The General Data Protection Regulation, or GDPR as it’s more commonly known, goes into effect on May 25, 2018. It replaces its predecessor, the Data Protection Directive, in an effort to provide more stringent protection of the personal data of EU residents.
If you do business in Europe, have European employees, or otherwise collect or store information from anyone living in the EU, then you will likely need to comply with the GDPR. For the purposes of this article, if you use Checkbox to import user information or receive survey responses from anyone living in the EU, that data collection and processing is subject to the GDPR. This is true regardless of what country you reside in, where your business is located, or where your Checkbox data is stored.
When it comes to the data collected and stored in your Checkbox Survey account, GDPR compliance is a joint responsibility between you as the account or survey administrator and Checkbox. This article will summarize the requirements of the GDPR and how Checkbox plans to meet its GDPR obligations by the May 25th deadline. It will also list some of the obligations that account or survey administrators have with regard to the storage and protection of personal data in Checkbox.
Disclaimer: This article is not intended as legal advice or to offer a fully inclusive list of all GDPR requirements – if you have any questions about your own responsibilities regarding GDPR, we recommend that you consult with an appropriate legal professional.
GDPR Key Points
The GDPR covers the collection, storage and processing of personal data from anyone living in the EU. Personal data is defined as any information “that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
GDPR compliance is the responsibility of both the data controller (the person or organization that decides why and how personal data is collected and used) and the data processor (the person or organization that processes the data on the controller’s behalf). With regard to your Checkbox Survey account, the data controller is the account or survey administrator (you) and the data processor is Checkbox; the data storage and hosting partners that Checkbox relies on act as its sub-processors.
When collecting or processing personal data, data controllers and processors must ensure that data is:
- Collected lawfully and transparently, on a valid legal basis (for survey responses, this is usually the explicit consent of the data subject)
- Collected and used for a specific, legitimate purpose
- Kept accurate and up to date
- Stored only as long as is necessary
- Appropriately secured, with recovery and breach notification plans in place in the event of a data breach or loss
In addition, data subjects (the persons whose data is being collected or stored) have certain specific rights with regard to their personal data:
- Right of access – the right to confirm whether one’s personal data is being processed and to obtain a copy of it
- Right to rectification – the right to require that a data controller correct inaccurate data or complete incomplete data
- Right to be forgotten (right to erasure) – the right to have one’s personal data deleted, including any copies, where there is no longer a lawful reason to keep it
- Right to restriction of processing – the right to require that a data controller stop using or processing one’s data, for example while its accuracy is being disputed or corrected
- Right to be informed – the right to be told, at the time the data is collected, who is collecting it, for what purpose, and how it will be used
- Right to data portability – the right to receive a copy of the personal data one has provided in a structured, commonly used, machine-readable format
- Right to object – the right to object to processing of one’s personal data on certain grounds, including an unconditional right to opt out of direct marketing
- Rights related to automated decision-making – the right not to be subject to a decision based solely on automated processing (including profiling) that has legal or similarly significant effects on the person
Your Checkbox Data and GDPR Compliance
As we’ve mentioned, GDPR compliance is a joint responsibility between the party collecting the data (you) and the party storing and processing the data (Checkbox). By May 25th, we plan to be fully compliant when it comes to our duties as a data processor, and also to make it as easy as possible for you to be compliant as a data controller. Below is a summary of the ways in which Checkbox is addressing its GDPR obligations, along with some of the features you can use in order to help ensure that you are GDPR compliant with respect to collecting and storing data in Checkbox. This list is not intended to be a comprehensive checklist of all obligations and we therefore recommend that you seek the advice of a qualified professional to ensure that you are meeting all requirements of the GDPR.
Consent and Notice: Survey administrators may add an opt-in question at the beginning of their surveys asking respondents to consent to their data being collected and stored, together with a short notice of who is collecting the data and for what purpose (see the right to be informed above). If the respondent does not consent, the survey administrator may use Checkbox logic features to disqualify the respondent and skip them to the end of the survey, so that no further answers are collected from them.
Deletion and Right to be Forgotten: Survey administrators are responsible for responding to and managing deletion or “right to be forgotten” requests from their respondents. Survey administrators can permanently delete all responses from a respondent user at any time by deleting that user. Alternatively, survey administrators can delete individual responses in Checkbox, which only ‘soft-deletes’ them: the responses are marked as deleted but remain stored until Checkbox purges them. To remove them permanently, survey administrators must then make a request in writing to Checkbox, and should allow for that turnaround when committing to a completion date (the GDPR expects erasure requests to be fulfilled without undue delay and, in general, within one month). Survey administrators are also responsible for locating and deleting any Checkbox data that has been exported to any system or storage device outside of Checkbox, since those copies are outside Checkbox’s control.
Data Access & Accuracy: Survey administrators are responsible for the accuracy of the data in their Checkbox accounts. If a respondent requests to review their personal data for accuracy, a survey administrator can export the user’s personal details from the User Manager (.csv export feature coming in May). Survey administrators may also export the results of their surveys and submit that data to their respondents for accuracy review. If a respondent requests that data be updated or deleted, the survey administrator can either edit the user’s profile in Checkbox, edit the survey response(s) in Checkbox, or delete the data (as noted above).
Data Portability: Respondents can request their data from a survey administrator and the administrator can provide that data at any time, as noted above. In addition, survey administrators may want to consider adding a Response Details item or an Email Response item to their surveys, which will give the respondent the means to print and/or save their survey response after they submit it. As of May 25th, the Response Details item will include a Print button so that the respondent can easily print their response from the screen or print it to PDF to save a copy. The Response Details item will also include identifiable personal information such as IP address, name, and email, as applicable.
Data Security: Checkbox maintains strict controls over its customer data. Checkbox hosted accounts are cloud-hosted with Amazon AWS, which operates its own data security and compliance programs and describes itself as GDPR-ready. Data is encrypted in transit and backup files are encrypted; encryption of data at rest is available as an option for Team and Enterprise clients, so administrators on those plans who store personal data should confirm that it is enabled for their account. Checkbox management reviews and updates security policies regularly to ensure that all staff are trained on and using appropriate controls when handling customer data. For more information on Checkbox’s security policies, please view our Security Overview.
On-premises customers also have the option to encrypt their data in transit and at rest, while maintaining their own internal access controls.
Data Processing Addendum: Checkbox account administrators may request a standard Data Processing Addendum (DPA) to their Checkbox SLA, which sets out Checkbox’s obligations as a data processor and contains the model clauses (standard contractual clauses) covering international data transfers. Enterprise customers may request that Checkbox use their own DPA instead.
Your Additional Responsibilities
If you are using Checkbox to collect or store any data from EU residents, we highly recommend becoming familiar with all the requirements of GDPR. At a minimum, you will want to take into account the rights of the data subject that we’ve listed above when importing users, sending out surveys, and exporting data to your computer or server. We would also recommend that you make use of the Checkbox features that we’ve listed in the section above, as part of your overall GDPR compliance plan. However, this list is not comprehensive and is not intended as legal advice, so we highly recommend that you seek the advice of a qualified professional in order to ensure that you are meeting all requirements of the GDPR.
If you have any questions about the features that are available on your account or how to enable them, please contact support. You may also email us if you have any general questions on GDPR as it relates to Checkbox or if you’d like to sign a Data Processing Addendum with us.