Is Google Forms GDPR Compliant?

    As far as marketers are concerned, customer experience should always be a key focus.
     
    And really, there’s no better way to find out what people think about your offering - and what else is out there on the market - than from the horse’s mouth.
     
    Survey platforms, like Google Forms, are great tools to this end - allowing you to create online questionnaires to send out to customers.

    This direct customer engagement is great for building trust, pinpointing weaknesses in your business, and increasing revenue.
     
    However, any marketer worth their salt will worry about the impact of Google Forms on their data privacy requirements.
     
    So, does it meet GDPR’s strict standards for data control?

    The answer is maybe; it’s possible, but it depends on the type of information you collect and how you share it. Google Forms also needs to be set up and used properly.
     
    This article will explain how you can do this.

    Why is GDPR relevant to Google Forms?

    In simple terms, GDPR is concerned with the security of personal data - exactly the kind of information that survey tools exist to collect.
     
    Of course, if you’re only using this software for internal company work which does not collect personal data – and we’ve written before about what is and isn’t considered personal data under GDPR rules – then you’ve got nothing to worry about. 
     
    It’s much more likely, however, that you will be using it to collect personal data from customers. 
     
    As such, you need to ensure that your survey tools and processes comply with GDPR. If not, your company runs the risk of falling foul of data protection authority enforcement. 
     
    In GDPR vernacular, Google Forms is the “data processor” of information pulled from surveys, while your company remains the “data controller” – meaning you would be liable to fines if the data is not properly looked after.

    How to make Google Forms GDPR compliant


    Make certain that personal data is stored in the EU

    If you’ve been following data privacy news stories, you will have seen that Google has come under fire from the European Commission for its practice of storing personal data in the US.
     
    Unfortunately, the US falls short of GDPR standards since its surveillance laws allow the government to access any personal data on demand.
     
    Google Forms itself stores data on different servers around the world. To ensure GDPR compliance, you’ll need to:

    • Subscribe to a business or premium version of Google Workspace
    • Set preferences so that any data is stored within the EU
    • Review data transfer preferences regularly to ensure sustained compliance
    • Include any data transfer information in your privacy notice


    Build Transparency with Customers into your Forms

    Transparency is the cornerstone of GDPR requirements. 

    For surveys, this means that the participants need to be made aware of your company’s purpose for collecting information, as well as what personal data of theirs is being collected and what will happen to it in the future.
     
    Unfortunately, Google Forms’ default settings do not automatically meet GDPR standards for transparency, but this can be achieved relatively simply.
     
    Firstly, you’ll need to include a link on each form to your customer privacy notice, where they will find a section specific to personal data and surveys.
     
    Secondly, you’ll also want to paste a paragraph into each form that clearly explains what your company will do with the collected information. 


    Restrict Access to Authorized People Only

    Google Forms makes it easy to share documents with others – a handy feature when you’re collaborating on a marketing project.
     
    However, this also means that you are sharing the personal data of people who have filled out these forms – increasing the likelihood of what GDPR considers a “data breach”.
     
    Given this, you’ll need to set up processes in your company so that only authorized people have access to the personal data harvested from Google Forms, and that they respect your company’s code of conduct regarding data protection.


    Establish your Legal Basis for Processing Information

    GDPR requires that your company explicitly justifies the collection of any personal data from surveys – consent is often enough, but Article 6 offers five other scenarios:

    • To meet the contractual obligations with the data subject
    • To meet any legal obligations that you might have
    • To protect the vital interests of the data subject
    • To complete tasks of a public interest
    • To realize the legitimate interests of the data subject

    For the average private-sector company, then, you simply need to make sure that you only collect the personal data you need to provide your customers with what they want.
     
    So, for instance, a footwear retailer would need to know a customer’s shoe size, address, and contact details, but they don’t need to know their race or blood type.
     
    This legal justification is something that you may well already have covered in your privacy notice, so it’s important to verify whether this has been laid out explicitly. If not, you’ll need to include this information in the privacy notice that each of the forms links to.


    Ensure Data Retention is Kept to a Minimum

    GDPR rules are very strict regarding how long you are allowed to hold on to personal information – a company can only store data for as long as necessary to fulfill its function.
     
    But by default, any data collected by Google Forms is stored indefinitely unless you set up a retention policy in Google Workspace.
     
    This is an easy and important task to do. Workspace allows you to designate an appropriate data retention period for each Google Form; you can set a deletion date for forms you will be using for a limited period, and a deletion schedule for those that you will be using for an indeterminable period.
     
    Remember also that Google Forms allows you to automatically export data to both Google Sheets and email. This is a very useful function, but it does mean that you could be breaking data privacy laws without even realizing it.

    As such, double check that this function has been turned off.
     

    Choose a Google Forms Alternative

     
    As you can probably tell, GDPR compliance is hardly a priority for Google, though it wouldn’t take long to set it up to meet the letter of the law.
     
    Luckily, marketers do have a range of other survey platforms that they can choose from.
     
    If you’re considering changing software, we’ve researched the top Google Forms competitors and tested them for GDPR-readiness. Read our results here.