The introduction of the GDPR and other major data protection laws around the world have changed the landscape of data collection.
As the Data Protection Officer for Shout, I’ve spent a lot of time thinking about how we can continue to drive our compliance standards.
But our development team has been working equally as hard on creating features that enable you to bolster your compliance when using Shout.
Below, I’ll go through the tools you’ll have access to in the app, and the compliance features associated with them.
Shout’s privacy by design
Before we get started with additional features you can enable, I think it’s worth discussing what we have in place to ensure you’re compliant with data protection regulations.
Firstly, all survey responses are anonymous by default.
Our mission is to minimize the amount of respondent data that’s collected without your say so. This will help you build trust with your audience, who can trust that they can’t be identified and will provide more open and honest feedback as a result.
Also, we don’t collect any referral statistics for that same reason (although you can enable this for your surveys). We want to foster an environment where respondents know their data will be protected.
For these same reasons, we don’t record IP addresses. These are masked before they’re even stored on our servers, so respondents will know we’re doing our utmost for their privacy concerns.
This also means that you don’t have to justify why an IP address is being recorded when you’re collecting survey responses.
Finally, Shout is cookieless by default. We don’t store cookies on respondent devices for any purpose of our own. We don’t force Google Analytics tracking cookies on anyone, like our competitors do.
Collecting survey responses
Now, let’s get into the nitty gritty of what we’ve created to enable higher levels of compliance when collecting survey responses.
Separate personally identifiable information (PII) from survey responses
You may find yourself tasked with collecting feedback and personally identifiable information (PII), but not wanting that data to be linked in your survey report.
Well, there’s any easy way you can do this with Shout.
Our Pseudonymization feature allows you to flag questions in your survey that collect types of PII (such as names and email addresses). Then when you start collecting results, any data from questions flagged for PII will be stored in a separate section of your report.
There is no way to link the PII back to the response data, which is essential to ensuring your full compliance when using this feature.
We’ll automatically separate any tracked data collected when sending surveys via email invitation when you Pseudonymize responses.
Set a minimum response threshold
If you plan to separate PII from response data, you could be concerned that you’ll still be able to identify respondents in the beginning.
Well, we’ve made sure to address that to.
With Shout, you’ll be able to set a minimum response threshold for your surveys that only allows you to access results once that quota has been met. This helps preserve the anonymity of respondents.
It’s important to note that this threshold is finalized from the moment your first response is selected. So, some thought will need to go into what your threshold should be.
Managing Contacts
Now we’ve covered the compliance features linked to survey data, let’s go over how you can maximize compliance when managing contacts.
Track Lawful Basis for Processing Data
When you import or collect contacts with Shout, you can create Groups to better organize them based on shared information or the types of campaigns you’ll send.
When you create contact groups, you can assign a lawful basis for processing data for all contacts in that group.
These include:
• Explicit consent
• Contract
• Legal obligation
• Vital interests
• Public task
• Legitimate interests
• No consent
Collect and Record Explicit Consent with Contact Forms
You may know that you can use Shout forms to collect contact information and grow your email list in our integrated CRM.
When doing so, you can connect individual forms to one or more contact groups.
If you’ve selected a contact group marked with the Explicit Consent lawful basis for processing data, we’ll automatically add a consent question below your form.
We’ll then record that consent to the contact’s profile in the CRM.
You can customize the text that is displayed to prospects and respondents when asking for consent.
Handle contact data deletion requests
Under the GDPR, data subjects are able to exercise rights regarding the use of their data.
You can update and correct any personal data via contact profiles at any time.
You can also export contact data in bulk to provide evidence of opt-in dates and other personal information they’ve provided.
When you delete a contact from the CRM, we’ll remove all associated persona data from your lists. We’ll also remove their data from any survey reports (if you enabled tracking).
Teams
Shout Teams enables you to invite your colleague to share the features of your subscription and collaborate on surveys.
But you may be concerned that your survey data is accessible to any and all team users.
Private team user dashboard
Not to worry, all surveys and reports are private by default. You can share surveys (and the associated report) with any and all team users, but you can revoke access at any time.
Admin controls
Admins are users who control the billing for Shout team. These users also take ownership over all data in the team accounts.
They’ll have full control over team users, including the ability to change details, delete accounts, and purge data.
This is perfect for scenarios where an employee leaves your organization, and you don’t want them to access the data (which is owned by you).