In roughly one month privacy compliance will change significantly, as the GDPR comes into force on the 25th of May. This regulation is the culmination of four years of effort to update data protection for the foreseeable future. To give a better understanding of what these new regulations mean for our customers, we explain below some basic principles of the GDPR and how they relate to our software. All improvements and changes necessary for the EyeQuestion Suite to comply with the GDPR will be present in versions 4.11 and up, which will be released in the second week of May.
What is the GDPR?
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy.
Who does the GDPR apply to?
GDPR applies to every business or organization that collects personal data from Union-based data subjects. Establishment in the EEA is not necessary to be subject to the terms of the GDPR: businesses and organizations located outside the EEA that collect personal data from subjects located in the EEA must adhere to the rules set out in the GDPR. Note that "Union-based data subject" refers only to data subjects located in the Union at the time of collection; the nationality of the data subject is irrelevant.
Processors & Controllers
Companies may act as a data controller, a data processor or both. The data controller is the party that determines what data is collected, how it is collected, from whom, and how it is used. The data processor executes the instructions of the data controller, either manually or programmatically; in the case of Logic8 BV this is done via our SaaS service.
Data protection principles
Article 5 of the GDPR sets out the following principles regarding the processing of personal data. Personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
ISO 27001 and GDPR
ISO 27001 covers the three essential aspects of information security as defined by the standard, people, processes and technology, in order to protect your business from technology-based risks as well as from other, more common threats relating to staff and procedural inefficiencies. Both the GDPR and ISO 27001 mandate clear accountability for data protection throughout the entire organization by requiring the appointment of a senior individual. This individual plays a major role in conducting regular risk assessments to identify threats and vulnerabilities throughout the company. Because Logic8 BV is ISO 27001 certified under ISC 146, many of the policies needed to comply with the GDPR are already in place.
What are the main changes under the GDPR and how do they differ from the Data Protection Directive?
Increased Territorial Scope
GDPR will apply to the processing of personal data by controllers and processors in the European Union, regardless of whether the processing takes place in the European Union or not. Controllers or processors not located in the European Union that process personal data of subjects located in the European Union will also have to adhere to the GDPR. This covers activities such as offering goods or services to citizens of the European Union and monitoring behaviour that takes place within the European Union. Businesses not located in the European Union that process data of EU citizens will have to appoint a representative located in the European Union in order to comply with the new regulations.
Penalties
Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
Consent
Conditions for consent have been strengthened: the request for consent must be presented in an intelligible and easily accessible form. Consent must be clear and distinguishable from other matters, with the purpose of the data processing stated in clear and plain language. Withdrawing consent must be as easy and clear as giving it.
Data Subject Rights
The third chapter of the GDPR focuses on the rights of the data subject. An overview of the major changes can be found below.
Breach Notification
Breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. Notification must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
Right to Access
Data subjects have the right to obtain confirmation as to whether or not personal data concerning them is being processed, where and for what purpose from the data controller. Additionally, the controller is bound to provide a copy of the personal data in an electronic format free of charge.
Right to be Forgotten
The right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data when he/she requires this. The conditions for erasure include the data no longer being relevant to the original purposes for processing, or the data subject withdrawing consent.
Data Portability
Data portability consists of the right of a data subject to receive the personal data concerning them, which they have previously provided, in a 'commonly used and machine-readable format', and the right to transmit that data to another controller.
Privacy by Design
Privacy by design calls for the inclusion of data protection from the onset of the design of systems, rather than as an addition. Privacy by design calls for controllers to hold and process only the data absolutely necessary for the completion of their duties (data minimization), and to limit access to personal data to those who need it to carry out the processing.
Data Protection Officers
Under GDPR the DPO must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices. The DPO may be a staff member or an external service provider, and contact details must be provided to the relevant DPA. The DPO must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge, and must report directly to the highest level of management. He or she must not carry out any other tasks that could result in a conflict of interest.
How will EyeQuestion Software meet the GDPR requirements?
An overview of how the EyeQuestion Suite is equipped to handle the GDPR requirements is found below. If you have any further questions, please do not hesitate to contact us.
GDPR main purpose (article 1)
The EyeQuestion Suite handles different types of data, depending on the data collection method; this is fully controlled by the data controller. EyeQuestion provides options for fully anonymized data collection in the form of anonymous sessions. Personal data is required if survey invitations need to be sent by e-mail or when the respondent needs to be contacted by telephone. Questions can be flagged by the data controller to indicate that they include sensitive data; flagged questions are anonymised when the user is removed from the database.
Accountability (article 5)
The requirement to keep data "no longer than necessary" is the responsibility of the data controller. As the data processor, Logic8 BV processes data solely in accordance with the instructions of the data controller. Data controllers can delete records and datasets from their SaaS environment at their own initiative at any time. Logic8 BV is developing features within the EyeQuestion Software Suite that allow a retention period to be assigned to each survey database.
Consent (articles 6, 7, 13, etc.)
Consent is the responsibility of the data controller. If consent that meets the GDPR requirements has already been obtained, no new consent is required. Visibility of consent that has already been given, or that needs to be given again, is provided in the form of a TRUE/FALSE dropdown on each user's personal page. If this option is enabled, the user must give consent before logging in to the software. The data subject's right to withdraw consent can be handled by adding your contact details, such as an e-mail address, where he/she can contact you for that purpose.
Processing which does not require identification (article 11)
While personal data is required for some actions (sending out surveys via e-mail, EyeContact panel management), survey data can also be collected anonymously using anonymous links from the deploy or allocation page. The EyeQuestion Suite provides data editing capabilities to remove or alter data once data collection has been completed. Sensitive questions can be flagged by the project manager so that they are automatically anonymised when the project is archived or a user is removed from the database; flagging these questions as sensitive is the obligation of the data controller. Once data records no longer contain personal data they no longer fall under the GDPR requirements, as the data subject is not identifiable.
Transparent information and communication (article 12)
Articles 15-22 of the GDPR cover the data subject's rights in relation to access to their data. The EyeQuestion Suite supports clients in fulfilling these obligations.
Right of access by the data subject (article 15)
Users of the EyeQuestion Suite can, depending on their access level, export data files using the standard data export functionality already present in the software. Project managers have the option to download the personal and sensitive data of each individual user using a single user export button, located in the user admin. If multiple surveys need to be checked and data exported at the request of the data subject, please contact us to see whether Logic8 BV can do this efficiently.
Right to rectification (article 16)
Data editing is already present in the EyeQuestion Suite with the option to edit user session data (from a project) or personal data (user management).
Right to erasure (right to be forgotten) (article 17)
Data removal is already present in the EyeQuestion Suite, with the option to delete project data through the sessions tab or to remove personal data using the user management options available in both modules. Sensitive questions can be flagged by the project manager so that they are automatically anonymised when the project is archived or a user is removed from the database; flagging these questions as sensitive is the obligation of the data controller.
Right to restriction of processing (article 18)
Individual sessions can be disabled to prevent them from being processed with the other data.
Right to data portability (article 20)
The EyeQuestion Suite offers a range of exportable files in Excel format along with various filter options. Project managers have the option to download the personal and sensitive data of each individual user using a single user export button, located in the user admin. See article 12 for the rules on informing the data subject.
Right to object (article 21)
See the points relating to articles 16, 17 and 18 in relation to editing and deleting project and personal data.
Data protection by design and by default (article 25)
This is the responsibility of the data controller. Logic8 BV will contribute with information regarding the technical and organizational measures taken in order to ensure the protection of personal data and overall security of the software and the SaaS service provided.
Use of other processors or subprocessors by Logic8 BV on behalf of the data controller (article 28)
Logic8 BV will inform its clients about the use of sub-processors in relation to the collection and storage of personal data. Sub-processors used will meet the requirements of the GDPR (in particular paragraphs 2 and 4 of art. 28). It is not possible for a client to reject the use of a sub-processor, as it is part of the provided SaaS service (currently Rackspace).
Removal and return of personal data (article 28)
Returning and deleting the data can be done by the controller themselves, as this is a SaaS service. Assistance will be provided by Logic8 BV if necessary. Data will be automatically deleted within 60 business days of expiration of the agreement.
Security information (article 28)
Documents regarding our security can be provided as per request.
Record of processing activities (article 30)
Both the controller and processor need to adhere to this requirement. This can be achieved via a written document.
Security of processing (article 32)
The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate the pseudonymization and encryption of personal data.
Personal data breach (article 33)
The processor will report the breach to the data controller "without undue delay". The data controller will need to assess internally what steps are necessary and notify the competent supervisory authority within 72 hours.
Data Protection Impact Assessment (article 35)
This is the responsibility of the data controller. Logic8 BV will assist if needed and if the request is within reason.
Data Protection Officer (DPO) (articles 37, 38 and 39)
Designation of a Data Protection Officer shall be done by both the controller and the processor.
Transfer of personal data to third countries and cross-border processing (article 44)
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organization to another third country or to another international organization.