What is GDPR?
The General Data Protection Regulation is legislation designed to ensure that all organisations who hold personal data about individuals store and use it in a responsible and legal manner. It came into effect on 25 May 2018. You can read more about GDPR at the Information Commissioner’s website ico.org.uk.
What personal data does Solverboard hold?
When the Platform Manager sets up Solverboard, we collect their name, email address, and organisation name, as well as financial details such as billing address and credit card details.
When an individual signs up as a user to a Solverboard instance, we collect their name and email address so that we can identify them again when they log in. Once they have registered, they are free to add other information about themselves, such as a picture and biographical details.
As users use Solverboard, they create personal data in the form of contributions to the site, specifically comments and other interactions.
Contributions such as Ideas remain the property of the organisation that set up Solverboard; however, users can ask to have their identifying details removed from these Items. (See the Right to Erasure, below.)
Is Solverboard allowed to collect personal data?
The GDPR sets out a number of reasons why organisations are allowed to collect and process personal data - these are known as Lawful Bases. Solverboard collects and processes data under the following lawful bases:
- To fulfil our contractual obligations - as our customer, we need your personal data to provide you with our services
- For our legitimate interests, where they don’t clash with your rights - for example to collect payments due to us under our contract
- To fulfil our legal obligations - for example, we need your email address in order to tell you of changes to our terms and conditions
If Solverboard collects the data, why is my organisation the Data Controller?
According to GDPR, the Data Controller “determines the purposes and means of processing personal data.” By setting up a Solverboard instance, your organisation has made the decision to collect personal data on its invited users for its own business or organisational purposes, and is therefore the Data Controller.
By providing the software, Solverlink (the company that runs Solverboard) processes the data on behalf of your organisation, and is therefore the Data Processor.
What do I or my organisation have to do?
We’ve made it as easy as possible for your organisation to be compliant with GDPR by setting up a Privacy Centre for all users where they can understand and control what happens to their data (see below). As far as we can, we have automated these requests. However, there are a few actions that you, as Data Controller, still need to take.
- We recommend that you assign a Privacy Manager to deal with data protection requests and issues. As Platform Owner, you are the default Privacy Manager, but you can assign this to someone else in your organisation in the Settings of your Solverboard instance.
What does the Privacy Manager do?
Some of the changes your users have the right to make to their personal data can be done automatically. Others require us to make manual changes or provide anonymised data such as logs. Users will send these requests to your organisation’s Privacy Manager via the Privacy Centre. The Privacy Manager must collect them and liaise with us, by contacting Solverboard’s Privacy Manager at email@example.com, to ensure that they are actioned.
What kind of changes can users make?
Under GDPR individuals have a specific set of rights regarding their data:
- Right of access - Users have the right to see all personal data we hold about them. They can make this request in the Privacy Centre on their Solverboard profile. We will then provide them with the relevant data logs within one month of the request. As the Privacy Manager, you can request to see all personal data logs we hold for your instance of Solverboard, which we will provide in an anonymised form.
- Right to rectification - Users have the right to change any data about themselves they believe to be incorrect. They can alter most of their data via their Solverboard profiles, and can request other changes by contacting the Privacy Manager via the Privacy Centre.
- Right to erasure - Users can request that all their personal data is removed from Solverboard. Because Solverboard contains interlinked data such as comments, we cannot remove their contributions completely from the platform. Instead we remove all their personal data and anonymise their contributions so they cannot be identified. PLEASE NOTE THIS REQUEST MEANS THEY WILL NO LONGER BE ABLE TO USE SOLVERBOARD. If a user requests to be erased, we ask them for double confirmation and notify their Privacy Manager before removal.
- Right to restrict processing - Users can ask that we do not use their personal data for any purpose. This would normally be a temporary measure while any data issues are resolved, and they do this by contacting the Privacy Manager via the Privacy Centre.
- Right to data portability - Users can request that we supply their personal data in a form that can be used elsewhere. They do this by contacting the Privacy Manager via the Privacy Centre.
- Right to object - Users can object to their data being processed for any purpose. If the purpose is for marketing, this is an absolute right, and Users can opt out of marketing communications at any time via the Profile. In other cases, we may still need to process their data for legitimate reasons, for example to notify them of new terms and conditions. Users object by contacting the Privacy Manager via the Privacy tab in their Profile.
- Rights related to automated decision making including profiling - at the moment Solverboard does not use personal data in this manner, so this is not included in the Privacy Centre.
Why do you not remove contributions to Solverboard when you erase my data?
Contributions to Solverboard such as Comments, Ideas, etc. are all interlinked: an idea is posted to a specific goal, other users might comment on it, and so on. If we remove the content of these contributions, many interactions on the platform will cease to make sense for those users still using Solverboard.
Furthermore, removing them completely from our database would create technical inconsistencies that could affect how the platform operates. By removing all identifying data from these contributions, we maintain the integrity of the platform while ensuring that your personal identity is no longer associated with them.
Is personal data secure on Solverboard?
Does Solverboard ever share personal data with other organisations?
No. We will never do this, except where we are compelled to by law.
What happens next?
Who can I talk to for more information?
If you or your users have any queries about how Solverboard helps your organisation be compliant, please don’t hesitate to get in touch: firstname.lastname@example.org.
To find out more about GDPR, please go to the Information Commissioner’s website.