Fuel Cycle's Commitment to GDPR

Fuel Cycle’s Commitment to Privacy

Fuel Cycle is committed to providing its clients with a secure, reliable platform that prioritizes security and safety above all else. Each year, we invest significant resources in enhancing our security capabilities and regularly conduct penetration tests and code scans to meet the requirements of the most demanding organizations. We are both EU-US Privacy Shield and Swiss-US Privacy Shield Certified and have an enduring commitment to handling personal data in alignment with best industry practices.

We’re proud to build products that reconcile the need for data privacy with the need for organizations to continuously learn from their customers. This document is intended to give Fuel Cycle’s customers an overview of new regulations coming into force in the European Union and how Fuel Cycle helps our customers meet these requirements.

GDPR Overview

In 2016, the European Union instituted a new regulation called the General Data Protection Regulation (GDPR). GDPR makes significant changes to the ways companies and organizations collect and manage personal data, especially personally identifiable information (or PII). GDPR places new and substantial requirements on organizations to protect personal data, but it also helps the research and customer insights industry to ensure personal data is managed in a responsible way. Fuel Cycle’s view is that GDPR is likely a positive development for organizations collecting and managing PII.

What is PII?

The European Union has defined personally identifiable information in very broad strokes. PII includes, but is not limited to:

  • IP Address
  • Email Address
  • Name
  • Residential Address
  • Username
  • Any data point or combination of data points that could be used in conjunction to identify an individual

Researchers should take special care in processing and managing PII to avoid potentially hefty fines and regulations mandated by GDPR. To be clear, collecting or viewing PII is entirely permissible as long as it’s done correctly.

Data Controllers & Processors

GDPR defines two types of entities handling PII in Article 4, called data controllers and data processors.

Data controllers are defined as:

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

A data processor is:

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Organizations that license Fuel Cycle (or other tools) for the purpose of collecting customer information are data controllers, whereas Fuel Cycle is a data processor regardless of whether or not your organization utilizes Fuel Cycle’s professional services. Fuel Cycle’s goal as a data processor is to enable our customers – you – to be GDPR compliant while gathering valuable customer insights made possible only by Fuel Cycle.

GDPR has specific requirements that Fuel Cycle helps our clients address through robust software solutions. These requirements include:

  • Informing citizens of the European Union how their data is collected and will be used
  • The right to export personal data
  • The right to be forgotten
  • Accessing PII on the principle of least-privilege access

In addition, GDPR mandates that companies make Terms of Use and Privacy Policies easy to understand.

Helping Fuel Cycle Clients Navigate GDPR

As of May 23, 2018, Fuel Cycle Communities have a reserved page located at yourcommunityurl.com/privacy. This page is intended to be a one-stop for all privacy-related information and data management for community members.

The balance of this document is intended to explain how Fuel Cycle enables our customers to meet these requirements.

Explicit User Consent

European Union citizens need to be informed how their data is collected and stored – even through the use of common website analytics tools that capture IP addresses. To ensure our customers are always in the right, we have automatically created a trigger when a community member accesses your Fuel Cycle community for the first time from the European Union. We infer location based on the IP address of the user accessing the community.

When we’ve detected an EU-based user, Fuel Cycle automatically displays a modal with information regarding the data collection tools used on Fuel Cycle and how the data are used. Fuel Cycle provides default templates, but the information and text displayed are entirely customizable. The EU detection system and warning modal are configured globally and turned on for all Fuel Cycle licensees.

In addition, users must generally explicitly consent to Terms of Use or Rules of Participation. In other words, users must purposefully check a box to accept Terms. Fuel Cycle provides the ability to configure this setting in Community Settings.

User Data Export

Under GDPR, users should be able to export data they’ve provided to a platform, including algorithmically-defined data like many market research segmentation or typing tools. This new privacy page contains four pages, accessible from any device via a browser.

One of the pages accessible from the new privacy pages includes an option to export all user data. This setting is optional and toggled in the new privacy page setup in community settings. User data export includes all data a community member has provided, including profile fields, survey responses, comments in a discussion board, images, or photos uploaded to the community. The data is exported in a .zip folder containing .csv and image files and may take anywhere from a few minutes to a few hours to complete depending on the volume of member data.

Fuel Cycle takes special care to ensure exported data is only accessed by the member and not a bad actor. After requesting data export, the member is required to enter their community password. Because the export may take some time, the member is notified at the email address associated with their community account that the data file is ready for download. At this point, the member clicks a link provided in the email, again authenticates their account, and is able to download the file.

The Right to Be Forgotten

Another tenet of GDPR is that users should be able to erase their data, effectively eliminating an organization’s ability to access their personal data. GDPR requires that user consent is as easy to revoke as it is to give. So, while Fuel Cycle recognizes the desire to maintain high member numbers, we also believe in complying with the spirit of the regulation and have not made this an overly onerous process, although the platform asks the member to confirm at least twice that they want to erase their account and account data. Like data export, this setting is optional and toggled in the new privacy page setup in community settings.

Members may request account erasure by accessing the dedicated Privacy page and selecting “Your Data.” From there, account erasure is automatically completed when requested. Account erasure is irrevocable. If a member would like to participate in the community again, they will have to re-join the community as if they had never been part of the community before.

On very rare occasions, clients may choose to ban or delete a community member for antisocial behavior. Banning a community member does not revoke their right to either access data they’ve provided or to delete their account. These individuals may access the Privacy page and are able to download or erase their data at this location after they’ve authenticated their account.

Least-privilege Access to PII

GDPR’s principle of least-privilege access essentially says personally identifiable information should be accessible to the fewest people possible, and those people must have a compelling business need to access this information.

Fuel Cycle provides robust controls to manage access to PII. We automatically designate templated profile fields like email address, IP address, names, username, and street address as PII. Fuel Cycle’s customers can also designate other profile fields as PII and decide which researchers have access to PII. PII access is granted and revoked in the Member Management and Moderator Management sections of your Fuel Cycle community.

A Special Note on Fuel Cycle Exchange Integrations

Fuel Cycle does not send PII via our API to Fuel Cycle Exchange partners. When profiling data is shared via our API, it is linked based on the Fuel Cycle UserID. This pseudonymizes member data and ensures you can integrate with confidence. The exception to this is when Fuel Cycle is connected via API to a system like a Customer Relationship Management platform and a field like an email address is the key value to connect different systems.

Easily Understandable Terms of Use & Privacy Policies

GDPR also requires that Terms of Use (or Rules of Participation) and Privacy Policies are easy for the general public to understand. Fuel Cycle provides sample templates for Terms of Use and Privacy Policies, but Fuel Cycle’s licensees are encouraged to use their organization’s documentation.

We updated our Privacy Policy in May 2018. You may access it at fuelcycle.com/privacy.

GDPR Readiness Checklist for Research Communities

  • Consult with your organization’s legal and/or privacy team
  • Review privacy messaging in your community
    • Privacy Acceptance Modal
    • Privacy Overview
    • Privacy Policy
  • Ensure you’re requiring user consent in accordance with your company’s policies
  • Review which moderators and researchers have access to PII
  • Review Terms of Use and Privacy Policies for ease of understanding

If you have general questions about Fuel Cycle’s approach to GDPR and privacy, please feel free to contact your account team, who will work with you to gather information.