Riddle: GDPR compliant quiz maker (General Data Protection Regulation)
Sure, it’s not the most exciting title, but the General Data Protection Regulation (GDPR for short) is a super-important and far-reaching regulation passed by the European Parliament. The goal? To dramatically strengthen data protection for individuals within the European Union. It takes effect May 25th, 2018 – and we are making sure that Riddle is a GDPR compliant quiz maker.
Why should you care?
This regulation will affect anyone creating quizzes to engage their audience and gather leads and other data – and the potential fines of up to €20 million (approx. $23 million USD) apply to everyone involved in the handling of an individual’s personal information.
To protect yourself if you create and embed a quiz, you need to be sure that any quiz maker is fully compliant.
Ouch, right? Don’t worry – we’ve got you covered.
How is Riddle a GDPR compliant quiz maker?
The good news is that Riddle will be a GDPR compliant quiz maker well before the regulation takes effect. We’re big data protection geeks – we already meet these core qualifications for the GDPR:
- No individual or personal data from quiz takers is being stored by Riddle quizzes – unless you are using our current Riddle lead form (and this will be compliant very shortly as well).
- All Riddle servers are EU-based in Germany – and we are not using Google, Amazon or any other non-European cloud provider to store data.
- Riddle will be a German company (by Dec. 2017) – with the snappy name of Riddle Technologies AG.
- No more Google Analytics – we removed our Google Analytics and Google Tag manager on Nov 11th, 2017.
- No individual tracking of data – all tracking will be EU-based on Riddle’s all-German servers; we will only track aggregate data – never individual quiz taker information.
Upcoming GDPR changes:
- The major improvement we’re deploying next has to do with our built-in lead generation form, which allows you to collect emails and other user data.
- Currently, we store the data entered into the form along with the quiz data for that lead entry.
- However – we’re actively working on Riddle Lead Generation 2.0, which will be fully GDPR compliant (see below for all the details).
Riddle never stores individual responses to any quiz, personality test, poll or any other type of Riddle content.
We only store aggregate quiz data – with no additional information added.
For example, if 1,000 people take your quiz, we store just the total count of quiz answers and overall results – not the specific responses from each user. In other words, we will never store data like: Person A answered the questions for Quiz 11343 in this order.
(If you need individual responses, Riddle supports this using our Zapier app, our webhook or our new lead forms – but you will need to store that data outside of Riddle using a tool like DropBox, in a way that is GDPR-compliant.)
Why is a GDPR compliant quiz maker important if you’re not an EU company?
Based outside the EU? You may think that GDPR does not concern you.
However, you may still be liable under the GDPR – unless you are actively preventing any Europeans from visiting the page where you embed the Riddle quiz.
Okay – but what does liable mean?
It’s pretty brutal. You can be fined by the EU for serving a non-GDPR compliant site to Europeans – even if you have no intention to target them.
This is especially true if you are using Riddle or any other quiz maker to collect leads. The fines related to GDPR violations are not trivial either – they can be as high as €20 million or 4% of your worldwide turnover. Learn more about GDPR fines here.
GDPR compliance: what do I need to do?
For now, just sit tight. As an (almost) GDPR compliant quiz maker, we’ve got you mostly covered – and are already actively updating our systems so that they tick all of the GDPR boxes:
- Removed all tracking tools like Google Analytics
- Rebuilding our lead generation tools so that no data is ever stored on our servers (more on that below)
- Creating a data processing agreement. You’ll be able to download it, add your company info – then submit it to us for signature. We will sign, verifying that we are compliant with the GDPR. (Don’t worry – we will notify all customers once our lawyers are done writing this up.)
Data collection via our GDPR compliant quiz maker (lead gen 2.0):
Right – as we mentioned, we are rebuilding our lead collection tools from the ground up.
First, they’re going to be awesome – more flexible, powerful, and user-friendly than ever. But even more importantly, they will also be GDPR compliant (hurrah!).
You’ll have two options – and we highly, highly recommend option B!
- Option A: Storing data on our servers (not recommended)
- Want to download quiz data and leads with a CSV or XLS file?
- No problem – however, this means your data will be on our servers. To be compliant with the GDPR, we will need to add a mandatory check box to your form. Under the GDPR, your customer will need to confirm that it is OK for the data to be stored with Riddle.
- We are going to honor deletion requests from quiz takers – and we will delete the data without asking for the quiz creator’s permission.
- This option is not ideal – adding an extra opt-in for your lead generation forms will dramatically reduce conversions.
- (All of this sounds like a pain, right? Check out Option B – our new lead gen forms are much more convenient.)
- Option B: Store leads and data on your systems (highly recommended)
- Riddle’s new lead generation processing features will let you:
- Store leads in your very own Dropbox account
- Send leads to a Google Spreadsheet that you control
- Connect and send leads to a wide range of CRM tools
- Push leads via webhook to a URL of your choice, where you can process them internally
- Send leads to Zapier.com
A quick note about GDPR compliance:
Please note – sending leads to a tool or location of your choice does not make you automatically GDPR compliant.
It just ensures that both you and Riddle are compliant as far as the quiz maker part goes – we won’t be storing any personal customer information anymore.
You’ll still need to make sure you’re compliant on your side. Here are some other resources from the UK’s Information Commissioner’s Office.
Background info on the GDPR
So what is all the GDPR about anyways?
Here’s a quick summary of the GDPR in an easy to digest format – with a focus on being a GDPR compliant quiz maker.
(One more pesky legal disclaimer… remember, this is not legal advice, and this article on GDPR is for informational purposes only – we are not accountable for what we say here. It’s entirely possible we missed some stuff or gave you incorrect info for your particular situation. Please, please, please get a lawyer and data protection specialist to work with you to ensure that your company and website is GDPR-compliant. We are doing the same for Riddle.)
Remember the quote from the classic movie Fight Club – “What’s the first rule of Fight Club?”
Remember, the most important rule:
The GDPR applies to ANY organization that collects or processes personal data of EU residents – no matter where it is located.
GDPR: What is considered personal data?
According to the GDPR, personal data is anything that relates to a person’s private, professional or public life, including:
- Email address
- Bank details
- Posts on social network sites
- Medical information
- Computer’s IP address
- (Seriously – IP addresses are now considered personal data – so make sure you configure your Google Analytics or other tracking software not to collect these.)
Your responsibilities relating to the GDPR
- You will need to provide your customers with contact information for a data controller and you need to provide a data protection officer.
- EU citizens have the right to request information and ask for the deletion of all data stored about them. You need to make sure that you can comply with these requests.
- You also need to make sure to encrypt or pseudonymize data you store. When you choose a tool to store your lead data outside of Riddle, make sure they are compliant.
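As an added illustration (not Riddle’s code), here is a small Python store that applies the three points above and the aggregate-only approach described earlier: it keeps only per-question answer counts, stores a lead only when the taker opted in, keeps the IP address only as a keyed HMAC pseudonym, and honors an erasure request. The key, quiz id and example.org addresses are constructed for the example.

```python
import hmac
import hashlib
from collections import Counter, defaultdict

# Assumed secret for keyed pseudonymisation (constructed); load from a secret store in practice.
PSEUDONYM_KEY = b"rotate-me-example-key"

def pseudonymize(value: str) -> str:
    """Keyed HMAC-SHA256: stable pseudonym, not reversible without the key."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()

class QuizStore:
    def __init__(self):
        # quiz_id -> question index -> Counter of chosen answers (no per-user rows)
        self.aggregates = defaultdict(lambda: defaultdict(Counter))
        self.leads = []  # only populated for takers who ticked the opt-in box

    def record(self, submission: dict, opt_in: bool = False) -> None:
        quiz = submission["quiz_id"]
        for q_idx, choice in enumerate(submission["answers"]):
            self.aggregates[quiz][q_idx][choice] += 1
        if opt_in and submission.get("email"):
            self.leads.append({
                "quiz_id": quiz,
                "email": submission["email"],
                # an IP address is personal data under the GDPR: keep only a keyed pseudonym
                "ip_pseudonym": pseudonymize(submission.get("ip", "")),
            })

    def totals(self, quiz_id: str) -> dict:
        """Aggregate view: {question index: {choice: count}}."""
        return {q: dict(c) for q, c in self.aggregates[quiz_id].items()}

    def erase(self, email: str) -> int:
        """Right to erasure: drop every lead for this email; aggregates are unaffected."""
        before = len(self.leads)
        self.leads = [lead for lead in self.leads if lead["email"] != email]
        return before - len(self.leads)

def demo() -> QuizStore:
    """Constructed sample submissions (hypothetical quiz 'q1', example.org addresses)."""
    store = QuizStore()
    store.record({"quiz_id": "q1", "answers": [0, 2], "email": "a@example.org",
                  "ip": "203.0.113.5"}, opt_in=True)
    store.record({"quiz_id": "q1", "answers": [0, 1], "email": "c@example.org",
                  "ip": "203.0.113.7"})  # no opt-in: nothing personal is kept
    store.record({"quiz_id": "q1", "answers": [1, 2], "email": "b@example.org",
                  "ip": "203.0.113.9"}, opt_in=True)
    return store
```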
Any time someone asks the team at Riddle for details about their information – or for information deletion – we’ll pass the request on to you, the quiz creator.
However, if you have opted in to store lead data with Riddle (Option A listed above), we will provide the info directly to the end user and delete their data upon request.
- We’re happy to handle requests for your account as part of our customer service.
- But being transparent – if we start getting loads of requests for your account, we will work with you to either get the data onto your servers or work out a reasonable fee to cover our costs to handle these requests.
Sanctions and fines
Okay – so what happens if you’re caught breaching the GDPR?
Check out these outcomes and possible sanctions:
- Written warning in case of an unintentional first offense
- Regular data audits (these will hurt)
- Fine up to 10 million EUR or up to 2% of your annual worldwide turnover (whichever is greater)
- Fine of up to 20 million EUR or up to 4% of your annual worldwide turnover (whichever is greater)
As you can see, the fines are pretty drastic.
Sure – the EU might have a difficult time collecting these if your business is based outside the EU, with no business relationship with any EU-based entity or person.
But is it worth the risk? At the very least, it might put a huge damper on your next romantic trip to Paris if you get arrested when entering the EU.
Any questions about the GDPR and your quiz maker?
Drop us a line at firstname.lastname@example.org – we’re not lawyers, but we’re super-friendly and can probably help with most questions. 🙂