Our company is committed to providing its clients with a secure, reliable platform that prioritizes security and safety above all else. Each year, we invest significant resources in enhancing our security capabilities and regularly conduct penetration tests and code scans to meet the requirements of the most demanding organizations.
We’re proud to build products that reconcile the need for data privacy with the need for organizations to continuously learn from their customers. This document is intended to give our customers an overview of new regulations coming into force in the European Union and how our company helps our customers meet these requirements.
In 2016, the European Union instituted a new regulation called the General Data Protection Regulation (GDPR). GDPR makes significant changes to the ways companies and organizations collect and manage personal data, especially personally identifiable information (or PII).
GDPR places new and substantial requirements on organizations to protect personal data, but it also helps the research and customer insights industry to ensure personal data is managed in a responsible way. Our company’s view is that GDPR is likely a positive development for organizations collecting and managing PII.
The European Union has defined personally identifiable information in very broad strokes. PII includes, but is not limited to:
• IP Address
• Email Address
• Name
• Residential Address
• Username
• Any data point or combination of data points that could be used in conjunction to identify an individual
Researchers should take special care in processing and managing PII to avoid the potentially hefty fines mandated by GDPR. To be clear, collecting or viewing PII is entirely permissible as long as it is done correctly.
Data controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Organizations that license our company’s platform (or other tools) for the purpose of collecting customer information are data controllers, whereas our company is a data processor regardless of whether or not your organization utilizes our company’s professional services. Our company’s goal as a data processor is to enable our customers – you – to be GDPR compliant while gathering valuable customer insights made possible only by our company.
GDPR has specific requirements that our company helps its clients address through robust software solutions. These requirements include:
European Union citizens need to be informed how their data is collected and stored – even through the use of common website analytics tools that capture IP addresses. To ensure our customers are always in the right, we have created an automatic trigger that fires when a community member accesses a community for the first time from the European Union. We infer the member’s location from the IP address used to access the community.
When we’ve detected an EU-based user, TheFieldData automatically displays a modal with information regarding the data collection tools used at TheFieldData and how the data are used. TheFieldData provides default templates, but the information and text displayed are entirely customizable. The EU detection system and warning modal are configured globally and turned on for all TheFieldData licensees.
In addition, users must generally explicitly consent to Terms of Use or Rules of Participation. In other words, users must purposefully check a box to accept Terms. TheFieldData provides the ability to configure this setting in Community Settings.
Another tenet of GDPR is that users should be able to erase their data, effectively eliminating an organization’s ability to access their personal data. GDPR requires that user consent be as easy to revoke as it is to give. So, while TheFieldData recognizes the desire to maintain high member numbers, we also believe in complying with the spirit of the regulation and have not made this an overly onerous process, although the platform asks the member to confirm at least twice that they want to erase their account and account data. Account erasure is irrevocable. If a member would like to participate in the community again, they will have to re-join the community as if they had never been part of it before.
On very rare occasions, clients may choose to ban or delete a community member for antisocial behavior. Banning a community member does not revoke their right either to access the data they have provided or to delete their account. These individuals may visit the Privacy page and, after authenticating their account, download or erase their data there.
GDPR’s principle of least privilege access essentially says personally identifiable information should be accessible to the least number of people possible and those people must have a compelling business need to access this information.
Our company provides robust controls to manage access to PII. We automatically designate templated profile fields like email address, IP address, names, username, and street address as PII. Our company’s customers can also designate other profile fields as PII and decide which researchers have access to PII.
Our company does not send PII via our API to our company’s Exchange partners. When profiling data is shared via our API, it is linked based on our company’s UserID. This pseudonymizes member data and ensures you can integrate with confidence. The exception is when our company is connected via API to a system like a Customer Relationship Management platform and a field like an email address is the key value used to connect the different systems.
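The two controls described above – designating profile fields as PII with researcher-level access to them, and sharing profiling data with partners linked only by UserID – are illustrated below in an added example. This is not TheFieldData’s code; the field names, roles, sample profile and the partner-export behaviour are constructed assumptions used to show the pattern (mask PII for roles without a need to see it, strip it from exports, and allow a join key such as an email address through only when it is explicitly named, as in the CRM case).

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample profile (all values made up); not real member data.
SAMPLE_PROFILE = {
    "user_id": "u-1001",
    "email": "member@example.com",
    "ip_address": "203.0.113.7",
    "first_name": "Ada",
    "username": "ada_l",
    "street_address": "1 Example Street",
    "favorite_category": "cycling",
    "survey_nps": 9,
}

# Assumed default PII classification, mirroring the templated fields named in the text.
DEFAULT_PII_FIELDS = frozenset(
    {"email", "ip_address", "first_name", "last_name", "username", "street_address"}
)


@dataclass
class PIIPolicy:
    """Which fields count as PII and which researcher roles may view them (hypothetical model)."""

    pii_fields: set = field(default_factory=lambda: set(DEFAULT_PII_FIELDS))
    pii_roles: set = field(default_factory=set)

    def designate_pii(self, field_name: str) -> None:
        # Customers may extend the default classification to any profile field.
        self.pii_fields.add(field_name)

    def grant_pii_access(self, role: str) -> None:
        # Least privilege: only roles with a compelling business need are listed here.
        self.pii_roles.add(role)

    def can_view_pii(self, role: str) -> bool:
        return role in self.pii_roles


def view_profile(profile: dict, role: str, policy: PIIPolicy) -> dict:
    """Return the profile as seen by a researcher holding `role`.

    PII fields are masked, not removed, so the viewer can tell that a value exists
    without being able to read it; non-PII research data stays fully visible.
    """
    if policy.can_view_pii(role):
        return dict(profile)
    return {
        key: ("[PII withheld]" if key in policy.pii_fields else value)
        for key, value in profile.items()
    }


def export_for_partner(profile: dict, policy: PIIPolicy, join_key: Optional[str] = None) -> dict:
    """Build the record shared with an exchange partner.

    Every PII field is dropped and the record is linked by user_id only (pseudonymized).
    The one exception is an explicitly named join_key, e.g. "email" when the partner is a
    CRM keyed on email address; it must be present in the profile and is passed through
    deliberately rather than by default.
    """
    record = {k: v for k, v in profile.items() if k not in policy.pii_fields}
    record["user_id"] = profile["user_id"]
    if join_key is not None:
        if join_key not in profile:
            raise KeyError(f"join key {join_key!r} is not present in the profile")
        record[join_key] = profile[join_key]
    return record


if __name__ == "__main__":
    policy = PIIPolicy()
    policy.grant_pii_access("privacy_officer")
    print(view_profile(SAMPLE_PROFILE, "analyst", policy))
    print(export_for_partner(SAMPLE_PROFILE, policy))
    print(export_for_partner(SAMPLE_PROFILE, policy, join_key="email"))
```

The point of the two functions is that the default path never leaks PII: a researcher role sees masked values unless it was granted access, and a partner export contains only UserID plus non-PII fields unless a join key is named on purpose at the call site.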
GDPR also requires that Terms of Use (or Rules of Participation) and Privacy Policies be easy for the general public to understand. Our company provides sample templates for Terms of Use and Privacy Policies:
• Privacy Acceptance Modal
• Privacy Overview
• Privacy Policy
If you have general questions about our company’s approach to GDPR and privacy, please feel free to contact our sales team at request@thefielddata.com, who will work with you to gather the information you need.