Summary of GDPR
The General Data Protection Regulation (GDPR) comes into effect on May 25th, 2018, and the new regulations will have wide-ranging impacts on organizations that collect and process data in the EU. On the most basic level, the GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on organizations handling data.
Specifically, the GDPR regulates the processing of personal data about individuals in the European Union including its collection, storage, transfer and/or use. It gives data subjects more rights and control over their data by regulating how companies handle and store the personal data they collect.
It is imperative for enterprise companies, in particular, to prepare for these changes as the new regulations come with increased enforcement and failure to comply can lead to greater fines. Even if you have no entity or presence in the EU, the GDPR may still apply to your company.
Privacy & Usabilla
At Usabilla we are committed to the security of your data and protecting the privacy of your clients. Usabilla endeavors to develop its services using the Privacy by Design and Privacy by Default philosophies. This means we consider privacy and personal data protection throughout all parts of our product development lifecycle. Our services are designed to limit personal data collection by default, requiring you as a customer to explicitly enable features that collect more information.
All personal data is stored in AWS Region EU (Ireland), meaning in the European Union. The customer portal and API are also hosted in the same location.
Where possible, Usabilla will perform processing activities and analysis on anonymised or pseudonymised data. This means we will exclude or remove any screenshots, IP addresses, email addresses, free-form (text) responses and any identifiers that link the feedback item to the original item which may contain personal data before processing it.
Since Q2 of 2017, a dedicated team at Usabilla has been investigating and working to ensure that our product complies with the GDPR before the deadline. We have made, or are currently making, the following changes to our product:
- Storing location data: We made it optional to store the location or IP address of a user when they leave feedback. This option is off by default for all newly created buttons and forms.
- Data retention: We are giving our customers the option to set a data retention period so that any collected data will be removed automatically after the set period.
- Saving form values in Usabilla for Websites: Currently, when a button is created, form values are saved by default. We are reversing this so that form values are not saved unless you enable it, providing a safer default setting.
- Safer connections: Full survey URLs in Usabilla for Websites, as well as Usabilla for Email widgets, will be using an encrypted connection (HTTPS) by default.
We are confident that we can deliver these changes in good time so that our product is compliant by May 25th, 2018.
Data Processing Agreement
If you, as a customer, are processing personal data through the Usabilla platform, typically a Data Processing Agreement (DPA) needs to be agreed between your company and Usabilla. We have prepared a standard contract for this purpose, which accurately describes the specific characteristics of our product. If you need a DPA, we strongly urge you to make use of the Usabilla template, since it’s the most efficient option. The template is available through our Customer Success department.
If you have any questions regarding how Usabilla is dealing with the GDPR, please contact your Customer Success Manager.