Our company is committed to providing its clients with a secure, reliable platform that prioritizes security and safety above all else. Each year, we invest significant resources in enhancing our security capabilities and regularly conduct penetration tests and code scans to meet the requirements of the most demanding organizations.
We’re proud to build products that reconcile the need for data privacy with the need for organizations to continuously learn from their customers. This document is intended to give our customers an overview of new regulations coming into force in the European Union and how our company helps our customers meet these requirements.
In 2016, the European Union instituted a new regulation called the General Data Protection Regulation (GDPR). GDPR makes significant changes to the ways companies and organizations collect and manage personal data, especially personally identifiable information (or PII).
GDPR places new and substantial requirements on organizations to protect personal data, but it also helps the research and customer insights industry to ensure personal data is managed in a responsible way. Our company’s view is that GDPR is likely a positive development for organizations collecting and managing PII.
The European Union has defined personally identifiable information in very broad strokes. PII includes, but is not limited to:
identify an individual
Researchers should take special care in processing and managing PII to avoid potentially hefty fines and regulations mandated by GDPR. To be clear, collecting or viewing PII is entirely permissible as long as it’s done correctly.
GDPR defines two types of entities handling PII in Article 4, called data controllers and data processors.
Data controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Organizations that license our company (or other tools) for the purpose of collecting customer information are data controllers, whereas our company is a data processor regardless of whether or not your organization utilizes our company’s professional services. Our company’s goal as a data processor is to enable our customers – you – to be GDPR compliant while gathering valuable customer insights made possible only by our company.
GDPR has specific requirements that our company helps our clients address through robust software solutions. These requirements include:
European Union citizens need to be informed how their data is collected and stored – even through the use of common website analytics tools that capture IP addresses. To ensure our customers are always in the right, we have created a trigger that fires automatically when a community member accesses the community for the first time from the European Union. We infer location based on the IP address of the user accessing the community.
When we’ve detected an EU-based user, Puresampling automatically displays a modal with information regarding the data collection tools used at Puresampling and how the data are used. Puresampling provides default templates, but the information and text displayed are entirely customizable. The EU detection system and warning modal are configured globally and turned on for all Puresampling licensees.
In addition, users must generally explicitly consent to Terms of Use or Rules of Participation. In other words, users must purposefully check a box to accept Terms. Puresampling provides the ability to configure this setting in Community Settings.
Under GDPR, users should be able to export data they’ve provided to a platform, including algorithmically-defined data like many market research segmentation or typing tools. This new privacy page contains four pages, accessible from any device via a browser.
User data export includes all data a community member has provided, including profile fields, survey responses, comments in a discussion board, images, or photos uploaded to the community. The data is exported in a .zip folder containing .csv and image files and may take anywhere from a few minutes to a few hours to complete depending on the volume of member data.
Puresampling takes special care to ensure exported data is only accessed by the member and not a bad actor. After requesting data export, the member is required to enter their community password. Because the export may take some time, the member is notified at the email address associated with their community account that the data file is ready for download. At this point, the member clicks a link provided in the email, again authenticates their account, and is able to download the file.
Another tenet of GDPR is that users should be able to erase their data, effectively eliminating an organization’s ability to access their personal data. GDPR requires that user consent is as easy to revoke as it is to give. So, while Puresampling recognizes the desire to maintain high member numbers, we also believe in complying with the spirit of the regulation and have not made this an overly onerous process, although the platform asks the member to confirm at least twice that they want to erase their account and account data. Account erasure is irrevocable. If a member would like to participate in the community again, they will have to re-join the community as if they had never been part of the community before.
On very rare occasions, clients may choose to ban or delete a community member for antisocial behavior. Banning a community member does not revoke their right to either access data they’ve provided or to delete their account. These individuals may access the Privacy page and are able to download or erase their data at this location after they’ve authenticated their account.
GDPR’s principle of least privilege access essentially says personally identifiable information should be accessible to the least number of people possible and those people must have a compelling business need to access this information.
Our company provides robust controls to manage access to PII. We automatically designate templated profile fields like email address, IP address, names, username, and street address as PII. Our company’s customers can also designate other profile fields as PII and decide which researchers have access to PII.
Our company does not send PII via our API to our company Exchange partners. When profiling data is shared via our API, it is linked based on our company UserID. This pseudonymizes member data and ensures you can integrate with confidence. The exception to this is when our company is connected via API to a system like a Customer Relationship Management platform and a field like an email address is the key value to connect different systems.
GDPR also requires that Terms of Use (or Rules of Participation) and Privacy Policies are easy to understand by the general public. Our company provides sample templates for Terms of Use and Privacy Policies.
- Privacy Acceptance Modal
- Privacy Overview
- Privacy Policy
If you have general questions about our company’s approach to GDPR and privacy, please feel free to contact our sales team at request@puresampling.com, who will work with you to gather information.