Auditing my Surveymonkey account for GDPR

April 27, 2018

As part of preparing for GDPR I need to be sure that I am not holding on to data unnecessarily, so I have recently undertaken a data audit which involved me deleting all identifying data in project files archived more than six months ago.

However, I have two other places that I hold data.

Mailchimp (which I have addressed already) and Surveymonkey.

When I looked at Surveymonkey I found I have 55 surveys in my Surveymonkey account, of which 50 are more than six months old.

My primary concern with Surveymonkey is my contacts lists. These are email addresses that I fed into Surveymonkey to enable me to send out tracked links and targeted reminders. It is a useful way to do mail-outs without clogging up your own email account, and both totally legit and ethically useful, as it means that you can send reminders to non-responders without spamming responders.

But there are two problems with these contacts lists:

  • If you do a mail-out this way, Surveymonkey automatically links responses to contacts, meaning it is through-and-through your results data whether you want it or not. This is great while the survey is open, but unnecessary for analysis. I have no need to know who said what, and when I download the data I never download that bit (i.e. I routinely pseudonymise it). But it is still there, glaringly identifying, in my Surveymonkey account. From what I can see, the only way to deal with this is to delete ALL data when you’re done with it. A shame, as it means you can’t refer back to it. But that is very rarely an issue, and if needing it is anticipated then I would have legitimate grounds to keep it longer.
  • Surveymonkey takes the contacts you feed in and stores these in a great big account-level file, away from your surveys. I didn’t know that.  When it struck me that it might do that I had to search for it, and I found 2k contacts in there.  Not good.  I don’t need those.  They need to be deleted.

In addition, I can’t remember the exact content of every survey and there may be some identifying comments in the free text or names / email addresses hiding within if I’ve done a prize draw or recruitment exercise.  I shouldn’t be keeping that stuff.  So I’ve taken the decision to delete all archive data as a precaution. 

GDPR compliance is about mitigating risk for the data subject, and I judge this to be low risk.

But I might as well get it right.

So here’s what I’ve done to audit my Surveymonkey account.  You might like to do the same:

  • Sort all surveys so that the ones from projects that have been closed for six months are in an archive folder.
  • ‘Clear responses’ from each archived survey, deleting the content whilst keeping the survey templates.
  • Close all open collectors for the archived surveys, so that no additional data is collected by accident.
  • Delete all contacts held in the contacts file (via your account, button to the top right).
  • Ongoing, I will need to routinely archive / delete data from projects that have been closed for six months.

I also checked the Surveymonkey regs to see where my data is stored, and the answer is in the USA but within the US/EU privacy shield, which so far as I can see is acceptable… for now.
