The European Union's General Data Protection Regulation (GDPR) is a legal framework around data protection which came into force on 25 May 2018 and applies to any organisation that offers products or services to EU data subjects.
It features some requirements which were new or different from those outlined in previous legislation and/or guidance.
If you want to find the full details of the GDPR, you can read the EU Regulation in full.
You can also read a useful overview from the UK Information Commissioner's Office (ICO) or Australian customers can read some useful guidance from the Office of the Australian Information Commissioner.
Here at Delib we followed the UK ICO's guidance on GDPR ahead of the 2018 deadline to ensure that all of our products are compliant.
All Delib products are designed using Privacy by Design principles, as recommended by the UK ICO, and we're confident we’ll be able to support customers in meeting their GDPR obligations. We're also undertaking a review of privacy legislation with our legal advisors which will cover GDPR – this is mandated under our ISO 27001:2013 certified Information Security Management System (ISMS).
Outline of key GDPR rights
For the below rights, outlined in the GDPR, it is the Data Controller's (i.e. our customer's) responsibility to respond to and comply with requests from data subjects. However needless to say we're happy to assist customers where we can.
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure (or "right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision making and profiling
- Article 5 - appropriate security
Right to be informed
"The right to be informed encompasses your obligation to provide 'fair processing information', typically through a privacy notice. It emphasises the need for transparency over how you use personal data."
Citizen Space, Dialogue and Simulator all provide a customer-editable site-wide privacy notice. By default this identifies Delib as a Data Processor and the customer as the Data Controller.
Citizen Space and Dialogue both link to the privacy notice in the footer of every public page. It can be edited to include tailored information for the customer organisation - read how for Citizen Space and read how for Dialogue.
We'd also recommend referencing privacy information at the start of each activity ('point of first communication'), before a data subject has submitted any response, and again at the end. This information could include a link to the privacy notice and any additional contextual information.
Right of access
"Under the GDPR, individuals will have the right to obtain confirmation that their data is being processed, and access to their personal data."
Citizen Space provides an email receipt to every respondent, with a PDF attachment containing all of the information they submitted via the online survey. The email also provides a unique Response ID number which can help admins track down the response. Admins can easily download and re-supply this PDF copy of their response. Before you share any data it's important that admins verify the identity of the individual making the request, to ensure they are who they say they are.
It's our understanding that under the GDPR, your respondents will also have a right of access to any notes or tags that you've added to their data as part of the analysis process. If a respondent requests access to this information, we'd recommend that admins 'Download all responses including analyst fields' from the dashboard, isolate the relevant record(s) in the spreadsheet and send the respondent just their data (again having verified that they are who they say they are).
Dialogue users can access and amend the personal information stored for them i.e. name, email address, postcode and consent to receive emails, by logging in, selecting their username from the top right hand menu, and selecting the tab ‘Profile & Settings’. Alternatively, admins can easily export a spreadsheet of this information for all users.
Dialogue users can also see a record of all the ideas and comments they've posted on a site by logging in, selecting their username from the top right hand menu, and selecting the tab 'My Ideas & Comments'.
Simulator admins can export a spreadsheet of all responses, isolate a given respondent's data and provide it on request. The onus will be on the respondent to provide sufficient information for their response to be identifiable and, as mentioned above, we'd recommend verifying their identity before sharing any data with them.
Right to rectification
In Citizen Space, responses cannot be edited or deleted once submitted. This creates an audit trail and defends against any real or perceived risk of tampering with response data. However, analyst notes and/or analyst-only questions in Citizen Space allow admins to capture requested amends or additions to a response.
Alternatively, depending on the nature of the request, an admin could manually upload a replacement response on behalf of the respondent and move their original response into "removed responses". For 'removed responses' the data is still held but no longer processed (no longer taken into account in analysis and reporting). Citizen Space provides an audit trail of when and why the response was removed from the main dataset.
Dialogue users can edit the personal details registered to their user profile for themselves, but it’s not possible for admins to edit this information. Users can do this by logging in, selecting their username from top right hand menu, and selecting the tab ‘Profile & Settings’. Dialogue users cannot edit their ideas or comments once posted. However, if users contact a customer asking to change something, a site admin can alter posts on their behalf.
Similar to both Citizen Space and Dialogue, Simulator does not give our customers the power to edit responses. However if you receive a request from a respondent, we (Delib) can make changes on your behalf, provided that the respondent is able to provide sufficient information for their response to be identifiable.
Right to erasure (also known as 'right to be forgotten')
"The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing."
Erasure is achievable in all Delib products but relatively complex to manage. For some types of activity, customers such as councils may be acting in the public interest, exercising official authority, and may also be exercising or defending legal claims (judicial review for example), which limit the right to erasure — other activities may not meet these criteria. This is just noting the ICO guidance — Delib cannot provide legal advice on this.
Citizen Space does not give our customers the ability to delete individual responses (though it is possible to delete an entire activity and all of its associated response data). This is by design to protect against mistakes resulting in data loss and to defend against any real or perceived risk of tampering with individual responses.
However if a respondent requests for their data to be 'forgotten', Delib has the power to permanently erase part or all of an individual response on the customer's behalf if given a clear written instruction.
If a Dialogue user requests for their data to be ‘forgotten’, admins can search for their profile in ‘Users’, select the checkbox ‘Remove user’ alongside their name and select ‘Apply changes’ to save the change. This removes all of their personal data (i.e. name, email address, postcode and consent to receive emails) from Dialogue but any ideas or comments they have posted will remain.
Delib has the power to permanently erase an idea or comment on the customer's behalf given a clear written instruction. Where an idea has comments attached to it, we could replace the idea with some holding text so as to meet the erasure request without deleting other users' content from the challenge.
Similarly, for Simulator Delib has the power to permanently erase a response given a clear written instruction. This again is reliant on the respondent who made the request being able to provide sufficient information for their response to be identifiable.
Right to restrict processing
"Under the DPA (Data Protection Act), individuals have a right to 'block' or suppress processing of personal data. The restriction of processing under the GDPR is similar. Where processing is restricted, you are permitted to store the personal data but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future."
Citizen Space gives customer admins the ability to remove responses. This sets a response apart from the dataset so that it is not processed for reporting or analysis, while keeping the response intact as evidence for scrutiny or in case of judicial review. When an admin removes a response they're prompted to provide a reason, creating an audit trail. This field can be used to note when and how the data subject requested that processing of their data be restricted.
Dialogue users can edit the personal details registered to their user profile by logging in, selecting their username from top right hand menu, and selecting the tab ‘Profile & Settings’. This allows them to remove any information they do not want processed themselves.
For Simulator, we (Delib) can 'invalidate' an individual's response (remove it from your dataset) on request. This means that the data is still held but will no longer be processed. This again is reliant on the respondent who made the request being able to provide sufficient information for their response to be identifiable.
Right to data portability
"The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. You must provide the personal data in a structured, commonly used and machine readable form. Open formats include CSV files."
Citizen Space admins can export individual responses as an .xlsx spreadsheet (a Microsoft Excel Open XML Format Spreadsheet file) to supply on request. It is the responsibility of the customer to verify the identity of the individual making the request before any data is shared.
Dialogue admins can export an .xlsx spreadsheet (a Microsoft Excel Open XML Format Spreadsheet file) of the personal information held for all users, from which they can isolate the record held for an individual and supply it on request. Again, it is the responsibility of the customer to verify the identity of the individual making the request before any data is shared.
Simulator admins can export an .xlsx spreadsheet (a Microsoft Excel Open XML Format Spreadsheet file) of all responses to the exercise, and isolate and provide the data of the respondent in question. As noted above, the onus will be on the respondent to provide sufficient information for their response to be identifiable and we'd recommend verifying their identity before sharing any data with them.
Right to object
"Individuals have the right to object to processing on grounds relating to their particular situation."
This right is complex, as the organisation may be conducting research where the processing of personal data is necessary for the performance of a public interest task and does not therefore have to comply with an objection to the processing. This is just noting the ICO guidance - Delib cannot provide legal advice on this.
In Citizen Space, if you agree to comply with the data subject's objection, you can remove their response from your dataset — see the Right to restrict processing for more details.
If a Simulator respondent objects to their data being processed, their response can either be 'invalidated' (see Right to restrict processing) or deleted (see Right to erasure) as appropriate, depending on the nature of their objection.
Rights related to automated decision making and profiling
"The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. These rights work in a similar way to existing rights under the DPA (Data Protection Act)."
Citizen Space, Dialogue and Simulator do not make any automated decisions without human intervention.
If customers choose to use additional automated decision-making tools as part of their analysis of response data, we recommend making respondents aware and asking for their consent. This is just noting the ICO guidance - Delib cannot provide legal advice on this.
This could be done by updating the privacy notice and/or including an explicit opt-in consent question in a Citizen Space online survey activity (see the Right to be informed for more details).
"Article 5 of the GDPR requires that the personal data shall be: (f) processed in a manner that ensures appropriate security of the personal data, including protect against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures."
Delib operates an ISMS which is certified to ISO 27001:2013. If you would like more information our Information Security policy documents and Engineering Standards are available on request. Please contact firstname.lastname@example.org to request copies.
Data processing and sub-processors
Delib acts as a data processor for customer data stored in Citizen Space, Dialogue and Simulator sites. For EU customers. sub-processors are used for hosting (Hetzner) and automated mail delivery (Mailgun).