptly if your respondents ask
To obtain informed consent, try:
Using a Statement question field before you dive into the questions to inform your respondents about how you’ll use their info
Adding a Legal question field to let people explicitly agree or disagree with how you’ll store and use their data
Including information on your Welcome Screen about how you’ll process the data
Also, if you’re sending your typeform via email, use your email copy to clarify how you’ll use the data—and make it clear that they’re agreeing to these terms if they complete the embedded survey.
Curious about what we do with our own customer and survey data? Here’s the full answer.
How we handle compliance and data security at Typeform
Why we value security
As you can tell, we take data compliance very seriously here at Typeform. Your data’s confidentiality, integrity, and availability are critical.
To make sure we comply with the toughest regulatory requirements, including those affecting global multinationals, we’ve been audited and certified for the following compliance regulations:
ISO 27001
ISO 27701
SOC 2
GDPR
HIPAA
PCI
OWASP
NIST
FIPS
Our policies and dedication to transparency
If you want to get into the details, you can find a full list of our data security and privacy policies here (both in legal jargon and plain English).
In broad strokes:
1. When you use a typeform, the data you collect is yours.
We don’t peek. We also don’t share it with third parties, with two exceptions:
Amazon Web Services (AWS), our infrastructure provider, stores and manages our data
Cloudflare, our Content Delivery Network or CDN, allows us to provide our service faster, better, and more securely by helping us cache content, prevent abuse, and provide DNS service and traffic management.
Note: All our data is encrypted in transit and at rest, so not even our providers can access it.
2. We handle our customer data with care.
When you give us your data, we’re careful about what we do with it.
We prevent third-party access to your information by encrypting your data in transit (end-to-end, including within the virtual private cloud at AWS) using Transport Layer Security (TLS 1.2). We use the Advanced Encryption Standard (AES) with a 256-bit key to encrypt data at rest, including backups. (Read more about security here.)
All Typeform employees adhere to strict confidentiality agreements.
3. We’re compliant with all the major data security regulations.
4. We have a data security culture.
To ensure we practice what we preach, we’ve created a comprehensive set of information security policies following the ISO 27001 standard. This guides our employees and contractors in making the right security decisions.
Examples include our:
Robust password policy
Policies on data protection and classification of information
Emphasis on security in communications
Continuity and contingency plans
Acceptable use policy on workstations and mobile devices
Strict backup policy
We also have non-disclosure agreements (NDAs) with all employees and contractors, and run regular security awareness training courses within the company.
Data compliance is part of the customer experience
Today’s customers have come to demand an outstanding experience—and that includes treating their confidential information with the utmost respect. Nothing will ruin the trust you’ve built with your customers faster than being careless with their data.
That’s why we’ve made Typeform so mindful of security and compliance. If you use our forms, you can rest easy—your customers’ data is safe. You can trust our surveys for collecting healthcare data, financial transactions, and everything in between.
Want to know more about survey compliance? Here’s your next stop: our full guide to how we do security at Typeform.