Riddle: a GDPR compliant quiz maker (General Data Protection Regulation)
Sure, it’s not the most exciting title, but the General Data Protection Regulation (GDPR in short) is a super-important and far-reaching regulation passed by the European Parliament. The goal? To dramatically strengthen data protection for individuals within the European Union. It takes effect May 25th, 2018 – and we are making sure that Riddle is a GDPR compliant quiz maker.
Why should you care?
This regulation will affect anyone creating quizzes to engage their audience and gather leads and other data – and the potential fines of up to €20 million (approx. $23 million USD) apply to everyone involved in the handling of an individual’s personal information.
To protect yourself if you create and embed a quiz, you need to be sure that any quiz maker is fully compliant.
Ouch, right? Don’t worry – we’ve got you covered.
How is Riddle a GDPR compliant quiz maker?
The good news is that Riddle is a GDPR compliant quiz maker – well before the regulation takes effect. We’re big data protection geeks – we already meet these core qualifications for the GDPR:
- No individual or personal data from quiz takers is being stored by Riddle quizzes – unless you are using our current Riddle lead form, in which case you are also covered as the data is stored in your own private webspace, not accessible by anyone but you and hosted in a secure Frankfurt, Germany data center.
- When you use Riddle to build your quiz, you are creating your content in your own private webspace, and your quiz takers’ data is stored in that private space. No one else has access to that data. This means you are fully responsible for how you use Riddle. Our toolkit provides you with everything you need to keep your quizzes compliant with GDPR, but if you are based outside of Europe and have no European visitors on your sites, you might not need all these warnings and messages, so we are giving you the option to not show them.
- All Riddle servers are EU-based in Germany – and we are not using Google, Amazon or any other non-European cloud provider to store data. Our data center is ISO 27001 certified (see below for more info on our data center certifications).
- Riddle is a German company – with the snappy name of Riddle Technologies AG.
- No more Google Analytics – we removed our Google Analytics and Google Tag manager on Nov 11th, 2017.
- No individual tracking of data – all tracking will be EU-based on Riddle’s all-German servers; we will only track aggregate data – never individual quiz taker information.
Upcoming GDPR changes:
- The one thing we still need to create is a data processing agreement, which you need to sign if you need us to access your account and your data to help you out with technical support. We will have that ready for you soon.
Riddle never stores individual responses to any quiz, personality test, poll or any other type of Riddle content.
We only store aggregate quiz data – with no additional information added.
For example, if 1,000 people take your quiz, we store just the total count of quiz answers and overall results – not the specific responses from each user. For example, we will never store data like: Person A answered the questions for Quiz 11343 in this order.
(If you do need individual responses, Riddle supports this using our Zapier app, our webhook or our new lead forms – but you will need to store that data outside of Riddle using a tool like Dropbox, in a way that is GDPR-compliant.)
Here is a screenshot from our database showing how Riddle data is stored. The various IDs (uid, riddleid, leadid) have no link to any data from quiz takers.
- UID is the ID of the registered Riddle user who created the Riddle
- riddleid is the ID of the Riddle
- leadid is a bit misnamed nowadays. It is a legacy ID from when Riddle was a very different tool. Now it is just a unique ID in the Riddle Database Table.
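As an added illustration of the aggregate-only storage described above (example code, not Riddle’s own; the field names riddleid, email, ip, answers and result are assumptions for a constructed sample), this folds quiz submissions into per-quiz totals and then checks that no respondent-identifying field survives in the record that would be stored:

```python
# Added example (not Riddle's code): aggregate-only storage of quiz results.
# Each submission carries respondent details at ingest time (email, IP); only
# per-question answer totals and overall result totals are kept, keyed by the
# quiz id. Field names are assumptions for illustration.
from collections import Counter, defaultdict

# Constructed sample submissions: what a quiz embed might send for one quiz.
SUBMISSIONS = [
    {"riddleid": 11343, "email": "a@example.org", "ip": "203.0.113.7",
     "answers": {"q1": "A", "q2": "C"}, "result": "Type 1"},
    {"riddleid": 11343, "email": "b@example.org", "ip": "198.51.100.9",
     "answers": {"q1": "A", "q2": "B"}, "result": "Type 2"},
    {"riddleid": 11343, "email": "c@example.org", "ip": "192.0.2.44",
     "answers": {"q1": "B", "q2": "C"}, "result": "Type 1"},
]

# Fields that identify a respondent and must never reach the stored record.
PERSONAL_FIELDS = {"email", "ip", "name", "phone"}


def aggregate(submissions):
    """Fold submissions into per-quiz totals, discarding respondent identity."""
    store = defaultdict(lambda: {"taken": 0,
                                 "answers": defaultdict(Counter),
                                 "results": Counter()})
    for sub in submissions:
        rec = store[sub["riddleid"]]
        rec["taken"] += 1
        for question, choice in sub["answers"].items():
            rec["answers"][question][choice] += 1
        rec["results"][sub["result"]] += 1
    # Freeze into plain dicts: this is the only thing that would be written out.
    return {rid: {"taken": r["taken"],
                  "answers": {q: dict(c) for q, c in r["answers"].items()},
                  "results": dict(r["results"])} for rid, r in store.items()}


def contains_personal_data(record):
    """True if any key anywhere in the record is a personal-data field."""
    if isinstance(record, dict):
        return any(k in PERSONAL_FIELDS or contains_personal_data(v)
                   for k, v in record.items())
    return False


if __name__ == "__main__":
    stored = aggregate(SUBMISSIONS)
    assert not contains_personal_data(stored)
    print(stored[11343])
```

The same check can be run against any export before it leaves your systems, so a lead field accidentally joined onto the aggregates is caught before it is written.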
Why is a GDPR compliant quiz maker important if you’re not an EU company?
Based outside the EU? You may think that GDPR does not concern you.
However, you may still be liable under the GDPR – unless you are actively preventing any Europeans from visiting the page where you embed the Riddle quiz.
Okay – but what does liable mean?
It’s pretty brutal. You can be fined by the EU for serving a non-GDPR compliant site to Europeans – even if you have no intention to target them.
This is especially true if you are using Riddle or any other quiz maker to collect leads. The fines related to GDPR violations are not trivial either – they can be as high as €20 million or 4% of your worldwide turnover. Learn more about GDPR fines here.
GDPR compliance: what do I need to do?
For now, just sit tight. As a GDPR compliant quiz maker, we’ve got you covered:
- Our Riddle embeds contain absolutely no tracking tools like Google Analytics or Facebook Pixels.
- For lead generation data storage we offer 2 great options – storing on our servers or sending data to a tool of your choice.
- Creating a data processing agreement. You’ll be able to download it, add your company info – then submit it to us for signature. We will sign, verifying that we are compliant with the GDPR. (Don’t worry – we will notify all customers once our lawyers are done writing this up.) That is the only part that is still missing – but hey, if you have a data processing agreement you want us to sign, send it our way to firstname.lastname@example.org. If there are no crazy clauses in there, we are happy to use yours until ours is ready 🙂
Data collection via our GDPR compliant quiz maker (lead gen 2.0):
Right – as we mentioned, we are rebuilding our lead collection tools from the ground up.
First, they’re going to be awesome – more flexible, powerful, and user-friendly than ever. But even more importantly, they will also be GDPR compliant (hurrah!).
You’ll have two options – and we highly, highly recommend option B!
- Option A: Storing data on our servers in Germany.
- Want to download quiz data and leads with a CSV or XLS file?
- No problem – however, this means your data will be on our servers, but in a “walled garden” in your own account. Only you control who has access to this data. If you need Riddle support to access your account to help you with problems, we will be offering a Data Processing Agreement for this particular purpose that you can sign prior to giving us access. To be compliant with GDPR, you should add a message to your form informing users where you are storing their data. We provide you with the technical means to add this message, but we leave it up to you to display it or not.
- Option B: Store leads and data on your systems
- Riddle’s new lead generation processing features will let you:
- Store leads in your very own Dropbox account
- Send leads to a Google Spreadsheet that you control
- Connect and send leads to a wide range of CRM tools with our built-in connectors.
- Push leads via webhook to a URL of your choice, where you can process them internally
- Send leads to Zapier.com
A quick note about GDPR compliance:
Please note – sending leads to a tool or location of your choice does not make you automatically GDPR compliant.
It just ensures that both you and Riddle are compliant as far as the quiz maker part goes – we won’t be storing any personal customer information anymore.
You’ll still need to make sure you’re compliant on your side. Here are some other resources from the UK’s Information Commissioner’s Office.
Background info on the GDPR
So what is the GDPR all about anyway?
Here’s a quick summary of the GDPR in an easy to digest format – with a focus on being a GDPR compliant quiz maker.
(One more pesky legal disclaimer… remember, this is not legal advice, and this article on GDPR is for informational purposes only – we are not accountable for what we say here. It’s entirely possible we missed some stuff or gave you incorrect info for your particular situation. Please, please, please get a lawyer and data protection specialist to work with you to ensure that your company and website is GDPR-compliant. We are doing the same for Riddle.)
Remember the quote from the classic movie Fight Club – “What’s the first rule of Fight Club?”
Remember, the most important rule:
The GDPR applies to ANY organization that collects or processes personal data of EU residents – no matter where it is located.
GDPR: What is considered personal data?
According to the GDPR, personal data is anything that relates to a person’s private, professional or public life, including:
- Email address
- Bank details
- Posts on social network sites
- Medical information
- Computer’s IP address
- (Seriously – IP addresses are now considered personal data – so make sure you configure your Google Analytics or other tracking software not to collect these.)
Your responsibilities relating to the GDPR
- You will need to provide your customers with contact information for a data controller and you need to provide a data protection officer.
- EU citizens have the right to request information and ask for the deletion of all data stored about them. You need to make sure that you can comply with these requests.
- You also need to make sure to encrypt or pseudonymize data you store. When you choose a tool to store your lead data outside of Riddle, make sure they are compliant.
Any time someone asks the team at Riddle for details about their information – or for information deletion, we’ll pass the request on to you the quiz creator.
However if you have opted in to store lead data with Riddle (Option A listed above), we will provide the info directly to the end user and delete their data upon request.
- We’re happy to handle requests for your account as part of our customer service.
- But being transparent – if we start getting loads of requests for your account, we will work with you to either get the data onto your servers or work out a reasonable fee to cover our costs to handle these requests.
Sanctions and fines
Okay – so what happens if you’re caught breaching the GDPR?
Check out these outcomes and possible sanctions:
- Written warning in case of an unintentional first offense
- Regular data audits (these will hurt)
- Fine up to 10 million EUR or up to 2% of your annual worldwide turnover (whichever is greater)
- Fine of up to 20 million EUR or up to 4% of your annual worldwide turnover (whichever is greater)
As you can see, the fines are pretty drastic.
Sure – the EU might have a difficult time collecting these if your business is based outside the EU, with no business relationship with any EU-based entity or person.
But is it worth the risk? At the very least, it might put a huge damper on your next romantic trip to Paris if you get arrested when entering the EU.
Any questions about the GDPR and your quiz maker?
Drop us a line at email@example.com – we’re not lawyers, but we’re super-friendly and can probably help with most questions. 🙂
Our data center certifications
Our data center is certified as follows:
- ISO 9001:2016 and ISO/IEC 27001:2013
- Payment Card Industry Data Security Standard (PCI DSS)
- ISO 14001:2015, OHSAS 18001:2007 and ISO 50001:2011
If you require copies of the certificates please write to firstname.lastname@example.org