On May 25, 2018, the European Union’s new data privacy and security regulation, the General Data Protection Regulation (GDPR), went into effect. News of the change dominated tech and business headlines for months before that date, but it will take time to understand its full impact on the day-to-day operations of particular industries. HR professionals must understand the rules now, because they are directly responsible for employee personal data.
GDPR compliance is mandatory, and its reach is not limited to companies established in the EU. Under Article 3 it also applies to any organisation, wherever it is located, that offers goods or services to people in the EU or monitors their behaviour; pricing in euros or using an EU domain suffix are signs of targeting EU customers rather than triggers on their own. In fact, Forbes reports that most of the personal data belonging to EU data subjects collected over the Internet is collected by U.S. companies without a physical presence in an EU country.
Even as multinational firms work to comply with GDPR as it relates to commerce and marketing, HR has a responsibility to help the organization understand its effects on internal employee processes. One area of compliance that can easily slip under the radar is the employee survey.
A carefully designed and well-implemented employee survey program is a proven way to help your organization grow and improve through your most important asset: your people. But a survey collects personal data, and GDPR violations can result in fines of up to €20 million or 4% of annual global turnover, whichever is higher.
As such, HR practitioners surveying employees within the EU should consider these three things at a minimum: Demographics, Consent, and Processors.
Under GDPR you may request only the demographic details you actually need to analyse survey results (the data minimisation principle), and you must be able to explain why each data point matters. Assessing that need can be nuanced. Broadly, a data point is justified if it can reasonably be expected to reveal trends or pressing issues pertinent to company operations or management.
Demographics let reviewers interpret the numbers accurately and find groups of people who share an opinion or perspective, revealing patterns that would otherwise stay hidden in the aggregate. For instance, a relatively small data point may not seem significant until you realize that it represents the entire racial minority of your workforce, or everyone who has worked at your company for less than five years. Proper demographics are key to understanding one’s organization, allowing leaders to make better informed decisions on any given issue.
Demographic segmentation reveals how specific issues affect different employee groups, from tenure cohorts to geographic locations. While standard cuts (such as gender, tenure, age, and biographical information) will come from the company’s HRIS system, it may be desirable to augment this with self-reported data in order to yield insights. Both attributed and self-reported data will need clear governance regarding what information is shared, stored, and used within the analytics engine to ensure individuals’ confidentiality.
But can you use HRIS data at all, and how does the GDPR affect your ability to collect additional data? The GDPR applies equally to new data collection and to data already stored: every item needs a lawful basis and a stated purpose.
GDPR makes it vital to conduct the employee survey with a legitimate business intent for each piece of data collected. For this reason, it is important that your team is equipped to ensure all survey data aligns with your survey’s purpose. Furthermore, it is advisable to consult with your company’s legal team prior to new data collection to ensure GDPR compliance and help determine if other national or regional regulations are applicable.
GDPR requires a lawful basis for every item of personal data processed, and it gives individuals the right to access, correct, or delete their data. Consent is one lawful basis, but in the employment relationship regulators treat it with caution, because an employee may not feel free to refuse. For survey attributes drawn from the HRIS, a documented and explained legitimate interest is usually the basis; explicit, affirmative consent is reserved for optional sensitive questions. Minimally, companies administering an employee survey should notify their EU employees about the data being collected and how it will be used.
Consent is particularly important for demographic data used to cut survey results. GDPR requires that the storage and use of this information be re-evaluated for its need-based legitimacy, and employees may have to be specifically informed about its use. In some cases the information is subject to the employee’s request for correction or even erasure. The rules here are complex: not every item is subject to these requests, but in most cases GDPR requires a documented justification for refusing one.
Moreover, there will often be a need to collect additional demographics not already stored in the company HRIS in order to process the survey and analyze the results effectively. Examples include sexual orientation or religion, demographics that the company would generally not hold in its HRIS, yet which can be crucial to understanding the perspectives within a large and multi-faceted organisation. These are special categories of personal data under GDPR, so collecting them requires explicit consent through an affirmative action (for example, ticking a box) that goes beyond any implied consent derived from the participant completing the survey, and the questions must be clearly optional.
The consent issue creates several pressing considerations for survey administrators:
Inform: Explain why the survey is being conducted, what data is collected, and how the organisation will use it.
Access & control: Give employees a simple way to view, edit, or delete any personal information they supply.
Explicit action: Record consent through a clear step (for example, checking a box) before asking sensitive demographic questions.
Regional Intricacies: Survey administrators must understand specific consent laws in different regions (e.g., EU vs. California) to ensure wording is "freely given, specific, informed, and unambiguous."
Clear Communication: Participants must be advised exactly how their data is used and whether it is passed back to the company’s HRIS to maintain trust and encourage participation.
Legal Counsel: Organizations should seek professional advice on survey content to ensure the non-mandatory nature of sensitive information is clearly communicated.
Many large multi-national companies choose to use a third-party survey administrator to manage the complexity of their organizational surveys. Doing so can reduce the time required to execute the survey and simplify many things, but it also requires data to be shared between companies. Under the GDPR, employees’ personal data may be transferred to a third-party processor under a written data processing agreement, but the controller and the processor each remain responsible for the safety and security of this information.
Under GDPR, every organisation in the data chain is accountable for protecting employee information. When selecting a survey vendor, confirm that the provider:
Documents every sub-processor involved in hosting or analysing your data.
Hosts EU employee data on infrastructure located inside the EU, or otherwise documents the transfer mechanism it relies on.
Avoids routine cross-border transfers of that data.
Operates private, security-audited infrastructure rather than shared public instances.
Handling or processing EU employee data outside the EU is not automatically a breach, but it does bring the GDPR’s transfer rules into play. Data may leave the EU only under the safeguards of Chapter V (an adequacy decision for the destination country, standard contractual clauses, or binding corporate rules), and the narrow derogations that allow a transfer without such safeguards are meant for occasional, one-off transfers, not regular two-way flows. For companies with EU-based employees it is therefore simplest to choose a survey administrator with a dedicated workforce and infrastructure in the EU, so that the data never leaves the EU while it is being processed and no transfer mechanism has to be justified at all.
One further point of caution: ask your survey processor whether it relies on sub-processors for any of the services it renders (hosting, analytics, support). Under GDPR a processor may engage sub-processors only with your authorisation and must bind them to the same obligations, but every additional party is another place a breach can occur, and you, as the controller, remain accountable.
Working with an EU-present company brings other advantages besides security and compliance. For example, a European presence means that EU-based companies enjoy prompt service and timely communication due to the geographical proximity of all concerned parties. With dedicated in-country staff, survey projects will be more easily managed along a consistent timeline, with professionals who are accustomed to the local laws and cultural norms.
Anonymity and confidentiality are key concepts of employee surveys. Both depend on the extent to which response data can be linked back to an individual, and clear standards must be agreed in order to maintain trust throughout the survey process.
As a rule, a confidential survey is one in which the identity of an employee is known to the survey provider, but is not directly shared with the surveying organization. An anonymous survey is one in which the identity of survey participants is not known to anyone.
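The difference between the two models comes down to whether a linkable identifier is stored and who can resolve it. The following Python is an added illustration, not Perceptyx’s or any vendor’s code, using a constructed HRIS extract: it shows why a plain hash of an employee number is not a pseudonym (the ID space is small enough to enumerate), how a keyed token held only by the processor gives a confidential survey its linkability without letting the client re-identify respondents, and what an anonymous record looks like. The key, the employee numbers and the record layout are all assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed HRIS extract (example data, not the page's). Employee numbers are short and
# sequential, which is typical, and it is exactly what makes an unkeyed hash reversible.
HRIS = {
    "000123": {"dept": "Finance", "tenure": "<5y"},
    "000456": {"dept": "Finance", "tenure": "5y+"},
    "000789": {"dept": "Legal", "tenure": "<5y"},
}

# Assumed: a per-programme secret held only by the survey processor (in practice from a KMS/HSM).
PROCESSOR_KEY = secrets.token_bytes(32)


def unkeyed_token(employee_id: str) -> str:
    """SHA-256 of the employee number. Looks anonymous, but anyone can recompute it."""
    return hashlib.sha256(employee_id.encode()).hexdigest()


def keyed_token(employee_id: str, key: bytes = PROCESSOR_KEY) -> str:
    """HMAC-SHA256 under the processor's secret. Deterministic, so the processor can link a
    person's answers across survey waves; unguessable to anyone without the key."""
    return hmac.new(key, employee_id.encode(), hashlib.sha256).hexdigest()


def reidentify(token: str, tokenise, id_space: int = 1_000_000):
    """Attacker's view (for example, the surveying organisation holding a report extract):
    enumerate every possible six-digit employee number and stop when the tokens match."""
    for n in range(id_space):
        candidate = f"{n:06d}"
        if tokenise(candidate) == token:
            return candidate
    return None


def confidential_record(employee_id: str, answers: dict, key: bytes = PROCESSOR_KEY) -> dict:
    """Confidential model: the client receives a keyed pseudonym plus the HRIS demographic
    cut, never the employee number; only the processor can map the token back to a person."""
    return {"token": keyed_token(employee_id, key), **HRIS[employee_id], "answers": answers}


def anonymous_record(employee_id: str, answers: dict) -> dict:
    """Anonymous model: no identifier is stored at all, so nobody, including the processor,
    can link the answers to a person or to the same person's answers in a later wave."""
    return {**HRIS[employee_id], "answers": answers}


if __name__ == "__main__":
    print("unkeyed token recovered as", reidentify(unkeyed_token("000123"), unkeyed_token))
    print("keyed token recovered as", reidentify(keyed_token("000123"), unkeyed_token, 20_000))
    print(confidential_record("000456", {"q1": 4}))
    print(anonymous_record("000456", {"q1": 4}))
```

Even the keyed token is only pseudonymisation in GDPR terms, and the demographic attributes travelling with each record can still single someone out (a department with one non-binary employee, say). That is why reporting thresholds matter regardless of which model is chosen.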
Survey programs that follow GDPR standards see higher participation rates because employees understand how their data will be protected and used. Practices that protect anonymity and confidentiality include:
Following guidelines for minimum number of responses required to generate data reports
Controlling access to demographic details to a limited number of people in an organization
Providing the organization with aggregate results only rather than individual (case-wise) data
Developing a well-thought-out communication plan
Providing auto authentication (single sign on) techniques
Minimizing the number of demographic questions employees answer in non-attributed surveys
Organizations that exceed GDPR minimum requirements create listening programs where employees feel confident sharing honest feedback.
Multi-national organizations with EU employees can satisfy the GDPR’s transfer rules most simply by keeping survey data, and its processing, within the EU.
Perceptyx has served enterprise customers for over 15 years. To better serve clients with a significant European employee contingent, we maintain dedicated staff and data server farms in mainland Europe, allowing us to process EU customers’ data within the EU, in full compliance with the GDPR. Locating our staff and servers in mainland EU also preempts possible complications from the UK’s separation from the European Union: the pending changes resulting from Brexit will have no impact on the long-term GDPR compliance of our European clientele.
Perceptyx maintains the following industry-standard certifications:
ISO 27001
SOC 2 Type II
Privacy Shield (the EU-U.S. framework in force when this was written; the Court of Justice of the EU invalidated it in July 2020, and it no longer provides a lawful basis for transfers)
In addition to the GDPR-compliant guarantees listed above, Perceptyx brings an array of benchmark advantages to data collection and processing. Our rigorous data aggregation practices add a further measure of protection for individual confidentiality: while the Perceptyx analytics system accounts for each individual participant in order to guarantee accurate splits, our reporting protocol ensures that no reported split is ever small enough for an end user to deduce an individual’s identity or answers. This maintains trust between the organization and its employees and protects individuals’ confidentiality.
Perceptyx’s EU-based staff will work with your company to ensure not only compliance with these new data privacy laws, but communication consistent with the GDPR’s ultimate objective of individual privacy protection. Rather than simply provide a detailed checklist of issues which companies must figure out how to conform to, we offer you a dedicated consulting staff who can advise on legal issues, serve as employee liaison, support best practices, and ensure GDPR compliance every step of the way.
A GDPR-compliant survey collects only the personal data it needs, explains the purpose up front, relies on a documented lawful basis (legitimate interest for HRIS attributes, explicit consent for optional sensitive questions), keeps the data secure inside the EEA or transfers it only under Chapter V safeguards, and honors every employee’s right to view, correct, or delete their data.
GDPR requires personal data to be kept secure and used only for its stated purpose. Companies protect identities by sharing only group-level results and suppressing groups too small to report. Some programs go further and keep surveys fully anonymous, so no identifying details are stored at all.
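The small-group suppression described here, in the confidentiality practices list (a minimum number of responses before a report is generated) and in the reporting protocol above, is easy to get subtly wrong: hiding one small cell is not enough when the parent total is published, because the hidden cell’s count and score follow by subtraction. The following Python is an added example, not Perceptyx’s reporting code, with constructed sample responses and an assumed threshold of five; it applies primary suppression, then complementary suppression, and shows what a report reader could reconstruct with and without it.

```python
from collections import defaultdict

MIN_N = 5  # assumed reporting threshold: cells with fewer responses are never shown


# Constructed sample survey responses (example data, not the page's): one favourability
# score (1-5) per respondent, with two demographic attributes drawn from the HRIS.
def _rows(dept, gender, scores):
    return [{"dept": dept, "gender": gender, "score": s} for s in scores]


RESPONSES = (
    _rows("Finance", "F", [4, 5, 3, 4, 4, 5, 3, 4])
    + _rows("Finance", "M", [3, 4, 4, 2, 5, 3])
    + _rows("Finance", "NB", [2])                                 # a single respondent
    + _rows("Legal", "F", [4, 4]) + _rows("Legal", "M", [3, 5])   # unit too small overall
    + _rows("Eng", "F", [5, 4, 4, 3, 5, 4, 4, 5, 3, 4])
    + _rows("Eng", "M", [4, 3, 4, 4, 2, 5, 4, 3, 4])
    + _rows("Eng", "NB", [3, 4])
    + _rows("Eng", "X", [5])                                      # "prefer not to say"
)


def aggregate(rows, by):
    """Group rows by one demographic; return each cell's response count and rounded mean score."""
    groups = defaultdict(list)
    for r in rows:
        groups[r[by]].append(r["score"])
    return {k: {"n": len(v), "mean": round(sum(v) / len(v), 2)} for k, v in groups.items()}


def suppress(cells, min_n=MIN_N, complementary=True):
    """Primary suppression hides every cell below min_n (None means suppressed).
    Complementary suppression: if exactly one cell of a split is hidden while the parent
    total is published, its n and mean follow by subtraction, so the smallest visible
    cell is hidden as well, leaving the reader only a combined figure for the hidden cells."""
    out = {k: (v if v["n"] >= min_n else None) for k, v in cells.items()}
    hidden = [k for k, v in out.items() if v is None]
    visible = [k for k, v in out.items() if v is not None]
    if complementary and len(hidden) == 1 and visible:
        out[min(visible, key=lambda k: cells[k]["n"])] = None
    return out


def remainder(total, cells):
    """What a report reader can reconstruct about the hidden cells of a split from the
    published parent total and the visible cells (means are rounded, so sums are approximate)."""
    shown = [c for c in cells.values() if c is not None]
    n = total["n"] - sum(c["n"] for c in shown)
    if n <= 0:
        return None
    s = round(total["mean"] * total["n"]) - sum(round(c["mean"] * c["n"]) for c in shown)
    return {"n": n, "mean": round(s / n, 2)}


def report(rows, unit="dept", split="gender", min_n=MIN_N):
    """Unit-level report: the unit's own total, then the split within it, both suppressed."""
    out = {}
    for u in sorted({r[unit] for r in rows}):
        subset = [r for r in rows if r[unit] == u]
        total = aggregate(subset, unit)[u]
        if total["n"] < min_n:
            out[u] = {"total": None, split: {}}  # whole unit below threshold: report nothing
        else:
            out[u] = {"total": total, split: suppress(aggregate(subset, split), min_n)}
    return out


if __name__ == "__main__":
    import json
    rep = report(RESPONSES)
    print(json.dumps(rep, indent=2))
    fin = aggregate([r for r in RESPONSES if r["dept"] == "Finance"], "gender")
    print("primary only leaks:", remainder(rep["Finance"]["total"], suppress(fin, complementary=False)))
    print("with complementary:", remainder(rep["Finance"]["total"], rep["Finance"]["gender"]))
```

With only primary suppression, the Finance report exposes the lone non-binary respondent’s score (n=1, mean 2.0) to anyone who subtracts the visible cells from the department total; with complementary suppression the reader learns only a combined figure for seven people. The same differencing attack works across independent cuts (department by gender versus department by tenure), so a production reporting engine applies the rule across every published table that shares a parent, not one table at a time.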
For data already in your HRIS, you can rely on legitimate interest if you explain how you will use it. For new or sensitive fields—such as disability status—you must get explicit, opt-in consent.
You may collect these details only when you can justify a clear business need and employees opt in. State the purpose, limit access, retain the data only as long as necessary, and keep results strictly aggregated.
The agreement should define roles, name all sub-processors, require EU hosting or lawful transfer measures, outline security certifications, set retention limits, and explain how the vendor will support access, correction, and deletion requests.
No single U.S. law matches GDPR, but state rules like California’s CCPA/CPRA cover some of the same ground. If you run surveys in multiple regions, design your program to meet the strictest rule that applies—often GDPR.