Last Modified: May 2018
What is GDPR?
If you’re reading this, you probably know, but just like the seatbelt instructions in a Virgin America (RIP) safety video, we have to put this here: The General Data Protection Regulation (“GDPR”) is a new comprehensive data protection law in the European Union (“EU”) that updates existing laws to strengthen the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data. It replaces the patchwork of national data protection laws currently in place with a single set of rules, directly enforceable in each EU member state. The GDPR is effective as of May 25, 2018.
Ethnio GDPR Compliance Summary
Ethnio is fully committed to GDPR compliance, and to enabling our customers to comply with the GDPR. Ethnio maintains a privacy and security program that we continually improve to meet the needs of our customers and to keep pace with industry-standard data protection practice among research tool companies. We have consistently reinforced our commitment to privacy and security through our compliance with the EU-US Privacy Shield Framework and, most recently, through the GDPR-driven changes to our policies and functionality: breach notification policies, new data expiration controls in your account, and the right to be forgotten for any customer or respondent.
How does GDPR impact Ethnio and its customers?
The GDPR regulates the “processing” of personal data of any individual in the EU (referred to as a “data subject”); for Ethnio that covers both our customers and their respondents. “Processing” includes the collection, storage, transfer, or use of personal data. A company is subject to the GDPR regardless of where it is based if it processes the personal data of data subjects in the EU in connection with offering them goods or services or monitoring their behavior. The GDPR also defines personal data very broadly, including name, email, demographic information, real-time location, online activity, and health information, to name a few.
Ethnio receives millions of data points from all over the world, including personal data from respondents, your site visitors, your app users, or any other platform on which you use the Ethnio services. This means that both Ethnio and the customers sending us data need to comply with the requirements of the GDPR.
Ethnio Data Collection
As between Ethnio and our customers, Ethnio is the “data processor” and the customer is the “data controller”, as those terms are defined under the GDPR. The data controller uses Ethnio to collect data from its data subjects (i.e., the customer’s end users) and determines how and why that personal data is processed. The data processor receives the data from the data controller and processes it only on the data controller’s instructions.
Data Protection Officer (DPO)
The GDPR defines the roles of Data Controller and Data Processor and, in certain circumstances, requires the appointment of a Data Protection Officer (DPO). Ethnio has identified these roles internally, and has measures in place to understand the responsibilities of each of them.
If a data breach occurs with the Ethnio service that affects Customer data, how and when will Ethnio notify customers?
Great question. If a confirmed data breach of any kind occurs, Ethnio will notify Customers by email without undue delay, and in no case more than 24 hours after confirmation. Further information about the breach will be released in phases as it becomes available, as the GDPR permits. In addition to email notification, Ethnio uses updates.ethn.io for instant in-app distribution.
Company-wide Awareness and Training of Data Protection
All staff at Ethnio (at a small company, that means pretty much everyone, across HR, Marketing, Research Recruitment, and IT) should complete appropriate training in line with the requirements of the regulation.
Automatic Deletion, DSR, and Opt Out via API
For Enterprise customers, Ethnio offers an Access & Erasure API through which they can send automated Data Subject Requests (DSRs), erasure requests, and unsubscribe or opt-out requests. Generally speaking, “data subjects” are the individuals from whom the data was collected, and these requests are how they exercise control over who holds their data. Ethnio also provides all customers with the ability to export all screener and incentive data, to delete customer data, and to configure automatic data expiration and deletion.
Comprehensive review of vendors
We know we have an important responsibility to scrutinize the vendors we use to help provide our services to our customers. Part of our readiness plan is making sure our vendor contracts adequately address the security, privacy, and confidentiality of our customers’ data under the GDPR; you can be confident that our vendors have undergone a thorough privacy and security review by Ethnio’s legal and security teams. We have also ensured that your data is stored with an industry leader that has a robust security program and appropriate security certifications.
Updated Data Protection Terms
Data Processing Addendum (“DPA”)
Ethnio now offers a Data Processing Addendum (“DPA”), as well as an executable (signature-ready) version.
Publicly Available Security Information
Ethnio’s security information is detailed in PDFs and help center information. This is a good starting place: https://help.ethn.io/hc/en-us/articles/200202785-Documentation-PDFs
More GDPR Info
If you would like more information or have follow-up questions please reach out to us at firstname.lastname@example.org or visit http://ec.europa.eu/justice/data-protection/reform/index_en.html
GDPR Data Requirements
The GDPR does not require that personal data stay in the EU, as long as a recognized legal mechanism covers the transfer; the mechanisms it recognizes include adequacy frameworks such as the EU-US Privacy Shield, as well as standard contractual clauses and binding corporate rules. Ethnio has self-certified under the EU-US Privacy Shield Framework and will maintain our certification under the Privacy Shield Framework or any replacement framework that may come into force.