1: About Forsta Surveys GDPR Compliance
As of May 25, 2018, Forsta Surveys is GDPR (General Data Protection Regulation) compliant.
The following sections detail how GDPR compliance affects data storage and use within Forsta Surveys. If you have additional questions about Forsta Surveys's GDPR compliance, please reach out to your Customer Success Representative or contact Forsta Surveys Support.
For additional information regarding Forsta and GDPR, visit this page.
Note: Due to the variance in how our customers conduct their research, Forsta Surveys encourages its customers to seek their own legal advice regarding GDPR compliance.
2: Data Modification
Users with "Edit Data" permission may edit survey responses at any time using the View/Edit Responses Report. Data modification allows a user to ensure that their survey data meets any privacy requirements and other legal obligations.
For example, if you wanted to change a participant's name to "Participant x", you would use the "Edit Data" tool in the Report.
3: Data Deletion
Forsta Surveys clients have complete control over what data gets deleted and when. A client user with the appropriate permissions may view, modify, or delete any of the following:
- Responses for a participant for a given project
- Individual participants for a given project
- All participants for a given project
These options allow users to ensure that their survey data meets any privacy requirements and other obligations.
For example, if you wanted to delete response data for a particular participant that contains Personally Identifiable Information (PII), you would use the "Edit Data" tab in the View/Edit Responses Report.
If you wanted to delete one or more participant records, you would use the "Advanced" tab in the View/Edit Responses Report.
4: Data Backup & Retention
Forsta Surveys’s data retention policy is optimized to store and retain data only as long as is reasonable.
See Data Archival and Deletion for more information on how long project-related data is preserved within Forsta Surveys.
5: Survey Fielding Controls
5.1: IP Collection
As IP addresses are considered by GDPR guidelines to be personally identifiable information, Forsta Surveys has updated its default data collection practice to exclude IP collection. Starting with survey compat 139, Forsta Surveys will no longer collect IP address information from participants.
Should IP collection be required for a specific survey, this functionality can be turned on within the survey's Field Settings menu.
For questions on surveys older than compat 139, or to learn how to determine your survey’s compat level, please reach out to your Customer Success Representative or contact Forsta Surveys Support.
Note: Use of the Digital Fingerprinting System requires the collection of participant IP addresses. If fingerprinting is necessary within a survey, you must enable IP collection to allow it.
5.2: Flagging PII
Forsta Surveys uses a PII flagging system to allow users to dictate what participant information is seen by others within their survey data.
The PII flagging system consists of a PII level that is assigned to each user based on their Forsta Surveys access level (i.e., staff user, supervisor, etc.), and a PII level that is assigned to an individual survey variable. Assigning a PII level to a survey variable ensures that only users with a corresponding PII level see the data for that question. All other users will see a blank value instead.
In this way, adding PII levels to survey variables helps users ensure that their survey data meets any privacy requirements and other obligations.
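The following is an added illustration of the PII-level masking described above; it is not Forsta Surveys code and does not use the product's API. It assumes three constructed level names ordered by sensitivity, that a user sees a variable when their level is at least the variable's level (the page says only "corresponding"), and constructed sample responses. Anyone with a lower level receives a blank value for that variable, which is the behaviour the section describes.

```python
from dataclasses import dataclass

# Constructed level names, ordered by sensitivity (higher number = more sensitive).
# The product's real level names are not given on the page; this is an assumption.
PII_LEVELS = {"none": 0, "low": 1, "high": 2}


@dataclass(frozen=True)
class SurveyVariable:
    name: str
    pii_level: str  # level assigned to the survey variable (question)


@dataclass(frozen=True)
class User:
    username: str
    pii_level: str  # level derived from the user's access level (staff, supervisor, ...)


def _rank(level: str) -> int:
    """Map a level name to its rank; reject unknown names instead of silently exposing data."""
    if level not in PII_LEVELS:
        raise ValueError(f"unknown PII level: {level!r}")
    return PII_LEVELS[level]


def can_view(user: User, variable: SurveyVariable) -> bool:
    """Assumption: a user sees a variable when their level is at least the variable's."""
    return _rank(user.pii_level) >= _rank(variable.pii_level)


def mask_response(user: User, schema: list, response: dict) -> dict:
    """Return a copy of one response with every variable the user may not see blanked.

    Only variables present in the schema are emitted, so a column that was never
    assigned a level cannot leak through untouched.
    """
    return {
        var.name: (response.get(var.name, "") if can_view(user, var) else "")
        for var in schema
    }


def mask_dataset(user: User, schema: list, responses: list) -> list:
    """Apply mask_response to every row, as a report export would."""
    return [mask_response(user, schema, row) for row in responses]


def unlevelled_columns(schema: list, responses: list) -> set:
    """Audit helper: columns in the data that have no PII level in the schema at all."""
    known = {var.name for var in schema}
    seen = set()
    for row in responses:
        seen.update(row.keys())
    return seen - known


# Constructed schema and sample data (not real survey records).
SCHEMA = [
    SurveyVariable("uuid", "none"),
    SurveyVariable("q1_satisfaction", "none"),
    SurveyVariable("city", "low"),
    SurveyVariable("email", "high"),
]

RESPONSES = [
    {"uuid": "r-0001", "q1_satisfaction": "4", "city": "Lyon", "email": "a@example.invalid"},
    {"uuid": "r-0002", "q1_satisfaction": "2", "city": "Graz", "email": "b@example.invalid", "phone": "000"},
]

if __name__ == "__main__":
    for who in (User("analyst", "none"), User("supervisor", "low"), User("admin", "high")):
        print(who.username, mask_dataset(who, SCHEMA, RESPONSES))
    print("columns with no PII level:", unlevelled_columns(SCHEMA, RESPONSES))
```

The `unlevelled_columns` check is worth running before any export: a variable that was never given a PII level is the usual way identifying data ends up visible to everyone.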
6: Right to be Forgotten
Under GDPR requirements, data controllers have the right to request that all data collected on them be either deleted or provided to them. Beyond the data editing functionality available via the View/Edit Responses Report, Forsta Surveys has created API tools to make searching for participant records and data across all projects easier.
If you would like more information regarding these tools, please reach out to your Customer Success Representative or contact Forsta Surveys Support.
7: FAQs
Q: Do GDPR regulations apply in any way to aggregate data and reports primarily presented in summary form (typically as percentages or mean scores, etc.), coming from a research buyer who purchases research services from suppliers? Also, do research buyers have a responsibility to ensure their suppliers are GDPR compliant?
A: First, any data that does not qualify as PII, or can’t be connected in any way to PII, would not be subject to GDPR requirements. Second, you are responsible for ensuring that any vendor you use is GDPR ready, if the data in question relates to EU citizens.
Q: What, if any, are the research settings needed to make surveys GDPR-compliant when programming? (i.e. pre-set consent screens or templates to enter controller information, or check for relevant countries to determine if GDPR applies, etc.)
A: Consents addressing the intended data use should be obtained prior to data collection. This consent may be obtained in advance of the survey (collection point) event or immediately prior.
Q: If data properly collected on EU residents is stored in United States, is it still GDPR-compliant?
A: Yes, if the party storing the data is Privacy Shield-certified or has entered into model clauses with the client (Data Controller), then transfer of data to the U.S. is allowed.
Q: Do you have a list of items that are considered PII? I have heard that, in some cases, the combination of certain data is needed before it is considered PII, can you provide a full list?
A: PII is considered any information relating to a natural person, or “Data Subject”, that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Q: Some research requires collecting data from minors, 13 years or younger. How does GDPR affect how we go about managing this?
A: Collecting data from minors requires the consent of a parent and that parent to be present while the survey is being administered.
Q: How does Forsta view and consider personal data that your platform(s) collect or use, such as IP addresses, cookies, mobile identifiers, etc.?
A: Forsta will identify all PII data collected, apply necessary safeguards and follow GDPR guidance as required.
Q: My company is still uncertain what we need to do to be GDPR ready. Do you have tools that will help me understand specifically what I need to do to be GDPR ready?
A: While all entities involved in market research share the need to protect and manage PII appropriately, Forsta cannot offer specific guidance outside of our own operations. However, we are actively consolidating general GDPR information that may be useful to our partners and clients and will be sharing this on our designated GDPR page as it becomes available.
Q: How does Forsta address a Subject Access Request (SARs or DSARs) for access or erasure?
A: Given that Forsta is typically removed from direct contact with subjects, we anticipate these requests will come directly from the data controller or another processor. If Forsta is getting any such request, it will be shared with the client for directives and identifying the subject. In either case, we will comply with the requests, per the guidelines.
Q: If a participant screener tracker uses only initials and no other PII details, and a separate password protected page carries full participant details, is that considered GDPR-compliant?
A: The document with initials alone would not constitute a risk. However, the existence of the second document with “full participant details” would automatically make both documents subject to GDPR requirements.
Q: How can users find out more about Forsta’s GDPR compliance program? Do you have a compliance statement?
A: Yes, it is available on our website; we will share it on our designated GDPR page.
Q: Will you be able to share Forsta archives of EU interviews with companies and clients in the United States?
A: US-based clients may access EU citizen data provided they, and any relevant processors, are GDPR ready.
Q: If viewing an image or video using Forsta Surveys technology, but without access to participant information other than their face/image and the related discussion, is this still considered PII data?
A: A participant’s image, and in some cases voice if the participant is a publicly known person, are considered PII.
Q: Is there a kind of GDPR “diploma” proving you are GDPR compliant?
A: No. There is no ruling authority for GDPR that evaluates and certifies data controllers or processors.