January 15, 2019
Recollective: 2018 in Review
Before we kick off a new series of blog posts in 2019, we thought it would be fitting to summarize all that we accomplished in the development of Recollective in 2018.
Very soon, Europe's data protection rules will undergo their biggest changes in two decades. The European General Data Protection Regulation (GDPR), which will come into force on May 25, 2018, will impact how researchers collect and store personal data from European citizens.
If your organization is based in the European Union or you plan to collect data from EU citizens, it is essential that you become familiar with the GDPR. We've prepared a brief outline of the GDPR requirements, their impact on Recollective customers and some recommendations.
Not everyone who handles the personal data of European individuals will be treated the same under the GDPR. The law clearly identifies two roles with varying responsibilities:
By this definition, Recollective will be deemed a "processor" and our customers will be deemed the "controllers".
The majority of obligations under the GDPR fall upon the controller, but Recollective is responsible for assisting our customers in maintaining their compliance, such as by notifying our customers of potential data breaches.
Disclaimer: The following document contains some recommendations provided by Recollective. They are our simple suggestions based on our interpretation of the GDPR rules and must not be solely relied upon. You should seek your own professional, independent legal advice to ensure compliance. We accept no liability whatsoever if you are found to be non-compliant after following these recommendations.
A key aspect of the GDPR is the attainment of consent that clearly outlines the collection and processing of personal data. This consent must be distinctly separate from consent to other agreements.
Note that in GDPR terminology, each study participant is a "data subject".
Article 4 provides a definition of personal data:
Recital 32 defines consent:
Recollective already supports a "Panelist Agreement" feature (located in Site Administration > Site Setup > Account Settings). This feature allows customers to surface a customized opt-in agreement checkbox that will be required for every user accessing the Recollective site.
We recommend using this feature to create a declaration of consent with clear and plain language. For consent to be informed, panelists should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. We recommend including how long their personal data will be retained.
Recollective plans to expand the ability to define custom panelist agreements. The platform will allow multiple agreements to be defined including a cookie pop-up agreement that appears instantly. It will also allow filtering of panelists based on their consent to custom agreements.
The GDPR also introduces the 'right to be forgotten'. Under this new right, participants of a research study have the right to request erasure of their personal data 'without undue delay'.
Again, personal data broadly means a piece of information that can be used to identify a person. This can be a name, email address, physical address or IP address. Sensitive personal data encompasses genetic data, information about religious and political views, sexual orientation, and more.
Panelists have the right to request a copy of their personal data and can also request removal of that data at any time (opt-out), even ahead of a study's conclusion.
Recollective has two options: a standard multi-tenant deployment and a dedicated site deployment. Both are compliant with the GDPR requirement to permanently delete data a set period after termination of a Recollective service agreement. You'll receive a notification as this process is scheduled to begin and, of course, you also have the option to pay for an extended archive during which the data is retained.
The dedicated site deployment has an entirely separate database that stores personal data. The separate database and its backups can be completely wiped upon request (or automatically after closure of the site). Dedicated infrastructure sites are permanently deleted no later than 30 days after the termination of a Recollective service agreement. There are additional costs associated with choosing a dedicated site.
With regard to personal data located outside of Recollective, we recommend customers review the data they are exporting from Recollective and how it's protected and retained. Customers may wish to establish an internal process that systematically removes personal data that has been exported and/or purges data files at regular intervals.
Recollective already provides reporting and transcription options that anonymize the data being exported. We recommend using these functions to store study data offline for an extended period of time.
During the course of a study, in the event that an individual panelist requests their data be removed, simply edit their panelist record in the Site Administration area to remove any personal data. Contact Recollective to then request the removal of the user's IP address and email address from the system logs.
In the future, Recollective will provide tools for the automatic removal of personal data in shared-infrastructure configurations. This will allow customers with GDPR compliance concerns to avoid the extra cost of dedicated site deployments.
When the GDPR comes into force, controllers will have to notify individuals 'without delay' that there has been a breach of their personal data. Where possible, this notification will need to be provided within 72 hours. The GDPR also includes a duty for data processing companies to report breaches to the organization that collected and controls the data they process.
Data exports from a Recollective study that contain personal data must be carefully protected. If this data is breached (e.g. from a lost laptop), customers must be ready to dispatch a timely notification that a data breach may have taken place.
Recollective actively monitors its infrastructure and will respond to any reports of potential data breaches. If a suspected breach has taken place, we will notify affected customers within 24-48 hours. Although the responsibility for a breach notification falls on the controller, Recollective will assist its customers in any way possible.
The GDPR provisions may not apply in the UK once it exits the European Union (depending on any transition period rules still being negotiated at time of writing). Personal data protection will instead be covered by a new Data Protection Bill. It appears the UK's data protection plans include everything within the GDPR, although there are some minor changes.
We take privacy seriously and plan to continue improving the platform so that it becomes easier for Data Controllers to manage the data stored in Recollective in compliance with the GDPR. If you have any questions or concerns, we're here to help, but we strongly recommend you keep current with the laws and regulations of your own country and those in which you plan to conduct research to ensure you remain compliant.