Why using questionnaires for data protection is risky
The automated sending of questionnaires using computer tools, applications or platforms carries some risks and is not recommended for:
- Compliance audits
- Data protection audits
- Some risk analysis
- Impact assessments
- Internal investigations
- Other similar actions
So far there has been nothing better like a face-to-face or video conference interview, although many still think that these actions can be automated. The reasons why it‘s not recommended are as follows:
- Explicit detection of administrative offenses
- Explicit detection of crimes
- Explicit detection of anti-competitive practices
- Inadvertent creation of evidence of non-compliance
- The question or the context of a question may be misunderstood due to difficulties in explaining it
- It’s impossible to add background information if needed
- High percentage of wrong answers due to these difficulties
- It’s a challenge to create a climate of trust and conveying that we are allies of the respondant
- Evasive answers
- Unexplained N/A responses
- Inability to value non-verbal language when answering
- Delays in response
- Waste of time in reminders and follow-ups
- Disciplinary action will be required in case of no response
- A questionnaire that already has been sent out cannot be changed afterwards. In that case, a new questionnaire must be sent, although answers to the previous one may already have been received
This short list of reasons is based on the accumulation of negative customer experiences. There are many more reasons that speak against the use of automated questionnaires.
Why not to use a cookie configurator
Another task that involves risks in automation is to use a cookie configurator. Most of them compare the cookies found with a library of identified cookies. If a cookie can’t be identified, the configurator places it in the list of uncategorized cookies. If the company doesn’t categorize them, it can provide the data subject with incomplete information about the processing, which is a serious violation of the GDPR.
In our experience questionaires which are not followed up by experts can lead to a false sense of compliance security.
