On another note:

Scale : Last month we worked on a project for a major U.K. retailer and sent around 350,000 invites out to a survey hosted on LS .. to which we got around 20K completes ... and an additional 6K opt outs flagged (not sure if these would have been a delete request if the option was there) so even if there was say 20% of those that took the delete option this would mean 1200 emails to be delt with.

I found this very interesting and we always have questions here in the forum on how it scales. Unfortunately there is very little real life expierence with big sample sizes. Many market research surveys in the adhoc sector are a lot smaller.
Would you mind to share a little showcase about how Limesurvey worked for this project, how you hosted LS and how you guaranteed performance? But that would be something for another trhead. It would be nice if you could share a little bit about your experience with big samples.

If only this was true ....... The workforce for this is me ... and the budget is "Try to save as much cash as possible"

Ups, I understand your concern now even a little better.

holch wrote: it would be good if we can have a brain storming here and create a list of what is necessary to be compliant and then create a feature request.

Happy to start the ball rolling here based on what I know about the legislation ...

It is all about personally identifiable date - Name / Address / Email address etc (it also covers media based data but that's less of a concern here .. photo/ video / audio etc.)

The legislation introduces new rights to an individual ... the main ones that should be looked at for LS are...

The right to erasure : I want you to delete me
The right to restrict processing : I dont want you to do anything with my data
The right to portability : I want to take my data from you and give it to someone
The right to rectification : Some of the info you have on me is wrong and I want it corrected
and The right of access : I want to know what data you hold on me

Here is how I could see features working in LS

The right to erasure : The link to delete as started in this thread ... but would also delete the record from the database
The right to restrict processing: a cookie cutter question on the end screen that gives consent to process the data if it is not checked then that data is not included in any reports or exports
The right to portability : A link in the invite that triggers an export of the token record in CSV format and sends it to the requester (This would also work for the right of access as well)
The right to rectification : The ability to overwrite fields in the token table based on answers in the survey

I feel as though that would cover off most of these rights.

Now for the the other side of things ... Where data and how securely the data is stored ... this depends on your system and implementation of servers etc, however as a safeguard would it be possible to have flags that sit with the token fields (name etc.) that identify those fields as Personal Information (The thing that the GDPR is concerned with) and then at an appropriate time you could remove these fields (say on completion of the survey when they are no longer needed) ... I have never needed any P.I. post collection in a quantitative survey so the information is superfluous to requirement and could easily be stripped out without consequence and help companies mitigate the risk of a data leak.

My thoughts anyway (and I am not a lawyer so my interpretation of what would be needed)

holch wrote: On another note:

Scale : Last month we worked on a project for a major U.K. retailer and sent around 350,000 invites out to a survey hosted on LS .. to which we got around 20K completes ... and an additional 6K opt outs flagged (not sure if these would have been a delete request if the option was there) so even if there was say 20% of those that took the delete option this would mean 1200 emails to be delt with.

I found this very interesting and we always have questions here in the forum on how it scales. Unfortunately there is very little real life expierence with big sample sizes. Many market research surveys in the adhoc sector are a lot smaller.
Would you mind to share a little showcase about how Limesurvey worked for this project, how you hosted LS and how you guaranteed performance? But that would be something for another trhead. It would be nice if you could share a little bit about your experience with big samples.

Would be happy post on a showcase on here about this for others if they found it useful .. just tell me where you would like it and I will do that ...

Great! That is already a very good starting point for discussion.
[quote[The right to restrict processing: a cookie cutter question on the end screen that gives consent to process the data if it is not checked then that data is not included in any reports or exports[/quote]
Wouldn't it make more sense to have this question already at the beginning and just not continue if they do not agree? Why going through all the survey to just say: do not include me in the reports?

holch wrote: Great! That is already a very good starting point for discussion.
[quote[The right to restrict processing: a cookie cutter question on the end screen that gives consent to process the data if it is not checked then that data is not included in any reports or exports

Wouldn't it make more sense to have this question already at the beginning and just not continue if they do not agree? Why going through all the survey to just say: do not include me in the reports?[/quote]

This is where it gets tricky and I know others in the industry face this problem ... we are explicitly not allowed to refuse people the right to give data under the legislation ... i.e. we cannot exclude them ... but we have to offer them the ability to refuse processing where this processing is done on an automated basis (segmentation for example where an algorithm is used)

In our surveys we have started to have explicit consent questions added to the start of the survey ... but they also have to have the opportunity to refuse process so ....

Start - do you agree to share your thoughts etc. - Yes
Take survey and collect data
Normal process - end survey and use data based on consent collected at the start ....
If we started to put in a full explanation of how we will process this data and when at the start then we run the risk of the respondent bailing at that point ...

Our interpretation of the new legislation

Start - do you agree to share your thoughts etc. - Yes
Take survey and collect data
End of survey - Thank you for sharing your insights, this data will be run through a series of processes where we may group you with other like minded individuals for reporting purposes. This is an automatic process where none of your personally identifiable information will be reported out to our clients or any other 3rd party. Do you agree to this processing of your data ... Yes / No

By the time a respondent has gone through the survey and completed it we would expect a minimal refusal rate here so we feel as though this would be the better option.

It is all about transparency and we feel that this would comply to the letter of the regulation in this way.

Hope that makes sense?

holch wrote: The right to restrict processing: a cookie cutter question on the end screen that gives consent to process the data if it is not checked then that data is not included in any reports or exports

I thought that was the purpose of the privacy policy feature which is already implemented in LS 3.X.Y? You cannot continue without consent. The boxes still show the wrong text in 3.5.4.

bugs.limesurvey.org/view.php?id=13456

Nobody has mentioned pseudonymization yet -- would that be an easier approach to solving some of these issues?

phplist wrote: Nobody has mentioned pseudonymization yet -- would that be an easier approach to solving some of these issues?

After the survey has closed then this would be possible with an additional field in the data as an internal reference # but it is not really possible before that time as you would need the actual email address to send out invites / reminders.

It is between the initial invite and close of survey that is important in this aspect as we would generally see request for opt out in the first hours/days of sending the invite email.

We generally keep surveys open for between 7 and 14 days dependent on sample size required and outgo size and we would send a reminder or 2 during this time period so would need the email address to do this.

phplist wrote: Nobody has mentioned pseudonymization yet -- would that be an easier approach to solving some of these issues?

I would expect that you need to do all the work in a manual way. I don't expect any tools inside LimeSurvey in the next months. Roadmap: manual.limesurvey.org/LimeSurvey_roadmap...eased_.28Feb_2018.29

Hi all,

as all of you I was looking into the GDPR regulations, and made a start on a plugin to, for now, allow the automatic viewing/deletion of Token data using a secure link in the invite/reminder mails.

Currently you can add the link to emails using a placeholder (@@@TOKENREMOVE@@@) and the plugin will parse this with a working link. When a user goes to that link he/she can see his token data and optionally remove it.

You can read more about it here:
medium.com/@evently/gdpr-plugin-f7e600219885

and download it here
github.com/evently-nl/LimeGDPR

It will definitely need more option/features to be completly gdpr compliant, but hoping for input from people with more knowledge on that to see if we can come up with a GDPR proof plugin (removal of actual responses for example). And then there's still the database encryption issue.)

I will also try to update another plugin I once wrote, that anonimizes token data after submitting their response: This might get a start on pseudo anonimity while still keeping the consumer friendly 'save data and continue later' with the same link option.

Anyway, looking forward to your input and hopefully it will help more people this week

Cheers,
Stefan