SurveyMonkey, the world’s most popular platform for surveys and forms, recently launched its Trust Center, a new transparency hub that helps businesses evaluate the company as a trusted partner, strengthen internal accountability, and build lasting customer trust. We chatted with Sally-Anne Hinfey, VP, Legal, to learn more.
1. From your perspective, what are the primary disconnects between claimed GDPR comprehension and actual real-world compliance within organizations?
The disconnect often lies between policy and practice. Many organizations believe they’re compliant because they’ve ticked the right boxes on paper. In reality, true compliance requires strong leadership and strategy, effective program management, comprehensive training and education, continuous monitoring, internal accountability, and diligent vendor oversight. In fact, our research affirms that while 95% of UK businesses say they understand and meet all GDPR requirements, over half have still experienced data-related issues—proof that confidence doesn’t always equal control.
2. Budget constraints and legacy technology are identified as significant barriers to cybersecurity investment. How does your organization navigate these financial and infrastructural challenges to ensure robust data protection in a threat-prone environment?
We take a focused, risk-based approach—prioritizing security investments that deliver the greatest impact given our business’s risk profile and leaning into our existing tools and assets. Rather than trying to do everything at once, we identified the highest-risk areas for our business and layered protections accordingly. It is an iterative approach, not a one-and-done project. It requires a layered and multi-faceted threat prevention and detection program that you are continually reviewing and updating. Steps we took included appointing a strong leadership team for security, strengthening our cloud and zero-trust architecture, implementing rigorous monitoring and incident response processes, and designing access controls that made sense for our business and our customers. Finally, we keep our teams trained and informed. By embedding security and privacy-by-design into our workflows, we avoid costly retrofits later on.
3. How is your organization addressing the unique data privacy and security implications introduced by AI technologies, particularly generative AI?
We’re actively building guardrails to manage AI responsibly. This includes establishing internal governance policies that are mapped to industry standards as well as regulatory requirements, a working group with responsibility for defining and managing risk, restricting certain high-risk use cases, and providing AI-specific privacy training to employees. Our research states that 70% of UK businesses are already developing or implementing policies to manage AI-related privacy concerns. Thoughtful governance is becoming a baseline. For us, it’s not just about compliance—it’s about using AI in a way that builds trust and creates value.
4. How do you quantify or assess the ROI of robust data protection practices in terms of customer loyalty and market differentiation?
Trust has become a key differentiator, with three-fourths of respondents (75%) from Cisco’s 2024 Consumer Privacy Study admitting they will not purchase from organizations they don't trust with their data. When customers see that we handle their data with care—and can back it up with transparency and credentials—they’re more likely to stick with us and refer others. That kind of loyalty doesn’t just protect revenue, it fuels growth. Our new Trust Center is a perfect example: it makes our commitment visible, helping procurement teams choose us with confidence.
5. What are the key criteria for your organization to verify a vendor's data security and privacy posture?
We look for a clear, documented commitment to privacy—ideally backed by third-party audits, recognized certifications, and transparent practices. But beyond paperwork, we assess how embedded data protection is within a vendor’s culture and operations. Do they train their teams? Can they answer detailed questions about data handling, data retention, and deletion practices? Can they show—not just tell—that they’re trustworthy? Those are the markers that give us confidence.
6. Looking forward, what are your organization's top priorities for future data privacy investments to maintain a competitive edge and ensure long-term compliance?
Looking ahead, our focus is on scalability and resilience. As privacy regulations evolve and AI adoption accelerates, we’re investing in technology that helps us stay ahead, like automated privacy management tools, advanced encryption, zero trust architecture, and stronger vendor risk assessment frameworks. We’re also doubling down on transparency, because as SurveyMonkey research cites, nearly 90% of businesses now insist on clear proof of compliance before partnering. Making that information accessible isn’t just good practice—it’s becoming table stakes.