The EU General Data Protection Regulation, or GDPR as it’s more commonly known, goes into effect on May 25, 2018. It replaces its predecessor, the Data Protection Directive (and the implementation laws in the various EU member states), in an effort to provide more streamlined and uniform protection of the personal data of EU residents.
If you do business in Europe, have European employees or customers, or otherwise collect or store information about anyone living in the EU, then GDPR will likely apply to you, either directly or indirectly. For the purposes of this article, if you use Checkbox to import user information or receive survey responses from anyone living in the EU, that data is protected by GDPR, regardless of what country you reside in, where your business is located, or where your Checkbox data is stored.
When it comes to the data collected and stored in your Checkbox Survey account, GDPR compliance is a joint responsibility between you as the account or survey administrator (i.e. the “data controller”) and Checkbox (i.e. the “data processor”). This article will summarize certain requirements of the GDPR and how Checkbox addresses its obligations as a data processor under GDPR. It will also list some of the obligations that account or survey administrators may have with regard to the storage and protection of personal data in Checkbox.
Disclaimer: This article is not intended as legal advice or to offer a fully inclusive list of all GDPR requirements – if you have any questions about your own responsibilities regarding GDPR, we recommend that you consult with an appropriate legal professional.
GDPR Key Points
The GDPR covers the collection, storage and processing of personal data from anyone living in the EU. Personal data is broadly defined as any information relating to an “identified or identifiable” individual. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
GDPR compliance is the responsibility of both the data controller (the person or organization responsible for collecting the data) and data processor (the person or organization responsible for processing the data at the request of the data controller). With regard to your Checkbox Survey account, the data controller is the account or survey administrator (you) and the data processor is Checkbox, along with our data storage and processing partners.
When collecting or processing personal data, data controllers and processors must ensure that data is:
- Collected legally and transparently
- Collected and used for a specific, legitimate purpose
- Kept accurate and up to date
- Stored only as long as is necessary
- Appropriately secured, with recovery and breach notification plans in place in the event of a data breach or loss
In addition, data subjects (the persons whose data is being collected or stored) have certain specific rights that may apply with regard to their personal data:
- Right of access – the right to access and confirm the accuracy of one’s personal data
- Right to rectification – the right to require that a data controller correct any missing or inaccurate data
- Right to be forgotten – the right to have all of one’s personal data permanently deleted
- Right to restriction of processing – the right to tell a data controller that they can’t use or process one’s data while corrections are being made to it
- Right to be informed – the right to know how one’s data is being used
- Right to data portability – the right to request a copy of all one’s personal data in a readable format
- Right to object – the right to opt out of or object to certain uses of personal data, such as for marketing purposes
- Right to object to automated processing – the right to object to an automated decision that is made using one’s personal data
Your Checkbox Data and GDPR Compliance
As we’ve mentioned, GDPR compliance is a joint responsibility between the party collecting the data (you) and the party storing and processing the data (Checkbox). Below is a summary of the ways in which Checkbox is addressing its GDPR obligations, along with some of the features you can use in order to address your GDPR compliance obligations with respect to collecting and storing data in Checkbox. This list is not intended to be a comprehensive checklist of all obligations and we therefore recommend that you seek the advice of a qualified professional to ensure that you are meeting all requirements of the GDPR.
Consent and Notice: GDPR requires a “legal basis” for collection and processing personal data. Our legal basis is “necessity for performance of a contract” – that is, providing service to our clients under our license agreement. Your legal basis may be “consent.” In order to help satisfy the consent requirement, Survey Administrators may add an opt-in question to the beginning of their surveys asking respondents to consent to their data being collected and stored. If the respondent does not consent, the Survey Administrator may use Checkbox logic features to disqualify the respondent and skip them to the end of the survey.
Survey administrators are responsible for responding to and managing deletion or “right to be forgotten” requests from their respondents. Survey administrators can permanently delete all responses from a respondent user at any time by deleting that user. Alternatively, survey administrators can delete individual responses in Checkbox, which will ‘soft-delete’ those responses. Survey administrators must then make a request in writing to Checkbox to permanently delete those responses. Survey administrators are responsible for monitoring and deleting any Checkbox data that is exported to any system or storage device outside of Checkbox.
Data Access & Accuracy: Survey administrators are responsible for the accuracy of the data in their Checkbox accounts. If a respondent requests to review their personal data for accuracy, a survey administrator can export the user’s personal details from the User Manager (.csv export feature available as of version 2018Q2). Survey administrators may also export the results of their surveys and submit that data to their respondents for accuracy review. If a respondent requests that data be updated or deleted, the survey administrator can either edit the user’s profile in Checkbox, edit the survey response(s) in Checkbox, or delete the data (as noted above).
Data Portability: Respondents can request their data from a survey administrator and the administrator can provide that data at any time, as noted above. In addition, survey administrators may want to consider adding a Response Details item or an Email Response item to their surveys, which will give the respondent the means to print and/or save their survey response after they submit it. As of version 2018Q2, the Response Details item includes a Print button so that the respondent can easily print their response from the screen or print it to PDF to save a copy. The Response Details item also includes identifiable personal information such as IP address, name, and email, as applicable.
Data Security: Checkbox maintains strict controls over its customer data to ensure high levels of security. Checkbox hosted accounts are cloud-hosted with Amazon AWS, which offers best-in-class data security and compliance programs, along with being GDPR-ready. Data is encrypted in transit, backup files are encrypted, and Team and Enterprise clients have the option to encrypt their data at rest. Checkbox management reviews and updates security policies regularly to ensure that all staff are trained on and using appropriate controls when it comes to customer data. For more information on Checkbox’s security policies, please view our Security Overview.
On-premises customers also have the option to encrypt their data in transit and at rest, while maintaining their own internal access controls.
Data Processing Addendum: Checkbox account administrators may request a standard Data Processing Addendum to their Checkbox SLA, which will specify our and your data-protection responsibilities and, if applicable, will contain the EU-approved “standard contractual clauses” governing transfer and processing of personal data outside of the EU. Enterprise customers may request that Checkbox review their own DPA.
Your Additional Responsibilities
If you are using Checkbox to collect or store any data from EU residents, we highly recommend becoming familiar with all the requirements of GDPR. At a minimum, you will want to take into account the rights of the data subject that we’ve listed above when importing users, sending out surveys, and exporting data to your computer or server. We would also recommend that you make use of the Checkbox features that we’ve listed above, as part of your overall GDPR compliance plan. However, this list is not comprehensive and is not intended as legal advice, so we highly recommend that you seek the advice of a qualified professional in order to ensure that you are meeting all requirements of the GDPR.
If you have any questions about the features that are available on your account or how to enable them, please contact support. You may also email us if you have any general questions on GDPR as it relates to Checkbox or if you’d like to sign a Data Processing Addendum with us.