Data privacy and security best practices: How to protect survey data

Data privacy and security are vital in today’s world. Large-scale data breaches make headlines on a consistent basis, putting customer data at risk and costing companies big time, both through the financial hit to clean up the mess and immeasurable damage to their reputations.

Relentless vigilance regarding data security should be top priority for everyone in your organization. It’s essential to do everything possible to keep hackers from compromising customer and organizational data—including survey data—as well as having a rapid response plan in place to limit the damage in the event a breach does occur.

Any type of data could be subject to a breach, which is why making sure your survey data is well protected is essential to maintaining trust with your customers and assuring that the data you collect is accurate and not vulnerable to attacks or leaks.

The battle against hackers is a war without an end, and as security experts often quip that hackers only need to be right once, while data security professionals need to win every day.

Security is not an area in which you want to experiment or take any risks. There are established data security best practices that are constantly being updated and improved on to ward off existing risks while anticipating new ones. When it comes to surveys, you want to be sure that you are ensuring the privacy and security of your survey respondents and adhering to relevant regulations such as HIPAA, GDPR, and CCPA. 

Also, it’s important to keep in mind that ensuring data privacy goes beyond just keeping the bad guys at bay. A company that has a strong commitment to data privacy builds greater trust with customers. When you are conducting surveys, that trust can translate to a greater response rate and respondents sharing more robust insights that provide you with more credible and actionable data.

Deeper Dive: Check out SurveyMonkey’s Data Collection & Privacy Best Practices

Following established privacy practices can help make sure that data stays secure while giving your survey respondents peace of mind that their information will remain safe. This not only provides protection for your company and respondents, but also makes people more likely to complete a survey.

Describe your privacy practices in a survey introduction or in the email inviting people to take your survey. You can also add a hyperlink directly to your privacy notice. You can use skip logic to disqualify respondents who don't agree with your privacy notice or practices.

Data privacy practices should include the following:

For instance, SurveyMonkey’s Privacy Policy describes how we handle your data. The policy was developed in consultation with experts to assure it is comprehensive, transparent, and implements best practices. Computerworld decided to review our privacy practices and commented that we “get the nod” for codifying our privacy practices “into clear online disclosures and commitments” and that we take security measures that they saw “Fortune 500 firms taking.”

Take a deeper look into how SurveyMonkey Handles Your Data

Include a consent form: A consent form gives written permission to another party that they understand the terms of an event or activity that will be performed. Including this as part of a survey protects your company by making it clear to respondents how the information they provide may be used.

Delete data after it’s not needed: Hoarding old and outdated data can lead to trouble by increasing risks that long-forgotten data might be compromised. It’s a best practice to establish clear guidelines that govern how long data will be retained, as well as how it will be properly deleted.

Deeper Dive: Fortify your security efforts with SurveyMonkey’s Privacy for survey creators

Sensitive health information of your customers or patients is private, and HIPAA is a law designed to make sure it stays that way.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that creates national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

If you work in healthcare in any capacity, you need to be HIPAA compliant or run the risk of being audited or fined and losing the trust of your customers or patients. The bottom line: If you are handling protected health information (PHI) you need to be HIPAA compliant.

SurveyMonkey offers a number of options specifically for the healthcare industry, from HIPAA compliant accounts to  healthcare survey templates.

Deeper dive: 3 reasons why organizations need to be vigilant about collected data during COVID-19

GDPR are regulations that govern data protection in the European Union. But you need to care about it even if you’re in Boise, Idaho. That’s because GDPR measures still need to be taken even if a business is not located in Europe.

The General Data Protection Regulation (GDPR) is a regulation that covers data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas.

The GDPR's primary aim is to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation. It applies to any enterprise—regardless of its location and the data subjects' citizenship or residence—that is processing the personal information of individuals inside the EEA.

The regulation became a model for many laws outside the EU, including the California Consumer Privacy Act (CCPA), adopted in June 2018.

The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the personal information (PI) of California residents.

The effective date of the CCPA is January 1, 2020. It is the first law of its kind in the United States.

If you have customers or survey respondents who reside in California you need to be aware of this law, and take steps to assure you are in compliance.

CCPA applies to any for-profit business in the world that sells the personal information of more than 50,000 California residents annually, or has an annual gross revenue exceeding $25 million, or derives more than 50 percent of its annual revenue from selling the personal information of California residents.

Additionally, if a company shares common branding (i.e. shared name, service mark or trademark) with another business that is liable under the CCPA, the company will be subject to CCPA compliance as well.

Under the CCPA, California residents (“consumers”) are empowered with the right to opt out of having their data sold to third parties, the right to request disclosure of data already collected, and the right to request deletion of data collected.

Deeper Dive: SurveyMonkey’s Data Security and Compliance

Of course the purpose of conducting a survey is to collect useful data and information about your target audience. Yet, in the process you have to be vigilant about making sure that you are complying with data privacy and security regulations and guidelines to avoid being out of compliance or compromising personal information from survey respondents.

There are several key security issues to focus on when you intend to collect data, including minimizing the amount of personally identifiable information, data encryption, anonymous surveys, and secure access. 

It’s best practice to minimize the amount of personally identifiable information collected for surveys. In simple terms, you want to avoid collecting information that potentially disclose sensitive personal information of respondents including social security numbers, telephone numbers, and email addresses or physical addresses.

You want to be sure that your data doesn’t end up in the hands of unauthorized users. And data encryption is a key line of defense to prevent that from happening.

Encryption is the process through which data is encoded, so keep it hidden from or inaccessible to unauthorized users. Encryption helps protect private information and sensitive data, and can enhance the security of communication between client apps and servers. When your data is encrypted, even if an unauthorized person manages to access it, they will not be able to read the content of the data.

When data is encrypted an encryption algorithm is used to translate (encode) plaintext or readable data into unreadable data or ciphertext. Only the corresponding decryption key can then unscramble ciphertext back into readable plaintext.

Making survey responses anonymous can help improve data privacy because you are not collecting personal information that could potentially be compromised. This lowers the risks to your organization.

A big added benefit of anonymous surveys is that you will likely see increased response rates, and more candid answers from respondents. The promise of anonymity removes some of the more common barriers for survey participants. For instance, if you are conducting a survey of your employees, making the survey anonymous reduces the fear that answers could lead to repercussions from HR, while freeing employees to be more candid and detailed in their responses.  

SurveyMonkey’s Anonymous Responses collector option makes things easy by allowing you to choose whether or not to track and store identifiable respondent information in survey results. SurveyMonkey records respondent IP addresses in backend logs and deletes them after 13 months.

Data security encompasses many aspects of protecting and securing data, from password security to creating secure access to survey data and results, as well as effectively storing and disposing of old data.

When it comes to passwords, it should be common sense by now that you shouldn’t use the word “password” if you want any hope of warding off hackers.

Yet a study of the most common passwords of 2020 found that “password” ranked number four. The most common password? 123456. Not good.

Password security is critical to protecting survey data, and users should be encouraged to use passwords that are unique and unpredictable. There are password management tools that can help make creating unique passwords easy while not requiring users to have a lengthy list of passwords stored in their minds. Two-factor authentication also adds an extra layer of security to keep the hackers at bay.

If you are using SurveyMonkey, it’s important to pick and maintain your password carefully, as it is the key to accessing respondents’ personal information. We recommend:

It’s critical to ensure your data storage system is secure. Best practice is to use a secure data center or Central File Storage and it’s a good idea to be able to have ready visibility into your physical storage location. 

When using SurveyMonkey, all your respondents’ information is securely stored in our SOC 2 accredited data centers that adhere to security and technical best practices. We ensure that collected data is transmitted over a secure HTTPS connection, and user logins are protected via TLS. Data at rest is encrypted using industry standard encryption algorithms and strength.

Of course there are many instances in which you want to share survey data with key business partners throughout your organization. Yet when doing so you want to make sure that sharing is conducted in a secure manner to ward off any breaches or allowing unauthorized users to view what could be sensitive data or personal information of respondents.

Providing secure access is essential to protecting survey data. For starters, it’s key to avoid storing data in siloed locations like laptops, mobile devices, or personal devices that have a higher risk of theft and being compromised. Sharing your login credentials can put respondents’ survey data in the wrong hands. For example, if a colleague you share your account with leaves your company, they can still access the survey responses. They can also give your login credentials to others, increasing the odds that someone uses the data irresponsibly. To let others see your survey and review your responses in a productive and secure way, try one of these two approaches:

SSL (Secure Sockets Layer) is a protocol for establishing authenticated and encrypted links between networked computers for an added layer of security.

When installed on a web server, SSL activates a padlock and the https protocol, and allows secure connections from a web server to a browser. Typically, SSL is used to secure credit card transactions, data transfer, and logins. However, more recently it is becoming the norm when securing browsing of social media sites.

Stay secure!

If you want to make the most of your survey efforts while maintaining the trust and engagement of your customers, then be sure to make privacy and security a top priority. SurveyMonkey can help you improve your data security with key information regarding security and compliance.

Learn more about how SurveyMonkey protects your survey data, and how you can be sure to keep it safe.