Here at Dobility, we’ve always taken an approach to data security grounded in the moral obligation to protect privacy and honor confidentiality pledges. For us, that moral obligation was always binding. But with the arrival of the EU’s General Data Protection Regulation (GDPR), this obligation becomes legal as well – at least where the private or sensitive data of EU citizens is concerned. (If you don’t yet know about the GDPR, see our recent post on the subject.)
On May 25, 2018, the GDPR officially begins enforcement, so many of our users have been asking what that means for them, SurveyCTO, and the data they collect with SurveyCTO.
First, here’s what doesn’t change:
- We offer a data-collection platform that allows you to encrypt the data you collect with your own 2048-bit encryption keys. This means that nobody on the Dobility side can read that encrypted data, including support staff, engineering staff, and even server administrators; it also means that, if there were a data breach on the Dobility/server side, encrypted data would be effectively unreadable.
- We offer convenient tools for you to review and export encrypted data with your encryption keys, without requiring that Dobility or any of our servers ever see those keys.
- We offer an EU-based hosting option for all premium and enterprise subscribers. For those users, all SurveyCTO service, databases, and backups reside only in the EU.
- We design our software, server architecture, and internal processes to maximize data protection. This includes steps that extend far beyond industry standards, such as dedicating a separate memory and execution space – and a separate back-end database – to every SurveyCTO subscription.
With arrival of the GDPR, here’s what will change by May 25, 2018:
- Our terms of service will no longer allow the collection of private or sensitive data on EU citizens without a signed Data Processing Agreement (DPA) that complies with GDPR requirements.
- We will have a standard DPA that we are willing to sign, but only for our premium and enterprise subscribers. This means that our free or lower-cost subscription plans won’t offer a GDPR-compliant option for collection of private or sensitive data on EU citizens. (This could change, and we’re trying to keep compliance-related overhead to a minimum. But it just may not be possible to cover the necessary overhead for our lower-cost plans.)
- We will require that all subscriptions covered by a DPA be hosted on our EU infrastructure.
- We will require that all subscriptions covered by a DPA configure encryption keys for all data-collection forms moving forward. This is our first and most critical step toward GDPR compliance: requiring that the existing SurveyCTO encryption option be used by those who collect data on EU citizens. This dramatically limits privacy risks on the Dobility/SurveyCTO/server/cloud side, since private data remains effectively unreadable.
- We will require that subscribers covered by a DPA take more care in choosing which form fields are excepted from encryption coverage (those fields explicitly flagged as “publishable” for the purposes of server-side quality checks or easy publishing to outside systems). Personally-identifiable or sensitive data, as defined by the GDPR, should always remain encrypted within the SurveyCTO system.
We’re doing everything we can to keep compliance costs down, so that we can continue offering an affordable data-collection solution to our EU subscribers. Some GDPR requirements, however, do seem both onerous and expensive, and we are still mapping out our internal compliance roadmap.
For example, it looks like certain types of product or server improvements, moving forward, could require that we secure explicit agreement from every user covered under a DPA – and it sounds a bit nightmarish to have to individually negotiate with dozens or hundreds of different organizations before being able to roll out such improvements. For discrete new features, we could “lock” those features so that users only gain access to them after meeting the necessary legal requirements, but for potential improvements in server hosting infrastructure it’s less clear how to individually opt users in or out. Like every organization that serves EU users with data-related products, we’ll continue working toward compliance and do everything we can to keep the costs manageable.
One key factor in driving compliance costs will be how strongly-encrypted data is classified under the GDPR, particularly for data processors that don’t hold the encryption keys necessary to decrypt that data (like Dobility). For those who have access to the keys, such data is clearly “pseudonymized”: private data is effectively de-identified by encryption, but it can be re-identified by combining the key with the encrypted data. For those who don’t have access to the keys, however, is the data private at all, or effectively anonymized? While there has been some work to carefully interpret the regulations, there is room for interpretation and disagreement; it could be years before there is true clarity (potentially requiring legal battles to play out across different countries).
We’ll keep working on our GDPR compliance between now and May 25 – and moving forward from there. While some of the legal requirements will be costly, we mostly cheer the arrival of a new era in which the bar for data security rises. After all, the moral obligation has always been there.