When good intentions fall on deaf ears: sensitive survey data collection & protection
The best way to keep sensitive survey data private is to not collect it in the first place.
Sensitive data doesn’t just mean credit card numbers and transaction histories. When your customers answer surveys, they frequently offer up sensitive data: personal income, contact info, and in some cases even social security numbers, health info or login credentials.
DLP for your Experience Data
Many large organizations rely on Data Loss Prevention (DLP) technology to protect their O-data like sales figures, financial information and HR records. But Qualtrics now offers DLP technology for X-data like feedback from your customers, employees and partners.
The Qualtrics solution actually goes one step beyond DLP, though: rather than just ensuring you don’t leak sensitive data, Qualtrics helps you avoid collecting it in the first place unless absolutely necessary.
DLP is data damage control. Qualtrics is data damage prevention.
Study on Rogue Research
Organizations that allow employees to run independent research with unknown survey tools might not even know they’ve collected sensitive data, and may be blissfully unaware of whether they are in violation of regulatory statutes. Well-intentioned policies won’t excuse you from regulatory noncompliance.
In a recent Qualtrics study about survey data privacy, 86% of organizations said they have policies about avoiding the collection of sensitive customer data in surveys, but nearly one quarter of them don’t know how many surveys they send out.
That would be like a parent setting their teen’s curfew at midnight but never actually staying up to see if anyone came home. Just having a rule doesn’t mean it’s being observed. Rules that are respected are rules that are enforced.
Standardizing all surveys onto one platform helps to remedy the problem of owning sensitive data, and more organizations are considering this option to stay in good standing with the law. When an enterprise is standardized on one survey platform instead of many, their survey data is also much more likely to be in harmony with data privacy best practices because there are no pockets of rogue data strewn about among various teams.
If an enterprise doesn’t have visibility into the surveys it sends, it doesn’t have visibility into its standing on data compliance. The stark fact that organizations have policies prohibiting certain types of survey data collection but nearly 1 in 4 of them can’t tell you how many surveys they send out signals a lack of serious enforcement of the policy.
Enterprises can’t protect data they don’t know they collected in unapproved surveys.
Other aspects of the survey were also revealing.
For example, we discovered common behavior patterns that correlate with an organization being at risk of data regulation penalties, such as:
Using 3+ different survey platforms
Having over 500 employees
Having faced regulation penalties in the past
Having accidentally collected prohibited data in surveys
Being unaware of how many different surveys have been created by employees
If any (or all) of these behaviors are common at your organization, you are more likely to be at risk of fines and scrutiny.
Even beyond the obvious compliance risks associated with owning sensitive survey data, the brand risks may be even more concerning. Brands that experience serious data loss have few places to hide as these are sexy stories the media likes to cover at length.
Preventing the Problem of Sensitive Survey Data Collection
Smart organizations are immunizing themselves by not admitting harmful feedback data behind the firewall if it isn’t necessary to host. The cost/benefit ratio is out of balance when you factor in the risks of regulation penalties, brand damage and stock risks.