Survey School 5: Compliance considerations

Data compliance doesn't have to be complex or confusing. With Typeform, you can still collect data and stay on the right side of industry regulations while maintaining customer trust.

Data helps us personalize the customer journey, laser-focus marketing campaigns, inform product roadmaps—it powers businesses.

We need data to keep business moving, but many companies struggle with what they can do with that data, whether they can share it legally, and the implications of being non-compliant with data privacy laws.

Sometimes organizations share data deliberately, but more often than not, it's shared out of ignorance of what's (legally) acceptable and what's not. Surveys are a great way to collect customer data, but if you don't prioritize data privacy, you risk violating data regulations.

When you violate data regulations, you can expect hefty fines, reputational damage, lost customer trust and loyalty, and more. But there's good news—complying with data security and privacy laws doesn't have to be complicated.

With a little planning, you can gather all the data you need while maintaining compliance and customer trust. We'll show you how.

Where to start with data compliance

Whether you use Typeform or another survey builder to collect any kind of data, it's your responsibility to adhere to data privacy regulations. Not sure where to get started? Follow these five steps.

1. Get familiar with privacy and security guidelines and regulations

While many of the data privacy regulations have overlap, you'll need to comply with any and all that are relevant to you. When in doubt, do more. Take a look at the data regulations most likely to impact your survey data.

General Data Protection Regulation (GDPR)

A European Union (EU) regulation, GDPR was designed to strengthen the data protection and privacy of people in the EU (and the wider European Economic Area) and give them more control over their data. It regulates how organizations handle the personal data of individuals who are in the EU, regardless of their citizenship.

GDPR's core requirements include:

  • Organizations must have a lawful basis for processing personal data. For surveys, that is usually the survey-taker's informed, freely given consent.

  • People have the right to access and correct their personal data, or to request that organizations delete it entirely.

  • Organizations must implement appropriate technical and organizational security measures to safeguard personal data.

See how we apply GDPR here at Typeform on our website.

GDPR is a European regulation, but it doesn't only apply to European businesses. It applies if your organization is established in the EU, or if you offer goods or services to, or monitor the behavior of, people in the EU, even when your business isn't based there.

What GDPR means for your surveys

While the EU offers extensive resources to check whether you're GDPR-compliant, here's a quick checklist if you want an abbreviated version:

  • Check that you have a lawful basis for processing personal data. With surveys, this typically means the survey-taker's consent, which under GDPR must be freely given, specific, informed, and unambiguous. Ask for consent before gathering personal data, and make it opt-in (an unticked box), never opt-out or pre-ticked. Keep a record of who consented, to what, and when.
  • Only collect personal data relevant and necessary for the specific purpose of your survey. If you're gathering customer feedback, you don't need their phone number or home address, for example.
  • Explain to survey-takers exactly how and why you’ll be using their personal data. Make sure you don’t accidentally use it in any other way.
  • Store and process personal data securely.
  • Keep your audience’s personal data accurate and up to date.
  • Delete an individual’s personal data when you no longer need it.

Pro tip: Following these steps is a good start, but there’s more to it. We strongly recommend reviewing EU guidelines for more detail.

ISO 27001 (and 27701)

ISO 27001 is an international standard for an information security management system (ISMS). An accredited certification body audits your organization against it and certifies that you manage information security systematically. GDPR has no single official certificate, so ISO 27001 is the most widely recognized way to demonstrate to customers that your security program is independently audited. Keep in mind that it is evidence of good security management, not proof of GDPR compliance in itself.

There's also ISO 27701, an extension to ISO 27001. Where ISO 27001 focuses on information security, 27701 adds the controls for a privacy information management system, covering how you handle personal data.

To achieve ISO 27001 certification, you'll need to show that you have:

  • Systematically assessed your organization's information security risks
  • Selected and implemented a suite of information security controls that address those risks
  • Established a management process (the ISMS itself) that keeps those controls effective and audited over time

Both standards apply to any business or organization that wants to prove it follows rigorous data security standards.

What ISO 27001 and 27701 mean for your surveys

Want to reassure survey-takers that their data is indeed safe, accessible, and compliant with international data security standards? You might want to consider getting both the ISO 27001 and 27701 certifications (we did).

These certifications are really about building trust with your customers and showing them that you're dedicated to data privacy and security.

California Consumer Privacy Act (CCPA)

CCPA is California's answer to GDPR (it has since been expanded by the California Privacy Rights Act, CPRA), but it's not relevant to every business. That being said, if there's even the slightest chance you might survey someone in California, you need to know about it.

CCPA gives Californians the right to:

  • Know what personal information companies are collecting about them and what'll happen with their data
  • Delete that personal information and data
  • Opt out of the sale or sharing of their data
  • Correct their data if it’s wrong
  • Limit how companies use their data

Unlike GDPR (which applies to all organizations that process data of people in the EU regardless of where they're based), CCPA only applies to for-profit businesses that do business in California and meet one or more of the following thresholds:

  • Have gross annual revenue above the statutory threshold (originally $25 million, adjusted periodically for inflation)
  • Buy, sell, or share the personal information of 100,000 or more California consumers or households per year
  • Derive 50% or more of their annual revenue from selling or sharing California residents' personal information
What CCPA means for your surveys

If none of the three thresholds applies to your business, CCPA doesn't bind you (note that meeting any one of them is enough to bring you in scope). But like with anything data privacy or security related, we suggest erring on the side of caution by making sure you:

  • Make data collection opt-in, and honor requests to opt out of the sale or sharing of personal information
  • Tell survey-takers why and how you're collecting their data
  • Store that data securely and delete it promptly once you've finished analyzing it

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is the US federal law that governs protected health information (PHI). It sets standards for keeping sensitive health data secure and private.

While HIPAA is complex in the details, its main rules are fairly straightforward:

  1. The Privacy Rule. Organizations must keep PHI private, use it only for permitted purposes, and allow people to access and request corrections to their health information.
  2. The Security Rule. Organizations that create, store, or transmit PHI electronically must implement administrative, physical, and technical safeguards to protect it.
  3. The Breach Notification Rule. If PHI is breached (hacked, lost, or stolen), you must notify the affected individuals and the Secretary of Health and Human Services without unreasonable delay and no later than 60 days after discovery. Breaches affecting more than 500 residents of a state also require notifying prominent media outlets in that state.

HIPAA applies to "covered entities" (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically) and to their "business associates," the contractors and vendors that handle PHI on their behalf. Whether it applies depends on what you are and whose data you handle, not on the patient's citizenship: a survey vendor processing PHI for a US hospital is in scope, while a non-healthcare company asking a US citizen about their health is generally not.

If you're unsure whether you're a covered entity or a business associate, check out the guide from the Centers for Medicare & Medicaid Services on who must comply with HIPAA.

What HIPAA means for your surveys

If you ask for medical information, tread carefully. Collect the minimum PHI necessary, de-identify data wherever you can (HIPAA defines what counts as de-identified), store it securely, and think about where you analyze your survey data, who has access to it, and how you protect confidential information.

See how Typeform helped Modern Health build better mental health programs with HIPAA-compliant forms that helped them better understand their audience.

Working with medical data? You might need to sign a Business Associate Agreement (BAA) for Typeform to process your data (even if you aren’t a medical entity).

Don't worry—Typeform’s data protection standards are HIPAA-compliant, and we provide a BAA for customers on our Enterprise plan.

Pro tip: Ask for permission, don’t ask for more data than you need, and seek professional compliance advice if you’re in any doubt whatsoever.

2. Centralize your data privacy policies

Proper data handling is just the beginning of data privacy and security—you'll also want to communicate your policies in plain language. But instead of scattering different disclaimers all over your site, create a centralized place where you can outline everything.

That place? Your privacy policy. But remember—your privacy policy should be a living document you can update as data regulations change. At Typeform, we use a Typeform (shocker) to create an easy-to-navigate, central policy hub that communicates all of our policies around data security with our customers.

Pro tip: Avoid using legal jargon in your privacy policy. Keep it simple so you don’t frustrate or confuse customers or employees. You can also offer a legal version if needed—that’s what we do.

3. Be transparent

Open, honest communication is always best, especially when it comes to explaining how you use survey data. Be transparent about it and don't do anything with customer data that you'd be embarrassed to tell other people.

Customers know you need their data to run your business, but they don't want to feel exploited. Being transparent, honest, and clear can help ease those fears.

At a minimum, you should let them know:

  • How you’re going to store their data so it’s secure
  • Exactly what you’re going to do with their answers
  • How they can modify or delete their data

Here’s an example from our privacy policy, where we explain what we do with the personal data we collect when someone signs up for Typeform:

4. Take a "less is more" approach

Turns out, there are several reasons to keep your surveys short. Not only are shorter surveys, forms, and quizzes less overwhelming, but when they have fewer than six questions, they also see higher response rates.

And here's the thing about trying to collect a bunch of data (and all at once)—you get so caught up in knowing every little thing about your customers that you forget to stop and think about whether you really need all the information you're gathering.

Do you need their addresses? Do you even need their last names? Don’t collect data because it might be useful later. Only collect the information you need to answer the business questions you’re tackling with each specific survey.

Pro tip: Try progressive profiling to gradually gather the data you need without overwhelming your customers by asking everything at once.

5. Get legal help

Compliance can be tricky. And worse, if you get it wrong, it can be costly in more ways than one (brand damage, lost trust, and expensive fines). So if you send out surveys on a regular cadence, think about hiring a compliance consultant or building an in-house compliance department.

Regulatory frameworks change too fast for most of us to keep up with, and new standards pop up all the time. Investing in compliance expertise is a great way to prevent troubling mistakes down the road.

What responsibilities do you have as a Typeform user?

At Typeform, we ensure our forms, surveys, quizzes, and polls are all compliant with the regulations we've outlined in this blog. 

But if you send any kind of form or survey using Typeform, you are responsible for the data you collect. You choose who you send the survey to and what you ask survey-takers.

That means that you need to:

  • Get informed consent from survey-takers
  • Store the data you collect responsibly
  • Let survey-takers know what type of data you'll collect from them (email addresses or names)
  • Tell them how you'll use the data once you have it
  • Give them a way to get in contact with you if they’d like to ask questions, modify their data, or delete it
  • Delete any data promptly if survey-takers ask you to

To get informed consent, try:

  • Using a statement question field before you dive into the questions to inform survey-takers about how you’ll use their information
  • Adding a legal question field to let people explicitly agree or disagree with how you’ll store and use their data

And if you’re sending your Typeform via email, use your email copy to clarify how you’ll use the data—and make it clear that they’re agreeing to these terms if they complete the embedded survey.

Curious about what we do with our customer and survey data? Here’s the full answer.

How we handle compliance and data security at Typeform

In case it wasn't blatantly obvious, here at Typeform, we're pretty serious about data compliance, security, and privacy. Your data’s confidentiality, integrity, and availability is crucial.

So, to make sure we meet the toughest regulatory requirements, including those affecting global multinationals, we've been audited and certified against, or align our controls with, the following standards, regulations, and frameworks:

  • ISO 27001 (certified)
  • ISO 27701 (certified)
  • SOC 2 (audited)
  • GDPR
  • HIPAA
  • PCI DSS
  • OWASP guidance
  • NIST frameworks
  • FIPS-validated cryptography

Note that GDPR and HIPAA are laws rather than certifications, and OWASP, NIST, and FIPS are frameworks and guidelines we follow rather than badges we hold; ISO 27001, ISO 27701, and SOC 2 are the independently audited ones.

Our policies and commitment to full transparency

If you want to get into the weeds, check out our data security and privacy policies here (both in legal jargon and plain English). No time to go that in-depth? Here's a quick overview:

1. When you use a Typeform, the data you collect is yours.

We don’t peek. We also don’t share it with third parties, with two exceptions:

  • Amazon Web Services (AWS), our infrastructure provider, stores and manages our data
  • Cloudflare, our Content Delivery Network (CDN), allows us to provide our service faster, better, and more securely by helping us cache content, prevent abuse, and provide DNS service and traffic management

All our data is encrypted in transit and at rest, which protects it from interception on the network and from disclosure of stored data. One practical caveat: a CDN that caches content and filters abuse must terminate TLS to do its job, so "encrypted in transit" means each network hop is encrypted, not that the CDN never handles plaintext. That's why our contracts and data processing terms with these providers matter as much as the encryption itself.

2. We handle our customer data with care.

When you give us your data, we’re careful with what we do with it.

  • We prevent third-party access to your information by encrypting your data in transit (end-to-end, including within the virtual private cloud at AWS) using secure Transport Layer Security (TLS) cryptographic protocols (TLS 1.2)
  • All Typeform employees adhere to strict confidentiality agreements

3. We’re compliant with all the major data security regulations.

We comply with HIPAA, GDPR, and more. Get more details here.

4. We've built a strong data security culture.

We practice what we preach, which is why we’ve created a comprehensive set of information security policies following the ISO 27001 standard. This guides our employees and contractors in making the right security decisions.

Examples include our:

  • Robust password policy
  • Policies on data protection and classification of information
  • Emphasis on security in communications
  • Continuity and contingency plans
  • Acceptable use policy on workstations and mobile devices
  • A strict backup policy

We also have non-disclosure agreements (NDAs) with all employees and contractors and run regular security awareness training courses within the company.

Data compliance is a vital part of a better customer experience

An exceptional customer experience (CX) is no longer just something top brands do—it's what customers demand from every brand. And a great CX includes treating your customers' confidential information with the utmost respect.

Nothing will erode the trust you’ve built with your customers faster than being careless with their data. That’s why we’ve built Typeform around data security and compliance.

If you use our surveys or forms, you can rest easy: your customers' data is protected on our side. You can use our surveys for collecting healthcare data (with a BAA on the Enterprise plan), financial data, and everything in between, as long as you do your part in the steps above.

Want to know more about survey compliance? Check out this full guide about how we do security at Typeform.

About the author

We're Typeform - a team on a mission to transform data collection by bringing you refreshingly different forms.

Published Jul 18, 2025, updated Jul 19, 2025. Author: Typeform, https://typeform.com/author/typeform