The General Data Protection Rules (GDPR), which take effect May 25th, 2018, specify rules by which businesses can collect and process the personal information of EU citizens. The new rules will impact Inquisit Web researchers who use EU citizens as research participants.
Millisecond provides tools enabling researchers to comply with these rules. Millisecond complies with these rules with respect to how it handles its customers' personal data.
The rules introduce the following key changes:
EU citizens will have the right to request that errors in their personal data are corrected, and they can request restrictions in how those data are used. They can also request that such data be permanently deleted.
A business must have the unambiguous consent of EU citizens prior to collecting any personal data. Businesses must also describe how personal data will be used, and provide a means for customers to opt out.
Data processors must implement high-level security processes to protect personal data from unauthorized use. As part of this requirement, data processors must conduct a Data Protection Impact Assessment (DPIA) that documents risks and mitigations for protecting personal data. Millisecond has conducted a DPIA for existing products and services and updates its assessment as part of its standard procedures for new products and features.
Frequently Asked Questions
Should I get consent from participants to collect their personal data?
While consent is generally required by IRBs for conducting research, if your participants include EU citizens, consent is legally required in order to collect personal information.
Can I avoid collecting personal information with Inquisit?
Yes, you may create and administer test batteries that do not solicit any information that would personally identify a participant. In addition, you can disable IP address logging for your tests so that IP addresses are not collected.
Can I modify a participant’s data that has been collected from my tests?
If you receive a data modification request, please contact Millisecond for assistance in fulfilling the request. Note that if your tests do not collect personal data, then you are not legally required to fulfill modification requests, nor is it practical to do so since you will have no way of identifying which data belongs to the participant.
Can I delete personal data from a test?
Yes, you can delete any test results for which your account permissions provide access by simply logging into your account, selecting the data tab, navigating to the data file in question, selecting it, and clicking the Delete button.
When I delete personal data, is it permanently deleted?
Deleted data are stored in a virtual trash can for 30 days, during which they can be recovered by contacting Millisecond staff. After 30 days, the data are permanently deleted and can no longer be recovered.
How long is personal data retained by Millisecond if I do not delete it?
Data remain accessible from your account for 5 years, after which they are archived and retrievable for a fee.
Does Millisecond ensure that data are accessed by Millisecond employees only as needed?
Millisecond employees do not access or view customers' data unless specifically requested by the customer. Typically this would be done in order to resolve a technical support issue. Only qualified employees with a specific need are able to access customer data.
Does Millisecond employ sub-processors that process customer data?
In the event of a data breach, will I be notified?
If Millisecond confirms a data breach for which Millisecond is at fault, customers will be notified without undue delay, and information about the breach will be given as it becomes available. Customers will be kept abreast of the investigation as well as any remedial steps to be taken.
How can I comply with subject access requests and portability?
Customer data is owned by our customers, so customers are responsible for handling any such requests pertaining to data they have collected with Millisecond’s tools. If the participant making the request is an EU citizen, you are legally responsible for fulfilling that request. Towards that end, you can simply download the data files for that participant in any of our supported formats (e.g. CSV, Excel, or tab-delimited) from within your Millisecond account.
How does Millisecond comply with GDPR requirements for encrypting personal data?
All data collected using Millisecond’s online testing tools are encrypted in our data center using the industry-standard AES-256 cipher.
If you have questions about Millisecond and GDPR, please email us at firstname.lastname@example.org.