1: About Forsta Plus Digital Diaries GDPR Compliance
As of May 25th, 2018, Forsta is GDPR (General Data Protection Regulation) compliant. This compliance covers all Forsta products and extends to users of Forsta Plus Digital Diaries software.
The following sections detail how GDPR compliance affects data storage and use within Forsta Plus Digital Diaries. For additional information regarding Forsta and GDPR, visit Forsta’s GDPR page.
Note: Due to the variance in how our customers conduct their research, Forsta Plus Digital Diaries encourages its customers to seek their own legal advice regarding GDPR compliance.
2: Data Modification
An activity submission may be edited by the participant who submitted the response or a researcher within the same project. This allows a user to ensure that their project meets any privacy requirements and other legal obligations.
3: Data Deletion
Under GDPR requirements, participants have the right to request that all data collected on them be either deleted or provided to them.
In Forsta Plus Digital Diaries, Researchers have complete control over what data gets deleted and when. A Researcher has the ability to delete any of the following:
- Individual data points (e.g., custom profile fields, specific text, file attachments, etc.)
- All responses made by a specific participant
- The entirety of a project's contents (by deleting all participants)
These options allow Researchers to ensure that their project meets any privacy requirements and other legal obligations.
For example, if you want to modify profile information for a particular participant that contains Personally Identifiable Information (PII), you can edit that user's profile using the Participant Page.
If you want to delete one or more participant records (and wipe all of their data permanently), you can do so by removing them from the study. Deleting a participant will remove their responses permanently from the project board.
To permanently delete participants and their associated data, navigate to the Participant page within your study and select the appropriate participant(s) by clicking the checkbox to the left of their screen name(s). Once the participant(s) are selected, click “Delete”. You will be prompted to confirm before all records are deleted. This deletion is irreversible.
4: Data Backup & Retention
Forsta Plus Digital Diaries’s data retention policy is optimized to store and retain data only as long as is reasonable.
4.1: Annual/MRR (license holder) Clients
- Retention period is based on contract term: 12 or 24 months.
- Retention periods can be extended. Contact your Account Manager for details.
- Shorter retention periods of 3 or 6 months are also available.
- Notification emails are sent 30 days and 7 days before a project is archived.
- Projects are automatically archived based on the selected data retention period and the project's finish date (the date the final segment ends).
- You can manually remove projects starting three days after the project's finish date (the date the final segment ends). See Project Settings for details.
- Projects are deleted 60 days after they are archived. Deleted data cannot be restored.
4.2: Ad-hoc Clients
- Standard retention period is 3 months.
- Retention periods can be extended. Contact your Account Manager for details.
- Notification emails are sent 30 days and 7 days before a project is archived.
- Projects are automatically archived based on the selected data retention period and the project's finish date (the date the final segment ends).
- You can manually remove projects starting three days after the project's finish date (the date the final segment ends). See Project Settings for details.
- Projects are deleted 60 days after they are archived. Deleted data cannot be restored.
5: IP Collection
As IP addresses are considered by GDPR guidelines to be personally identifiable information, Forsta Plus Digital Diaries treats IP addresses carefully. IP addresses are not accessible to any users and they exist within logs that are regularly turned over on a recurring 14-day basis.
If you would like more information regarding these tools, please reach out to your Customer Success Representative or contact Forsta Plus Digital Diaries Support.
6: FAQs
What, if any, modifications are needed to make projects GDPR-compliant when creating them?
Upon registration, participant users are prompted to accept the Terms & Conditions and Privacy Policy prior to entering the platform. While the Privacy Policy is always in place, the Terms & Conditions are controlled by the Researcher on a project-by-project basis. For additional information on how to add project Terms & Conditions, see Adding Terms and Conditions.
In the event the researcher team on a project needs to restrict access to user emails, we have two primary options.
- Limit the number of Researcher Roles you place in the study by adding non-moderators as the Observer role.
- In the event no researcher team member should have access to user emails, we offer a feature called Obscure PII. Obscure PII is a feature we can enable on your project which will fully obscure emails, first names, and last names.
If data properly collected on EU residents is stored in the United States, is it still GDPR-compliant?
Yes, if the party storing the data is Privacy Shield-certified or has entered into model clauses with the client (Data Controller), then transfer of data to the U.S. is allowed.
I’m confused about which server to create my project on. How do I determine if I should use US, EU or AU?
It is recommended that studies in the EU be housed on the EU platform, studies in the Americas be housed on the US platform, and studies in APAC countries be housed on the AU platform.
We understand that many studies include countries all over the world, and we are happy to assist if you require recommendations on how to best support your project. For questions regarding access to one of our three servers or for recommendations on which server to create your project, please reach out to your Customer Success Representative or contact Forsta Plus Digital Diaries Support.
Do you have a list of items that are considered PII? I have heard that, in some cases, the combination of certain data is needed before it is considered PII, can you provide a full list?
PII is considered to be any information related to a natural person, or “Data Subject”, that can be used to directly or indirectly identify that person or that is identifiable to a person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
How does Forsta view and consider personal data that your platform(s) collect or use, such as IP addresses, cookies, mobile identifiers, etc.?
Forsta will identify all PII data collected, apply necessary safeguards, and follow GDPR guidance as required.
My company is still uncertain what we need to do to be GDPR-ready. Do you have tools that will help me understand specifically what I need to do to be GDPR-ready?
While all entities involved in market research share the need to protect and manage PII appropriately, Forsta cannot offer specific guidance outside of our own operations. However, we are actively consolidating general GDPR information that may be useful to our partners and clients and will be sharing this on our GDPR page as it becomes available.
How does Forsta address a Subject Access Request (SARs or DSARs) for access or erasure?
Given that Forsta is typically removed from direct contact with subjects, we anticipate these requests will come directly from the data controller or another processor. If Forsta receives any such request, it will be shared with the client for directives and for identifying the subject. In either case, we will comply with the requests, per the guidelines.
How can users find out more about Forsta’s GDPR compliance program? Do you have a compliance statement?
Yes, it is available on our GDPR page.
Will you be able to share Forsta archives of EU interviews with companies and clients in the United States?
US-based clients may access EU citizen data, provided they, and any relevant processors, are GDPR ready.
If viewing a video using Forsta technology, but without access to participant information other than their face / image and the related discussion, is this still considered PII data?
A participant’s image, and in some cases voice (i.e., if the participant is a publicly known person), are considered PII.
Is there a kind of GDPR “diploma” proving you are GDPR compliant?
No. There is no ruling authority which evaluates and certifies data controllers or processors for GDPR.
When using Forsta Plus Digital Diaries, we (or our supplier) send you PII on research participants through e-mail via Excel spreadsheets. Will this process change?
The participant data we receive via email, or otherwise, will be subject to GDPR guidance. As such, it will be stored, managed, and erased accordingly.