Surveys Banner

GDPR compliance is a key consideration when using survey tools. When creating a survey, it is important to identify where there is a risk to participants’ personal data.

There are two factors to consider in relation to your survey’s GDPR compliance.

Is the data truly anonymous? Is it anonymised or pseudonymised?

Anonymised data is data that has been rendered anonymous so that the person is not identifiable. However, simply removing or not asking for personal identifiers such as name, date of birth, etc., does not render personal data fully anonymous. Depending on the data set, it may be possible to identify a person.

Pseudonymised data is personal data that is processed so that a person’s data cannot be attributed to them without additional information, that is kept separately. There is a risk of re-identification of the person if the additional information is combined with the data. As such, pseudonymised data is not truly anonymous, so GDPR applies.

For further information on anonymisation and pseudonymisation, please visit the Data Protection Commission website here

Does the survey tool’s functionality lend itself to complete anonymity?

Does the survey tool use tracking? If so, or if in some other manner, it collects IP addresses, then the survey is not anonymous, as these could be used to identify data subjects. If this is the case, then it means your survey is processing personal data, even if you have decided that the survey will not ask for it directly. This also means the GDPR is invoked.

Does my survey require a DPIA?

Whether your survey requires a DPIA depends on (i) if you have determined that GDPR applies because of the above, and (ii) if you have determined that there is high risk processing involved, such as special category data under Article 9, use of Artificial Intelligence (AI), large-scale data processing, and so on.

We have compiled some resources to help you determine whether you need to complete a DPIA – for further assistance see here and our DPIA Screening Checklist

Additional requirements

If your survey tool uses IP addresses or collects personal data then it is a Data Processor and you will need to have a Data Processing Agreement with the survey tool. You will also need a Privacy Notice for participants, outlining the use of the tool and, in particular, if there are transfers of data outside the EEA. The DPO has a template privacy notice available for this purpose.

We recommend using Microsoft Forms through your University of Galway account as the University’s approved supplier.

Please note: Within MS Forms, the anonymity of responses captured on MS Forms is determined by the setting “who can fill in this form”. See Choose who can fill out a form or quiz - Microsoft Support for more information and ensure you understand this control before proceeding with your survey.

We hope the above is helpful, however please note that this is high level guidance and should you have specific questions you should refer same to dataprotection@universityofgalway.ie 

Further general information on data protection is also available on our website here