The law in the UK relating to data protection will change on 25 May 2018 when the existing Data Protection Act is replaced by the EU-wide General Data Protection Regulation (“GDPR”).
- It applies to “personal data” which broadly means any data that can uniquely identify an individual person
- It applies to data controllers and processors established in the EU, regardless of where they process personal data
- It applies to controllers and processors established outside of the EU if they process the personal data of EU citizens.
Snap Surveys recognises its responsibility to help our clients meet their GDPR obligations when using our software and services. The Information Commissioner’s Office in the UK has called the introduction of GDPR an “evolution in data protection, not a revolution” and our data protection policies are evolving accordingly.
We have always taken data protection and the security of all of your data (whether personal or not) very seriously. Since 2013 we have been certified to ISO 27001, the international standard for best practice for information security management systems. We have been preparing for the GDPR for over a year by building on our ISO and Data Protection Act compliance frameworks.
In the context of our Snap WebHost service, our clients using our service are data controllers and we act as their data processor, only processing their Survey Data in accordance with their instructions.
Our services provide our clients with huge amounts of flexibility when carrying out surveys. Our clients are in full control of the potential categories of respondents, the amount of personal data that they collect, the information they provide to potential respondents, the type of questions asked, what their survey data is used for and who it is shared with, and how long it is retained for. Our clients can even choose to run anonymous surveys, or install Snap WebHost as a product on their own servers, so that they may host their own survey data. In this scenario Snap Surveys acts as a software provider rather than a data processor to its clients, but the functionality within the Snap WebHost software which assists our clients to meet their GDPR obligations remains largely as described below for the Snap WebHost service, while at the same time giving our clients their own control in areas such as where and for how long their data is stored and the security measures that they apply.
As a result, compliance with the GDPR for any given survey run by our clients will depend in large part on the steps and the decisions taken by our clients, and Snap WebHost contains many features and functionality to help our clients meet their obligations under GDPR. For example, our clients can:
- Collect as much or as little personal data as they like, or apply various levels of anonymisation to their surveys
- Provide respondents with fair processing information at the beginning of a survey
- Set a consent question where required, and save a record of that consent
- Export, edit and delete survey data
- Comply with the data subject rights of access, rectification, erasure, restriction, data portability and objection
- Access a range of options as to how and where their survey data is hosted, including the option of a ‘ringfenced UK’ solution
- Have the confidence that their survey data is protected in accordance with our ISO 27001:2013 Information Security Management System
We have set out below some of the key obligations of the GDPR and described how Snap WebHost will assist our clients to meet these requirements.
To further assist our clients, we have produced a number of GDPR worksheets that give detailed guidance on specific topics such as obtaining consent within your surveys and providing opt outs, and anonymisation in surveys. These are available on our website in our Support Hub.
Further information about GDPR is available on the Information Commissioner’s Office website at www.ico.org.uk. Please contact your Snap Surveys Account Manager if you would like further information about Snap WebHost.
|GDPR Requirement||Application to the Snap WebHost service|
|A. Processing of personal data: in summary, any information relating to an identified or identifiable natural person||When using Snap WebHost, you may upload personal data regarding your potential respondents, such as email addresses, and may collect personal data in your survey responses. As the data controller, you may set up your surveys to collect as much or as little personal data as you choose.
It is worth noting that we do not distinguish within our systems between personal and non-personal data. Instead, we treat all data within Snap WebHost as data which is important to you and apply the same high levels of security to all data that you submit to and collect using Snap WebHost (“Survey Data”), and will only process that Survey Data in accordance with your instructions.
The GDPR applies only to personal data. The obligations under the GDPR do not apply to anonymous data. We offer several options to anonymise your surveys, including the option to run anonymous surveys using Snap WebHost. For more information on this, please see https://www.snapsurveys.com/support/worksheets/making-surveys-anonymous/
|B. Principles for data processing: all processing must comply with the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation and integrity and confidentiality, and data controllers are accountable for such compliance.||Compliance with the principles is the responsibility of Snap Surveys’ data controller clients who determine what data they collect from respondents (including how much data they gather, and whether they need to collect personal data at all), the purposes for which that data is used and how long they store the data for.
Various features within Snap WebHost assist compliance with these obligations, including:
– the ability to provide potential respondents with fair processing information (including regarding the purposes for processing and data storage periods)
– where consent is required, obtain that at the beginning of the survey (see C below)
– the ability to delete and rectify Survey Data held in WebHost (see F and G below)
– the ability to download Survey Data from a client’s Snap WebHost account to its own systems at any time
– the ability to anonymise data sets
– applying high levels of security to all data held within Snap WebHost, in line with our ISO 27001:2013 certified Information Security Management System.
|C. Controllers must be able to demonstrate a lawful basis for processing personal data, for example consent, the controller’s legitimate interests, or the performance of a public task.||It is for the data controller to determine the basis for processing for any given survey, but consent is likely to be used in many surveys run by Snap Surveys’ clients (particularly where sensitive categories of personal data may be processed).
Relevant information (fair processing information) regarding the survey may be provided in the survey invitation email and/or at the beginning of the survey (see also D below) and, where required, the first page of the survey can be configured to obtain the respondent’s consent to proceed with the survey. Where consent is obtained as a response to a question in the survey this can provide clients with a record of consent and when it was given. For more information on this, please see https://www.snapsurveys.com/support/worksheets/including-consent-question-survey/
Snap WebHost also offers the option to include an opt-out link in the survey invitation email, to enable respondents to opt-out of the survey and of receiving future survey invitations. For more information on this, please see https://www.snapsurveys.com/support/worksheets/including-opt-link-email-invitation-snap-webhost/
|D. Data subject rights: Generally and the right to information||As a general note, responsibility for compliance with the rights of data subjects falls on the data controller. Snap WebHost contains the features described below to assist our clients in complying with these responsibilities directly themselves.
As a data processor, Snap Surveys will not respond directly to any request made to it by a survey respondent in relation to that respondent’s potential rights under the GDPR. Snap Surveys will instead refer the request to its relevant data controller client and will not take any actions without their instructions. Snap Surveys will provide all reasonable assistance to its clients on their request.
|E. Data subject rights: Access||Snap WebHost allows clients to download and export some or all of their survey response data as they see fit. This means that clients may access an individual’s survey response, and provide a copy of that response to the individual.
Clients should bear in mind that this and the other data subject rights apply only to personal data. Where the data is anonymous, the rights do not apply. As mentioned above, Snap Surveys provides several options for data anonymisation.
|F. Data subject rights: Rectification||Our clients are able to amend and update respondent information or survey responses themselves by uploading revised data to Snap WebHost.|
|G. Data subject rights: Erasure (‘right to be forgotten’)||Our clients are able to delete respondent information or survey responses themselves by uploading revised data sets with the relevant information removed. Note that once deleted by our clients, the information remains on Snap Surveys’ servers for 12 + 2 weeks until it is permanently deleted – see N. below.|
|H. Data subject rights: Restriction of processing||It is possible for our clients to achieve this in a number of ways by:
– placing a marker against a given potential respondent to prevent further survey invitations or reminders being sent to that respondent until any restriction is lifted
– in relation to a given survey response, adding a marker to that response to exclude it from reporting, and/or creating a version of the survey response data with that response excluded from further processing until any restriction is lifted.
|I. Data subject rights: Data portability||It seems unlikely that individuals will exercise this right in relation to their survey response data, but if required Snap WebHost allows clients to download and export individual responses in commonly used electronic formats.|
|J. Data subject rights: Objection||Should a respondent object to the processing of their data, our clients can:
– place a marker against that potential respondent to prevent further survey invitations or reminders being sent to them
– in relation to their survey response, add a marker to that response to exclude it from reporting, and/or create a version of the survey response data with that response removed, which can be used for further processing.
|K. Data subject rights: automated individual decision making, including profiling||In Snap Surveys’ view, it is unlikely that these provisions are intended to apply to the services covered by Snap WebHost.|
|L. Data Protection by Design and Default||As mentioned in B. above, our data controller clients can determine how much or how little personal data to collect using Snap WebHost, and can delete the Survey Data held in Snap WebHost.
Clients can also use Snap WebHost to carry out anonymous surveys or can subsequently anonymise their data sets.
All Survey Data is protected in line with our ISO 27001:2013 Information Security Management System.
|M. Use of processors||We act as a data processor to our data controller clients who use our Snap WebHost system.
Data controllers must have agreements in place with their data processors. Our Software License and Services Agreement already contains data processing provisions which address the requirements of the Data Protection Act, and more. Prior to May 2018 we will be issuing a Snap Surveys Data Processing Addendum to include the additional data processing provisions required by the GDPR.
|N. Deletion or return of data at the end of the agreement||Our clients can download and export the Survey Data held in their WebHost account to their own systems at any time, and delete the Survey Data held in their WebHost account at any time. Snap Surveys encourages its clients to review the Survey Data held in their WebHost accounts at regular intervals and not to retain such Survey Data for longer than is necessary.
On closure of a WebHost account, any Survey Data still contained within that account will remain there for 28 days (unless you ask Snap Surveys to delete it sooner), following which it is deleted in accordance with the procedure below.
Once Survey Data is deleted from WebHost, either by our clients, or by Snap Surveys on account closure, it remains on our servers for a further 12 weeks after deletion (which enables us to guard against accidental deletion by clients of their data), then remains in our back-up system for a further 2 weeks, before being permanently deleted.
Although Snap WebHost gives our clients the ability to export and delete their Survey Data themselves, Snap Surveys can also, on request, assist our clients with the deletion and return of their Survey Data.
|O. Security of processing||Snap Surveys’ commitment to data security is evidenced by its ISO 27001:2013 certification. Our data centre providers Rackspace and UKFast are also ISO 27001:2013 certified.
Central to this is our Information Security Management System which protects the confidentiality, integrity and availability of information within our systems. Our ISMS is regularly tested and externally audited each year as a requirement of maintaining our certification.
|P. Data security breaches||In the unlikely event of a data security breach, Snap Surveys has policies and procedures in place to react swiftly to data security breaches (linked to its wider information security incident management processes under its ISO 27001:2013 certification) and to report any security breaches of which we become aware to our data controller clients without undue delay.
Snap Surveys will co-operate with its clients in relation to the investigation, mitigation and remediation of the breach.
|Q. Overseas transfers of personal data are only permitted where there is an adequate level of protection, appropriate safeguards are in place, or under certain derogations.||For clients with Snap WebHost running on Rackspace UK servers, their Survey Data is held on servers in the UK. For technical support reasons, this is accessible by Snap Surveys staff based in both the UK and the US. Our US subsidiary is certified under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks to ensure an adequate level of protection in those circumstances. In rare technical support circumstances and to provide 24/7 cover, support agents working for Rackspace who are based outside of the EEA may access the servers. We have included EU Model Clauses in our contract with Rackspace to apply their protections to any potential transfers of personal data in those circumstances.
For clients with Snap WebHost running on UKFast servers, their Survey Data is held on servers in the UK. This is a wholly “ringfenced UK solution” and Survey Data will not leave the UK, unless as a result of a transfer made by a client.
For clients that require ultimate control over their Survey Data, we offer the option to install Snap WebHost as a product on clients’ own servers which means that the data is hosted on our clients’ own systems. In this arrangement, the client is both data controller and data processor.
A note on Snap Professional
The summary above focuses on our clients’ use of Snap WebHost, as it is when using Snap WebHost that Snap Surveys acts as a data processor to its clients. Snap Surveys also acts as a software provider in supplying its Snap Professional software. As this software is installed on our clients’ computers Snap Surveys does not have access to this data and does not act as a data processor, but Snap Surveys nonetheless remains focussed on providing its clients with software which allows them to comply with their obligations under GDPR.
In relation to their use of Snap Professional many areas remain under our clients’ complete control, such as:
- the system that it is installed on and the levels of security that our clients apply to this system
- the treatment and final deletion of data following its deletion by a user
- the processes for backing-up that data, and
- the location of where the data is stored.
In addition, many of the features and functionality described in relation to Snap WebHost apply equally to Snap Professional, meaning that our clients can:
- Collect as much or as little survey data as they like, or apply various levels of anonymisation to their surveys
- Provide respondents with fair processing information at the beginning of a survey, and set a consent question where required
- Export, edit and delete data held within Snap Professional
- Comply with the rights of access, rectification, erasure, restriction, data portability and objection
Disclaimer: this document is intended to give an overview of how certain features of Snap WebHost may be able to assist Snap Surveys’ data controller clients in complying with some of their obligations under the GDPR. It is not intended to be an exhaustive statement of the law and readers should not rely on it as legal advice. The circumstances of each client will vary and you may wish to consult your legal advisers for advice on your own specific circumstances.