The EU GDPR (General Data Protection Regulation) applies to any organisation that handles the personal data of individuals in the EU, and will supersede the current UK Data Protection Act on 25 May 2018. The legislation gives individuals more rights over what organisations do with their data, and includes strict fines for organisations that fail to comply.
As a Stickyworld customer, your organisation by default collects or uses data from ‘Data Subjects’. If those Data Subjects are in the EU, the GDPR applies to you regardless of whether your organisation is based in a non-EU country. Stickyworld customers are ‘Data Controllers’ under the regulation and Stickyworld is a ‘Data Processor’. The GDPR places obligations on Data Controllers to ensure that their contracts with Data Processors comply with the GDPR.
This document explains how we have improved our product to meet the GDPR requirements, improving the experience for Data Subjects and protecting you as a Data Controller. It also describes a continuing programme of development to reduce the workload for any organiser in complying with the regulation.
Organisations must be clear and transparent about the lawful basis for any collection and processing of personal data. Consent is one lawful basis, but in many cases another basis, such as legitimate interests, will be more appropriate.
Data is collected during different engagement activities in your ‘rooms’. Consent is captured for each Data Subject through the registration process. Public visitor comments do not collect any personal data, and they remain a good option for organisations and researchers who do not wish to collect any personal data whatsoever.
Data protection and security must be built in to the collection and use of data about individuals, with privacy impact assessments carried out where appropriate.
We have built Stickyworld to meet modern security standards, and we continue to improve its security features. All accounts require a password, and passwords are stored in encrypted form. Our business is completing Cyber Essentials certification, and we are on a roadmap to meet ISO 27001 by December 2018.
Where consent is relied upon as the basis for processing, the request for consent must be given in easy-to-understand plain language and it must be in an easily accessible form, with the purpose for processing attached to that consent.
New subscribers to the Stickyworld platform go through a double opt-in registration process with the central authentication service, and a further opt-in when they register with each new portal set up by an organiser. Each engagement activity then has its own subscriber opt-in, and the subscriber can unsubscribe from the activity at any time.
The person whose data you are collecting has the right to obtain confirmation of whether personal data concerning them is being processed, together with details such as where it is being processed and for what purposes. This must be provided free of charge and within one month, unless the request is repetitive, excessive or unfounded.
There are several features for contacting the organisers via the interfaces, and an individual's data can be exported in CSV format. Customers can contact Stickyworld for a fuller record of all data transactions for an individual, also provided in CSV format.
The Data Subject can require the Data Controller to erase all personal data about them and to stop third parties processing it. The controller may be able to refuse on certain grounds, for example where there is a public interest in the data remaining available.
We have created a new subscriber interface with a button that lets the subscriber ask the organisers to delete their data. This lets the contact get in touch with the organiser and submit a reason for the right-to-be-forgotten request. If the organiser agrees with the request, there is a button on the contact record page for the organiser to forget the contact directly. All personal data is removed from the contact record, which is then shown as a forgotten contact record.
In the UK, if you become aware of a personal data breach, such as the loss or theft of personal data, you are required to notify the Information Commissioner’s Office (ICO) within 72 hours. The affected Data Subject(s) must also be notified without undue delay if the breach is likely to result in a risk to their rights and freedoms. Organisations must therefore ensure that all data is stored securely, preferably in best-practice systems designed for the purpose.
Stickyworld Ltd is registered with the ICO. In the event of any successful attack on, or data breach of, our systems, we will immediately inform all organisers and admin users both by email and by in-app message. If you use our system to download contact data in CSV format, and you then suffer a loss or breach of your own systems that exposes this downloaded data, you are solely responsible for notifying the Data Subjects, as we will have no record of the download being compromised.
Organisers can message Data Subjects directly from the organiser tools. As an admin user you can download contact CSV files from the Contact Lists by selecting the system list All Users, and you can use this list to notify Data Subjects of any breach. You can also notify our support team and we can provide you with this file.
Organisations may be required to appoint a Data Protection Officer (DPO), who can be a contractor, a new hire or an existing member of the organisation's staff. The DPO must act independently and is responsible for ensuring that the organisation is aware of, and complies with, its data protection responsibilities. For example, a DPO must be appointed if your data activities involve regular and systematic monitoring of Data Subjects on a large scale.
In the short term, Chris McDonald has been appointed as the company’s Data Protection Officer. We also ask our customers for their Data Protection Officer's contact details so that we can send them relevant information about our system and policies.