Let us start with the statement most of you are looking for, i.e. AceBot.ai is GDPR compliant. This means that you, our customer, have this box “ticked” and can move forward without worrying about one more thing in life!
Now that the basic question is covered, let us walk through the “how” and what GDPR means to you, whether you run surveys or are the end consumer answering one.
What is GDPR?
GDPR stands for General Data Protection Regulation. It is a regulation in EU (European Union) law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). The GDPR comes into force on May 25, 2018, tightening the rules for businesses on how they collect, store and process EU citizens' personal data. The new regulation will affect organizations worldwide that collect and process the personal data of EU citizens. So, if you’re running an employee survey or a consumer survey, you’re likely to be affected. Please refer to this link for details (Wiki GDPR page)
As AceBot is a tool for data collection and surveys (including the equivalent of web-forms), compliance for us is different from the E-commerce and Social sites. Not only do we ensure your privacy is being protected, but we also provide you with checklists and tools to ensure that you’re looking after your customers’ data and GDPR issues as well.
We are dividing the GDPR information into three viewpoints: AceBot’s own view, the AceBot account holder / customer view, and the respondent view.
However, all of them rest on the following “principles” that need to be adhered to:
GDPR & AceBot (AceBot’s View)
As noted above, compliance for a data-collection and survey tool like AceBot differs from that of e-commerce and social sites. We are publishing a series of info-notes and articles on how our customers can also comply with GDPR requirements.
AceBot Account / Customer View
If you have an AceBot account and are using AceBot to collect information (via a survey), then the following paragraphs describe how YOU can exercise your GDPR rights and meet your obligations to the people you survey.
GDPR is designed to give you more rights and control over your personal data. When AceBot has information from which you can be directly or indirectly identified, you now have rights over what happens to that data. Here’s how to take advantage of them.
What’s ‘personal data’?
‘Personal data’ could be your name, ID number, location data, an online identifier of yours, or even your physical, physiological, mental, economic, cultural or social identity.
OK, so how do I find out about this data?
When you create an account in AceBot, we ask for certain information and store it. As an AceBot user, you will be collecting certain information from your users, employees or the general public. You are responsible for ensuring that you are GDPR compliant with the data so collected. Here is a checklist that we have prepared for you. In summary, you are responsible for the data you collect and need to provide a mechanism for your users to exercise their rights. The rights included in GDPR are:
Access: AceBot allows you to download all the data collected and the chat conversation history. You should use this facility to provide access to user-specific information based on the record identifier that is unique to a survey.
Rectification: using the same download, you should amend a response / data provided by the user if the user so requests (in a formal communication).
Erasure: using the same download, you should delete all data pertaining to a user if such a request is made.
Portability: the downloaded data is in standard CSV, i.e. a portable format.
We recommend that you publish a formal complaint process / contact that the user can use in specific cases.
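The four rights above all come down to the same workflow: download the survey responses and chat history as CSV, locate every row that carries the respondent's record identifier, and then disclose, amend, delete or hand over exactly those rows. The following is an added example of that workflow; it is not AceBot's own code, and the column names (record_id, survey_id, etc.), the two constructed CSV exports and the function names are assumptions made for illustration.

```python
"""Serve GDPR data-subject requests against a CSV survey export.

Hypothetical helper, not AceBot's own code. It assumes the export is a CSV
with a 'record_id' column that is unique within a survey, plus a second CSV
holding the chat conversation history keyed by the same 'record_id'.
"""
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample export; the column names are assumptions, not AceBot's schema.
SURVEY_EXPORT = """record_id,survey_id,submitted_at,name,email,q1_role,q2_satisfaction
r-1001,emp-2018-q2,2018-05-20T09:14:00Z,Alice Example,alice@example.org,Engineer,4
r-1002,emp-2018-q2,2018-05-20T10:02:00Z,Bob Example,bob@example.org,Manager,3
r-1003,emp-2018-q2,2018-05-21T08:45:00Z,Carol Example,carol@example.org,Analyst,5
"""

# Constructed chat history for the same survey, keyed by record_id.
CHAT_EXPORT = """record_id,timestamp,speaker,message
r-1001,2018-05-20T09:13:10Z,bot,Hi! What is your role?
r-1001,2018-05-20T09:13:30Z,user,Engineer
r-1002,2018-05-20T10:01:05Z,bot,Hi! What is your role?
r-1002,2018-05-20T10:01:40Z,user,Manager
"""

Row = Dict[str, str]


def load_csv(text: str) -> List[Row]:
    """Parse a CSV export into a list of row dictionaries (header order kept)."""
    return list(csv.DictReader(io.StringIO(text)))


def dump_csv(rows: List[Row], fieldnames: List[str]) -> str:
    """Serialise rows back to CSV, the 'commonly used electronic format'."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def subject_access(survey: List[Row], chat: List[Row], record_id: str) -> Dict[str, List[Row]]:
    """Right of access: everything held under one record identifier, and nothing else."""
    return {
        "responses": [r for r in survey if r["record_id"] == record_id],
        "chat": [c for c in chat if c["record_id"] == record_id],
    }


def rectify(survey: List[Row], record_id: str, field: str, new_value: str) -> Tuple[List[Row], int]:
    """Right to rectification: amend one field on the respondent's record(s).

    Returns an updated copy (the original list is left untouched) and the
    number of rows changed. A column that does not exist is refused rather
    than silently added.
    """
    if survey and field not in survey[0]:
        raise KeyError(f"no such column: {field}")
    changed = 0
    updated = []
    for r in survey:
        r = dict(r)
        if r["record_id"] == record_id:
            r[field] = new_value
            changed += 1
        updated.append(r)
    return updated, changed


def erase(survey: List[Row], chat: List[Row], record_id: str) -> Tuple[List[Row], List[Row], int]:
    """Right to erasure: drop every row (responses and chat) for the record.

    Returns the remaining survey rows, remaining chat rows and the number of
    rows removed; zero removed means the identifier matched nothing.
    """
    kept_survey = [r for r in survey if r["record_id"] != record_id]
    kept_chat = [c for c in chat if c["record_id"] != record_id]
    removed = (len(survey) - len(kept_survey)) + (len(chat) - len(kept_chat))
    return kept_survey, kept_chat, removed


def portable_export(survey: List[Row], chat: List[Row], record_id: str) -> Dict[str, str]:
    """Right to portability: the respondent's own data as CSV text, per file."""
    mine = subject_access(survey, chat, record_id)
    out: Dict[str, str] = {}
    if mine["responses"]:
        out["responses.csv"] = dump_csv(mine["responses"], list(mine["responses"][0].keys()))
    if mine["chat"]:
        out["chat.csv"] = dump_csv(mine["chat"], list(mine["chat"][0].keys()))
    return out


if __name__ == "__main__":
    survey_rows = load_csv(SURVEY_EXPORT)
    chat_rows = load_csv(CHAT_EXPORT)
    print(subject_access(survey_rows, chat_rows, "r-1001"))
    remaining, remaining_chat, n = erase(survey_rows, chat_rows, "r-1001")
    print(f"erased {n} rows; {len(remaining)} responses and {len(remaining_chat)} chat lines remain")
```

Every operation is keyed on the record identifier rather than on a name or e-mail address, because those can be shared by several respondents or mistyped in the request. The counts returned by `rectify` and `erase` are worth recording in your complaint / request log: a count of zero means the identifier matched nothing, so the request should be queried back rather than confirmed as done.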
There have also been questions specifically asked about where the data should be stored / kept. Here is an FAQ that answers these questions related to GDPR:
If you are collecting data from users, citizens or employees that reside in EEA then GDPR applies to you, even if you are based in a country outside the EU.
The GDPR's definition of personal data is ‘any information relating to an identified or identifiable natural person’. There is, however, a wide interpretation - it could mean a nickname, an ID number, an IP address or other indirect identification.
GDPR’s revised approach means you must have clear documentation that the audience is happy for you to email them. And remember, you will need to obtain new consent from any current contacts in your database as well.
There will be a duty for all organisations to report certain types of data breaches and, in some cases, inform the individuals affected by the breach as well.
Individuals must have the right to access any personal data that you store about them and this must be provided free of charge.
When asked, you must use “reasonable means” to supply the information. For example, if the request is made electronically, you should provide the information in a commonly used electronic format; AceBot allows you to export all the data as a CSV (comma-separated text) file.
Make sure you have a process in place for when an individual asks you to delete their personal data. Would you know where to find the data, who has to give permission to delete it and what internal processes are in place to make sure that it happens?
GDPR has introduced the concept of ‘privacy by design' and by default to encourage organisations to consider data protection throughout the entire life cycle of any process. Organisations will need to implement internal policies and procedures to be compliant.
The majority of data breaches occur because of human error. To make sure staff are aware of their obligations, organisations are encouraged to implement GDPR staff awareness training and provide evidence that they understand the risks.
For many businesses, it will be mandatory to appoint a DPO, for instance if your core activity involves the regular monitoring of individuals on a large scale. You should consider now whether or not you need to appoint a DPO and to make sure they have the required expertise and knowledge.
AceBot, by default, provides you with all of these rights. If in doubt, please contact our support email address. You can mail us at firstname.lastname@example.org
GDPR Rights For Respondents
If you’ve completed a survey, answered questions or had a conversation with the AceBot chat process and want to exercise your GDPR rights, then the following applies:
The customer / organization that is asking you to fill the survey / answer the question is responsible for looking after the data that you provide.
This article tells you everything you need to know about your data rights as an AceBot respondent.
If you’ve sent your personal data through an AceBot survey, you can reach out to us and give us authorization to provide your contact information to the creator of the AceBot. We’ll then forward your request to them. All you need to share is the AceBot URL, or the name of the creator, so we can identify the creator / creating organisation. If you have an AceBot account and you’ve sent your personal data through someone else’s AceBot chat conversation, you should also follow this process. We can’t guarantee that the creator of the AceBot will accommodate your requests, but we’ll do as much as we can. You can mail us at email@example.com