About Decipher GDPR Compliance
As of May 25, 2018, Decipher is GDPR (General Data Protection Regulation) compliant.
The following sections detail how GDPR compliance affects data storage and use within Decipher. If you have additional questions about Decipher's GDPR compliance, please reach out to your Customer Success Representative or contact Decipher Support.
For additional information regarding FocusVision and GDPR, visit this page.
Note: Due to the variance in how our customers conduct their research, Decipher encourages its customers to seek their own legal advice regarding GDPR compliance.
Users with "Edit Data" permission may edit survey responses at any time using the View/Edit Responses Report. Data modification allows a user to ensure that their survey data meets any privacy requirements and other legal obligations.
For example, if you wanted to change a respondent's name to "Respondent x", you would use the "Edit Data" tool in the Report.
Decipher clients have complete control over what data gets deleted and when. A client user with the appropriate permissions may view, modify, or delete any of the following:
- Responses for a respondent for a given project
- Individual respondents for a given project
- All respondents for a given project
These options allow users to ensure that their survey data meets any privacy requirements and other obligations.
For example, if you wanted to delete response data for a particular respondent that contains Personally Identifiable Information (PII), you would use the "Edit Data" tab in the View/Edit Responses Report.
If you wanted to delete one or more respondent records, you would use the "Advanced" tab in the View/Edit Responses Report.
Data Backup & Retention
Decipher’s data retention policy is optimized to store and retain data only as long as is reasonable.
Click here for more information on how long project-related data is preserved within Decipher.
Survey Fielding Controls
As IP addresses are considered by GDPR guidelines to be personally identifiable information, Decipher has updated its default data collection practice to exclude IP collection. Starting with survey compat 139, Decipher will no longer collect IP address information from respondents.
Should IP collection be required for a specific survey, this functionality can be turned on within the survey's Field Settings menu.
For questions on surveys older than compat 139, or to learn how to determine your survey’s compat level, please reach out to your Customer Success Representative or contact Decipher Support.
Note: Use of the Digital Fingerprinting System requires the collection of respondent IP addresses. If fingerprinting is necessary within a survey, you must enable IP collection to allow it.
Decipher uses a PII flagging system to allow users to dictate what respondent information is seen by others within their survey data.
The PII flagging system consists of a PII level that is assigned to each user based on their Decipher access level (i.e., staff user, supervisor, etc.), and a PII level that is assigned to an individual survey variable. Assigning a PII level to a survey variable ensures that only users with a corresponding PII level see the data for that question. All other users will see a blank value instead.
In this way, adding PII levels to survey variables helps users ensure that their survey data meets any privacy requirements and other obligations.
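As an added illustration (not Decipher's own code or API), the masking rule described above can be modeled as a filter that compares each survey variable's PII level with the viewing user's PII level and blanks anything the user is not entitled to see. The example assumes levels are small integers where a user sees a variable when their level is at least the variable's level; the page says "corresponding" without defining the ordering, so that is an assumption. It also includes a check a data owner could run over an exported report to confirm that no flagged value survived for a given viewer level.

```python
from typing import Any, Dict, List, Tuple

# Constructed variable-to-PII-level map for this example. Level 0 = not PII;
# higher numbers = more sensitive. The ordering is an assumption here, not
# a statement of how Decipher's levels are actually defined.
VARIABLE_PII_LEVELS: Dict[str, int] = {
    "q1_satisfaction": 0,
    "ip_address": 1,
    "q2_email": 2,
    "q3_name": 2,
}

# Constructed respondent records (sample data, not real respondents).
RESPONSES: List[Dict[str, Any]] = [
    {"uuid": "r-0001", "q1_satisfaction": 4, "q2_email": "a@example.com",
     "q3_name": "Alice Example", "ip_address": "198.51.100.7"},
    {"uuid": "r-0002", "q1_satisfaction": 2, "q2_email": "b@example.com",
     "q3_name": "Bob Example", "ip_address": "203.0.113.9"},
]


def mask_for_viewer(record: Dict[str, Any], viewer_level: int,
                    pii_levels: Dict[str, int] = VARIABLE_PII_LEVELS) -> Dict[str, Any]:
    """Return a copy of one response in which every variable whose PII level
    exceeds the viewer's level is replaced by a blank value ("")."""
    masked: Dict[str, Any] = {}
    for var, value in record.items():
        required = pii_levels.get(var, 0)  # unflagged variables stay visible
        masked[var] = value if viewer_level >= required else ""
    return masked


def masked_report(responses: List[Dict[str, Any]], viewer_level: int,
                  pii_levels: Dict[str, int] = VARIABLE_PII_LEVELS) -> List[Dict[str, Any]]:
    """Apply the per-user masking to a whole set of responses."""
    return [mask_for_viewer(r, viewer_level, pii_levels) for r in responses]


def leaks_pii(report: List[Dict[str, Any]], viewer_level: int,
              pii_levels: Dict[str, int] = VARIABLE_PII_LEVELS) -> List[Tuple[str, str]]:
    """Audit check: list (uuid, variable) pairs where a report meant for
    `viewer_level` still carries a non-blank value above that level."""
    found: List[Tuple[str, str]] = []
    for record in report:
        for var, value in record.items():
            if value != "" and pii_levels.get(var, 0) > viewer_level:
                found.append((record["uuid"], var))
    return found
```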
Right to be Forgotten
Under GDPR requirements, data controllers have the right to request that all data collected on them be either deleted or provided to them. Beyond the data editing functionality available via the View/Edit Responses Report, Decipher has created API tools to make searching for respondent records and data across all projects easier.
If you would like more information regarding these tools, please reach out to your Customer Success Representative or contact Decipher Support.
Q: Do GDPR regulations apply in any way to aggregate data and reports primarily presented in summary form (typically as percentages or mean scores, etc.), coming from a research buyer who purchases research services from suppliers? Also, do research buyers have a responsibility to ensure their suppliers are GDPR compliant?
A: First, any data that does not qualify as PII, or can’t be connected in any way to PII, would not be subject to GDPR requirements. Second, you are responsible for ensuring that any vendor you use is GDPR ready, if the data in question relates to EU citizens.
Q: What, if any, are the research settings needed to make surveys GDPR-compliant when programming? (i.e. pre-set consent screens or templates to enter controller information, or check for relevant countries to determine if GDPR applies, etc.)
A: Consents addressing the intended data use should be obtained prior to data collection. This consent may be obtained in advance of the survey (collection point) event or immediately prior.
Q: If data properly collected on EU residents is stored in United States, is it still GDPR-compliant?
A: Yes, if the party storing the data is Privacy Shield-certified or has entered into model clauses with the client (Data Controller), then transfer of data to the U.S. is allowed.
Q: Do you have a list of items that are considered PII? I have heard that, in some cases, the combination of certain data is needed before it is considered PII, can you provide a full list?
A: PII is considered any information related to a natural person, or “Data Subject”, that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Q: Some research requires collecting data from minors, 13 years or younger. How does GDPR affect how we go about managing this?
A: Collecting data from minors requires the consent of a parent and that parent to be present while the survey is being administered.
Q: How does FocusVision view and consider personal data that your platform(s) collect or use, such as IP addresses, cookies, mobile identifiers, etc.?
A: FocusVision will identify all PII data collected, apply necessary safeguards and follow GDPR guidance as required.
Q: My company is still uncertain what we need to do to be GDPR ready. Do you have tools that will help me understand specifically what I need to do to be GDPR ready?
A: While all entities involved in market research share the need to protect and manage PII appropriately, FocusVision cannot offer specific guidance outside of our own operations. However, we are actively consolidating general GDPR information that may be useful to our partners and clients and will be sharing this on our designated GDPR page as it becomes available.
Q: How does FocusVision address a Subject Access Request (SARs or DSARs) for access or erasure?
A: Given that FocusVision is typically removed from direct contact with subjects, we anticipate these requests will come directly from the data controller or another processor. If FocusVision receives any such request, it will be shared with the client for directives and for identifying the subject. In either case, we will comply with the requests, per the guidelines.
Q: If a respondent screener tracker uses only initials and no other PII details, and a separate password protected page carries full respondent details, is that considered GDPR-compliant?
A: The document with initials alone would not constitute a risk. However, the existence of the second document with “full respondent details” would automatically make both documents subject to GDPR requirements.
Q: How can users find out more about FocusVision’s GDPR compliance program? Do you have a compliance statement?
A: Yes, it is available on our website; we will be sharing this on our designated GDPR page.
Q: Will you be able to share FocusVision archives of EU interviews with companies and clients in the United States?
A: US-based clients may access EU citizen data provided they, and any relevant processors, are GDPR ready.
Q: If viewing an image or video using Decipher technology, but without access to respondent information other than their face/image and the related discussion, is this still considered PII data?
A: A respondent’s image, and in some cases voice if the respondent is a publicly known person, are considered PII.
Q: Is there a kind of GDPR “diploma” proving you are GDPR compliant?
A: No. There is no ruling authority for GDPR that evaluates and certifies data controllers or processors.