What are the legal best practices for UK companies when collecting customer feedback?

11 June 2024

In our data-driven world, businesses have grown increasingly dependent on customer feedback. It is your most direct line to understanding your customers' needs and preferences. However, since the General Data Protection Regulation (GDPR) came into force, and for UK companies since it was carried into domestic law as the UK GDPR alongside the Data Protection Act 2018, this process has become more complex. Companies now bear the responsibility of ensuring that their data collection practices comply with these stringent requirements. This article explores the lawful basis for processing personal data, the concept and importance of consent, and best practices for ensuring GDPR compliance when collecting customer feedback.

Understanding the Lawful Basis for Processing Personal Data

For the uninitiated, the GDPR is a regulation enacted by the European Union to protect the privacy and personal data of individuals in the EU. The UK retained it on leaving the EU as the UK GDPR, supervised by the Information Commissioner's Office (ICO), so the principles below apply to UK companies in the same way. One of its fundamental tenets is the need for a lawful basis for processing personal data. In simple terms, companies must have a valid reason for collecting and using personal data, and must be able to show what that reason is.

There are six recognised lawful bases under the GDPR (Article 6): consent, contract, legal obligation, vital interests, public task, and legitimate interests. For most companies, the lawful basis for collecting customer feedback will be either consent or legitimate interests, and the choice should be made before collection starts, since switching basis afterwards is difficult to justify.

Consent is perhaps the most visible basis. It is given by the individual to the company, authorising them to process their personal data for a specific purpose - in this case, the collection of customer feedback. It also sets the highest bar: it must meet the standard described in the next section, it can be withdrawn at any time, and if it is withdrawn you must stop the processing it covered.

Legitimate interests, on the other hand, is a bit more nuanced. It can be relied on if you can show that there is a legitimate interest (for example, improving your service), that the processing is necessary for that interest, and that the interest is not overridden by the individual's interests, rights and freedoms. The ICO expects this three-part test to be written down as a legitimate interests assessment (LIA) before you rely on it. A short post-purchase survey that a customer would reasonably expect is a typical case; using the responses for unrelated marketing is not.

Knowing your lawful basis is only the beginning; it is equally crucial to document it and communicate it clearly to your customers. A clearly-stated privacy notice, for instance, can play a key role in this communication.

The Importance of Consent in Data Collection

Having established the need for a lawful basis, let's delve deeper into the concept of consent. In the context of the GDPR, consent isn't just about ticking boxes. It must be freely given, specific, informed and unambiguous, and indicated by a clear affirmative action; a pre-ticked box, silence or inactivity does not count. In other words, your customers need to understand exactly what they're consenting to, and it should be as easy to withdraw consent as it was to give it.

When collecting customer feedback, it is imperative to request and record consent wherever you rely on it: keep a record of who consented, when, what they were told (for example, the version of the privacy notice shown) and how they consented. For instance, if you are a resort seeking feedback after a holiday, you could ask for consent at the time of booking or at check-in. Alternatively, online businesses could incorporate a consent checkbox in their feedback forms, unticked by default and separate from acceptance of general terms and conditions.

Remember, consent isn't a one-and-done deal. Review it periodically and, if you want to use the data for a new purpose that the original consent did not cover, obtain fresh consent for that purpose rather than relying on the old one.

GDPR Compliance in Customer Feedback Collection

In light of these regulations, what do GDPR-compliant feedback collection practices look like?

Transparency forms the cornerstone of GDPR compliance. Make sure your customers understand why you're collecting their feedback, what data you're collecting, how it will be used, and how long it will be stored. This information should be easily accessible, ideally in the form of a privacy notice or policy.

Data minimisation is another crucial principle. Collect only what you need, nothing more, nothing less. For example, if you're conducting a customer satisfaction survey, you don't need to collect data like marital status or number of children unless it's directly relevant to your survey.

Additionally, ensure that you have systems in place to protect the data you collect. Article 32 of the GDPR requires appropriate technical and organisational measures proportionate to the risk, which for feedback data typically means access restricted to the people who need it, encryption in transit and at rest, and deletion once the stated retention period has passed.
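As an added illustration (not code from this article), the consent rules in the previous section and the transparency, minimisation and retention points above can be turned into a small feedback-intake module. The field names, the privacy notice version, the one-year retention period and the timestamp are assumed values chosen for the example.

```python
# Added example, not the article's own code: a feedback-intake store that
# rejects fields outside an allow-list (data minimisation), records consent with
# its timestamp and the privacy-notice version shown, honours withdrawal, and
# enforces a retention period. All constants below are assumed for the example.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional
import uuid

# Assumed survey schema: only what a satisfaction survey actually needs.
ALLOWED_FIELDS = {"rating", "comment", "email"}
REQUIRED_FIELDS = {"rating"}
PURPOSE = "customer-feedback"        # the specific purpose the consent covers
NOTICE_VERSION = "2024-06"           # privacy notice version shown to the person (assumed)
RETENTION = timedelta(days=365)      # retention period stated in the notice (assumed)
T0 = datetime(2024, 6, 11, tzinfo=timezone.utc)  # constructed timestamp for the demo


@dataclass
class ConsentRecord:
    given_at: datetime
    purpose: str
    notice_version: str
    withdrawn_at: Optional[datetime] = None


@dataclass
class FeedbackRecord:
    record_id: str
    created_at: datetime
    consent: ConsentRecord
    data: Dict[str, str] = field(default_factory=dict)


class FeedbackStore:
    def __init__(self) -> None:
        self.records: Dict[str, FeedbackRecord] = {}

    def submit(self, form: Dict[str, object], now: Optional[datetime] = None) -> str:
        now = now or datetime.now(timezone.utc)
        # Data minimisation: fields outside the allow-list are rejected rather
        # than silently stored, so schema creep in the survey is caught early.
        unexpected = set(form) - ALLOWED_FIELDS - {"consent"}
        if unexpected:
            raise ValueError(f"unexpected fields rejected: {sorted(unexpected)}")
        missing = REQUIRED_FIELDS - set(form)
        if missing:
            raise ValueError(f"missing required fields: {sorted(missing)}")
        # Consent must be an affirmative act. An absent key, a falsy value or a
        # string such as "on" from a pre-ticked default is not treated as consent.
        if form.get("consent") is not True:
            raise ValueError("no valid consent recorded for this submission")
        record_id = str(uuid.uuid4())
        consent = ConsentRecord(given_at=now, purpose=PURPOSE, notice_version=NOTICE_VERSION)
        data = {k: str(form[k]) for k in ALLOWED_FIELDS if k in form}
        self.records[record_id] = FeedbackRecord(record_id, now, consent, data)
        return record_id

    def withdraw(self, record_id: str, now: Optional[datetime] = None) -> None:
        # Withdrawal is one call with no conditions. The personal data is erased;
        # only the consent audit trail (given, withdrawn, notice version) is kept
        # so that the withdrawal itself can be demonstrated later.
        rec = self.records[record_id]
        rec.consent.withdrawn_at = now or datetime.now(timezone.utc)
        rec.data.clear()

    def may_process(self, record_id: str, now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        rec = self.records.get(record_id)
        if rec is None or rec.consent.withdrawn_at is not None:
            return False
        return now < rec.created_at + RETENTION

    def purge_expired(self, now: Optional[datetime] = None) -> int:
        # Storage limitation: delete records past the retention period stated in
        # the privacy notice. Returns the number of records removed.
        now = now or datetime.now(timezone.utc)
        expired = [rid for rid, r in self.records.items() if now >= r.created_at + RETENTION]
        for rid in expired:
            del self.records[rid]
        return len(expired)


if __name__ == "__main__":
    store = FeedbackStore()
    # Constructed submission, as a web form handler would pass it on.
    rid = store.submit({"rating": 4, "comment": "Great stay", "email": "guest@example.com", "consent": True}, now=T0)
    print("stored", rid, "processable:", store.may_process(rid, now=T0))
    store.withdraw(rid, now=T0)
    print("after withdrawal processable:", store.may_process(rid, now=T0))
    print("purged after retention:", store.purge_expired(now=T0 + RETENTION))
```

The allow-list is the enforcement point for data minimisation: adding a marital-status question to the survey means changing `ALLOWED_FIELDS`, which is a visible, reviewable change rather than a silent one. The `consent is True` check only guards the server side; the form itself must still present an unticked box with a clear description of the purpose.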

The Role of Data Protection Officer in Ensuring Compliance

For many companies, especially those dealing with large quantities of personal data, a Data Protection Officer (DPO) can be invaluable in navigating the GDPR landscape. Appointing one is mandatory under Article 37 for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category data; it is optional otherwise. A DPO's responsibilities include informing and advising the company about its obligations under the GDPR, monitoring compliance, and acting as the first point of contact for the supervisory authority (the ICO in the UK) and for individuals whose data is being processed.

If your company doesn't have the resources for a dedicated DPO, there are many consultants and firms who offer DPO services on a contractual basis.

Best Practices for Customer Feedback Collection

With these regulations in mind, let's discuss some best practices for customer feedback collection. First and foremost, be clear and concise with your questions. The goal is to gather insightful responses, so avoid jargon or leading questions.

Next, make sure your feedback collection methods are accessible. Utilise various channels - from emails and surveys to social media and in-person feedback collection. The easier you make it for your customers to provide feedback, the more likely they are to participate.

Finally, act on the feedback you receive. Customers will be more willing to share their thoughts if they see that their feedback is valued and leads to positive changes.

Navigating the GDPR may seem like a daunting task. However, with the right knowledge and practices, you can not only ensure compliance but also build stronger, more trusting relationships with your customers. After all, at its heart, the GDPR is all about respect for individuals and their personal data.

Understanding the Risks of Non-Compliance

Failing to comply with GDPR regulations can result in severe consequences for your business, so understanding the risks is paramount. The potential risks of non-compliance are not only legal but also could harm your reputation and consumer trust.

From a legal perspective, penalties for non-compliance are severe. For the most serious infringements, the ICO can fine a company up to £17.5 million or 4% of its total annual worldwide turnover for the preceding financial year, whichever is higher (the EU GDPR figure is €20 million or 4%). Moreover, in addition to the monetary penalties, the ICO can issue enforcement notices requiring a business to stop or change its data processing, which can cause significant operational disruption.

Reputation and trust are invaluable assets for any business. Non-compliance with GDPR could lead to a loss of consumer trust, which can be extremely damaging. If consumers believe that a business is not taking their privacy seriously or is unable to protect their personal data, they may choose to take their business elsewhere.

In addition, a data breach due to non-compliance can lead to adverse publicity, tarnishing the brand's reputation. Given the importance of social media in today's business environment, negative news can spread rapidly and broadly, making recovery difficult and time-consuming.

In the event of a personal data breach that is likely to result in a risk to individuals, the GDPR requires companies to notify the supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to the individuals affected, they must also be informed without undue delay. Keeping an internal log of every breach, including those not notified, is itself a requirement. Such notifications can also expose the company to compensation claims from affected customers or third parties.

Ensuring compliance with GDPR is not just about avoiding penalties, but it's also about safeguarding your business reputation and maintaining customer trust.

Working with Third-Party Service Providers

Businesses often work with third-party service providers who handle personal data on their behalf. Such partnerships can present additional challenges in terms of GDPR compliance.

Under the GDPR, a business acting as data controller remains responsible for the processing, even where it is carried out by a third-party processor such as a survey platform or email provider. Article 28 requires a written contract with each processor that, among other things, binds the processor to act only on your documented instructions, to keep the data confidential and secure, to obtain your authorisation before engaging sub-processors, to assist with data subject requests and breach notification, to delete or return the data at the end of the service, and to submit to audits. Businesses must ensure their partners understand these obligations and are adhering to them.

Furthermore, it's essential to conduct regular audits of your third-party service providers to ensure they are adhering to their obligations under the GDPR. This can help identify any potential issues before they become major problems.

Working with third-party service providers doesn't absolve you of your responsibilities under the GDPR. Careful selection and regular monitoring of your partners can go a long way in ensuring compliance and protecting your business from potential risks.


Navigating the GDPR can seem like a daunting task, but it is crucial for businesses to understand and implement these regulations correctly. Non-compliance can result in severe legal penalties and can damage your reputation and customer trust.

By ensuring you have a lawful basis for processing personal data, obtaining and documenting consent, being transparent with your customers, and minimising data collection, you can ensure compliance with the GDPR. Moreover, by working responsibly with third-party service providers and understanding the risks of non-compliance, you can further safeguard your business.

At its heart, GDPR is about respecting and protecting personal data. By adhering to these regulations, businesses can demonstrate their commitment to data privacy and build stronger, more trusting relationships with their customers. After all, in our data-driven world, customer trust is a valuable commodity that can set your business apart. Remember, GDPR compliance is not just a legal obligation, but an opportunity to show your customers that you value their privacy and are dedicated to protecting their personal data.

Copyright 2024. All Rights Reserved