GDPR (and similar legislation around the world) places various obligations on organisations to safeguard the data they collect or process. If you are gathering personal information from data subjects, you need to ensure you do so responsibly, or risk facing the legal and reputational consequences. In this post we explore a few of our features to help you ensure your data collection is GDPR compliant.
Disclaimer: Please note that whilst this post is intended to assist you with improving your GDPR compliance, and outlines some of the technical and organisational measures available, it should not be considered legal advice and you should consult with legal experts to ensure your organisation complies with legislation relevant to your organisation. Please also refer to our GDPR compliance statement.
Before diving into the data protection features available to you when using our tools, it's important to reiterate that, in terms of GDPR, if your organisation is capturing data for its own purposes, you are the data controller. If your organisation is capturing data on behalf of another organisation, they are the data controller and you are a data processor.
Data storage & encryption
It’s considered best practice to store personal data in an encrypted format and on a server that is located in a country that is either governed by GDPR or by legislation compatible with GDPR.
If you use our tools to collect data, it will be stored in our database servers hosted in our AWS Ireland and DigitalOcean Amsterdam data centres. We chose to host exclusively in the EU for improved compliance with GDPR.
Data captured using our mobile app is transferred to our servers over TLS (SSL): the connection is authenticated with a 2048-bit RSA signature key or an elliptic curve cryptography (ECC) key, and the data itself is encrypted with AES-256 symmetric encryption, ensuring data in transit is secure.
Our database utilises Amazon RDS encryption, which means the underlying storage of all data captured using our tools is encrypted using the industry-standard AES-256 algorithm, as are all automated backups and snapshots (used only for disaster recovery).
Be aware that once you extract data from our platform, it’s up to you to ensure that the data is securely stored in compliance with GDPR.
Ensure you get consent from data subjects to store and process their personal information, including their permission for cross border data transfer. Of course, you’ll need to clearly state how you intend to use any personal information (and always do so in accordance with GDPR and our terms of service).
We recommend that you integrate obtaining consent into your data collection process. Depending on what information you are collecting, what it will be used for, and who you are collecting it from, you can define logic to capture the appropriate consent – or prevent any further data capture if you are unable to secure the necessary consent.
You can record that you have received consent electronically using a signature field or verbally using an audio field. These files are attached to the form and can be accessed should you ever need to prove that you obtained consent from the data subject.
A nice feature you can consider using is the ability to embed a standard consent form template into every other form that needs it. This way, you don’t need to set up the consent fields and logic for each form and can centrally update the consent process should you ever need to. You can also use this approach to separate access to the consent data (which would contain personal information) from the main form’s data (which could exclude all personal information).
Managing who has access to data
Once you have captured the data containing personal information, you need to ensure that it can only be accessed by authorised personnel, who have a legitimate reason to access it. You should take the necessary steps to ensure you have confidentiality and legal agreements in place with anyone who has access to personal information where you are the responsible party.
Our tools provide granular permissions controls. Within a workspace, you can specify who has access to “view” data and you should only grant this to users who need it.
A really useful feature we provide is the ability to mark fields as “sensitive”. Data captured for sensitive fields (which could include personal information) is not visible to normal users – even those who have been given “view” permissions. There is a separate permission that must be explicitly granted should you wish to allow a user to view sensitive data.
Note: the Account Owner and any Administrators on your account will always have full access to view all data stored within the account, including fields marked as sensitive, so ensure these are only senior, trusted individuals within the organisation.
Hiding sensitive data or personal information
Where data needs to be exported for further analysis, you should exclude fields that contain personal information (where this information is not required) so it is not included in the export file. This can be done from the grid by hiding the columns that you don’t want to include.
As a reminder, you can save the column selection as part of a saved report (which you can share internally or externally if you wish) so you don’t have to manually hide the columns every time you want to export data. This is also useful for published reports where you don’t want to display this information externally (note that sensitive fields are always and automatically hidden in reports that have been shared externally).
It’s worth noting that, for users who do not have the permission to view sensitive data, any exports they generate will exclude this data automatically. If you have the right to view sensitive data, you should exclude it from the export/report by hiding the columns from the grid as outlined above.
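The permission model described in the two sections above (a "view" permission that does not cover sensitive fields, a separately granted permission for sensitive data, owners and administrators who always see everything, and exports that drop sensitive columns automatically for unprivileged users while privileged users must hide them by hand) can be expressed as a small piece of code. The following is an added example written for this post, not code from our platform; the role names, the permission strings `view` and `view_sensitive`, and the sample form are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Field:
    name: str
    sensitive: bool = False   # the "sensitive" flag on a form field


@dataclass
class Form:
    name: str
    fields: list   # list of Field
    rows: list     # submissions, one dict per submission (column name -> value)


@dataclass
class User:
    name: str
    role: str                          # assumed roles: "owner", "admin" or "user"
    permissions: frozenset = frozenset()  # assumed strings: "view", "view_sensitive"


def can_view(user: User) -> bool:
    # Owners and administrators always have full access to the account's data.
    return user.role in ("owner", "admin") or "view" in user.permissions


def can_view_sensitive(user: User) -> bool:
    # Sensitive data needs its own, explicitly granted permission;
    # "view" alone is not enough.
    return user.role in ("owner", "admin") or "view_sensitive" in user.permissions


def visible_fields(user: User, form: Form) -> list:
    """Column names the user is allowed to see in the grid."""
    if not can_view(user):
        return []
    return [f.name for f in form.fields
            if not f.sensitive or can_view_sensitive(user)]


def export_rows(user: User, form: Form, hidden: frozenset = frozenset()) -> list:
    """Rows for an export file.

    Sensitive columns are removed automatically for users who lack the
    sensitive-data permission.  Users who do hold it must hide the columns
    themselves (the `hidden` set models hiding columns in the grid).
    """
    columns = [c for c in visible_fields(user, form) if c not in hidden]
    return [{c: row.get(c) for c in columns} for row in form.rows]


# Constructed sample data for the example (not real submissions).
SITE_FORM = Form(
    name="site_visit",
    fields=[Field("site"), Field("inspector_name", sensitive=True),
            Field("email", sensitive=True), Field("score")],
    rows=[{"site": "Depot A", "inspector_name": "J. Bloggs",
           "email": "j@example.com", "score": 7}],
)
ANALYST = User("ana", "user", frozenset({"view"}))
ADMIN = User("adm", "admin")
NO_ACCESS = User("nobody", "user")

if __name__ == "__main__":
    print(visible_fields(ANALYST, SITE_FORM))                     # ['site', 'score']
    print(export_rows(ADMIN, SITE_FORM, hidden=frozenset({"inspector_name", "email"})))
```

The point to take from `export_rows` is the asymmetry: the platform protects unprivileged users from leaking sensitive data by accident, but a user with the sensitive-data permission is trusted to hide those columns deliberately before sharing an export or a published report.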
Keeping track of forms that contain personal information
It’s useful to keep track of forms that capture personal information – so you can locate them easily if you need to. An easy way to do this is to tag the form, for example, using a tag such as contains_pi. You can then quickly filter or search for all forms that have this tag – within a workspace or across the entire account.
Scrubbing sensitive or personal information
After a period of time, you may wish to delete or “scrub” data you have captured to remove all personal information. One way to do this is to use our API. You could create a script that routinely checks how old a form submission is and, after a certain period of time (say 12 months), deletes the data for fields that contain sensitive data or personal information.
It’s worth noting that you should not use the API to “modify” the data – for example by overwriting it with an empty string or an anonymised value – because when you modify data, the system logs the previous value for auditing purposes. If you want to remove all traces of the data, you should delete it instead.
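To make the scrubbing routine described above concrete, here is an added example of a retention sweep, written for this post rather than taken from our platform. Because the API itself is not documented here, the example uses `FakeFormsApi`, an in-memory stand-in whose `list_submissions`, `modify_field` and `delete_field` methods are assumptions that only mirror the behaviour the text describes (a modify records the previous value in an audit log, a delete does not). The sample submissions and the `sensitive_fields` list are constructed for the example.

```python
import copy
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=365)   # "after a certain period of time (say 12 months)"


class FakeFormsApi:
    """In-memory stand-in for the platform API (assumed interface, not the real one).

    Mirrors the behaviour described in the post: modifying a field value logs the
    previous value for auditing, deleting a field leaves no such trace.
    """

    def __init__(self, submissions):
        self.submissions = {s["id"]: copy.deepcopy(s) for s in submissions}
        self.audit_log = []   # (submission id, field name, previous value)

    def list_submissions(self, form_name):
        return [s for s in self.submissions.values() if s["form"] == form_name]

    def modify_field(self, sub_id, field_name, new_value):
        fields = self.submissions[sub_id]["fields"]
        self.audit_log.append((sub_id, field_name, fields[field_name]))  # old value kept
        fields[field_name] = new_value

    def delete_field(self, sub_id, field_name):
        self.submissions[sub_id]["fields"].pop(field_name, None)


def scrub_expired(api, form_name, sensitive_fields, now=None, retention=RETENTION):
    """Delete (never overwrite) sensitive fields on submissions older than `retention`.

    Returns the ids of the submissions that were scrubbed.
    """
    now = now or datetime.now(timezone.utc)
    scrubbed = []
    for sub in api.list_submissions(form_name):
        submitted_at = datetime.fromisoformat(sub["submitted_at"])
        if now - submitted_at < retention:
            continue                        # still within the retention period
        for name in sensitive_fields:
            if name in sub["fields"]:
                api.delete_field(sub["id"], name)
        scrubbed.append(sub["id"])
    return scrubbed


def sample_api():
    # Constructed sample submissions (not real data); one old, one recent.
    return FakeFormsApi([
        {"id": "s1", "form": "site_visit", "submitted_at": "2023-01-15T10:00:00+00:00",
         "fields": {"site": "Depot A", "inspector_name": "J. Bloggs", "email": "j@example.com"}},
        {"id": "s2", "form": "site_visit", "submitted_at": "2024-05-01T08:30:00+00:00",
         "fields": {"site": "Depot B", "inspector_name": "A. Nother", "email": "a@example.com"}},
    ])


SENSITIVE_FIELDS = ["inspector_name", "email"]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock so the example is repeatable

if __name__ == "__main__":
    api = sample_api()
    print(scrub_expired(api, "site_visit", SENSITIVE_FIELDS, now=NOW))   # ['s1']
    print(api.submissions["s1"]["fields"])                                # {'site': 'Depot A'}
    print(api.audit_log)                                                  # []
```

Running the sweep against the sample data scrubs only the submission older than 12 months and leaves the audit log empty; calling `modify_field` with an empty string instead would have written the original email address into that log, which is exactly the residue the post warns about. In a real deployment the fixed `NOW` would be replaced by the current time and the sweep scheduled to run routinely.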