Sure, it’s not the most exciting title, but the General Data Protection Regulation (GDPR in short) is a super-important and far-reaching regulation passed by the European Parliament. The goal? To dramatically strengthen the data protection for individuals without the European Union. It took effect May 25th, 2018 – and we are very pleased to announce that Riddle is a fully GDPR-compliant quiz maker.
Why should you care?
This regulation will affect anyone creating quizzes to engage their audience and gather leads and other data – and the potential fines up €20 million (approx. $23 million USD) apply to everyone involved in the handling of an individual’s personal information.
To protect yourself if you create and embed a quiz, you need to be sure that any quiz maker is fully compliant.
Ouch, right? Don’t worry – we’ve got you covered.
How is Riddle a GDPR compliant quiz maker?
The good news is that Riddle is GDPR compliant quiz maker – well before the regulation takes effect. We’re big data protection geeks – we already meet these core qualifications for the GDPR:
- No individual or personal data from quiz takers is being stored by Riddle quizzes – unless you are using our current Riddle lead form, in which case you are also covered as the data is stored encrypted in your own private webspace, not accessible by anyone but you and hosted in a secure Frankfurt, Germany data center with a backup server located in Luxembourg.
- Your data is your own private workspace – when you use Riddle to build your quiz you are creating your content in your own private webspace and your quiz takers data is stored in your private space. No one else has access to that data. This means, you are fully responsible for how you use Riddle. Our toolkit provides you with everything you need to keep your quizzes compliant with GDPR, but if you are based outside of Europe and have no European visitors on your sites, you might not need all these warnings and messages, so we are giving you the option to not show them. If you are using Riddle to generate leads and choose to store them in your private space on our German servers, we will encrypt the lead data and only you will have access to the decrypted data via download. You can also choose to delete selected records and inform your customers about the personal data stored.
- All Riddle servers are EU-based in Germany – and we are not using Google, Amazon or any other non-European cloud provider to store data. Our data center is ISO 27001 certified (see below for more info on our data center certifications).
- Riddle is a German company – with the snappy name of Riddle Technologies AG.
- No more Google Analytics – we removed our Google Analytics and Google Tag manager on Nov 11th, 2017 from all Riddle embeds. This means, when you embed a Riddle in your site, we will not be tracking data from the embed with Google Analytics or any other tracker.
- No individual tracking of data – all tracking will be EU-based on Riddle’s all-German servers; we will only track aggregate data – never individual quiz taker information.
- If you wish to sign a data processing agreement with us, please head on over to our online documentation, where you can print and sign our DPA.
We only store aggregate quiz data – with no additional information added.
For example, if 1,000 people take your quiz, we store just the total count of quiz answers and overall results – not the specific responses from each user. For example, we will never store data like: Person A answered the questions for Quiz 11343 in this order.
(Riddle supports this option using our Zapier app, our webhook or our new lead forms – but you will need to store that data outside of Riddle using a tool like DropBox, in a way that is GDPR-compliant.)
Here is a screenshot from our database showing how Riddle data is stored. The various ID’s (uid, riddleid, leadid) have no link to any data from quiz takers.
- UID is the ID of the registered Riddle user who created the Riddle
- riddleid is the ID of the Riddle
- leadid is a bit misnamed nowadays. It is a legacy ID from when Riddle was a very different tool. Now it is just a unique ID in the Riddle Database Table.
Why is a GDPR compliant quiz maker important if you’re not an EU company?
Based outside the EU? You may think that GDPR does not concern you.
However, you may still be liable under the GDPR – unless you are actively preventing any Europeans from visiting the page where you embed the Riddle quiz.
Okay – but what does liable mean?
It’s pretty brutal. You can be fined by the EU for serving a non-GDPR compliant site to Europeans – even if you have no intention to target them.
This is especially true if you are using Riddle or any other quiz maker to collect leads. The fines related to GDPR violations are not trivial either – they can be as high as €20 million or 4% of your worldwide turnover. Learn more about GDPR fines here.
GDPR compliance: what do I need to do?
For now, just sit tight. As a GDPR compliant quiz maker, we’ve got you covered:
- Our Riddle embeds contain absolutely no tracking tools like Google Analytics or Facebook Pixels.
- For Lead Generation data storage we offer 2 great options – storing on our servers or sending data to a tool of your choice
- Creating a data processing agreement. No need to make one yourself – you’ll be able to download, add your company info – then submit to us for signature. We will sign verifying that we are compliant with the GDPR.
Data collection via our GDPR compliant quiz maker:
Our lead collection tools have been rebuilt from the ground up.
Featuring a drag/drop form builder, they are more flexible, powerful, and user-friendly than ever. Save your data in two ways:
- Option A: Storing data on our servers in Germany
- Want to download quiz data and leads with a CSV or XLS file?
- No problem – your data will be on our servers but in a “walled garden” in your own account. Only you control who has access to this data.
- To comply with the GPPR, you can use our form builder to add a message to your form, informing the users where you are storing their data.
- Option B: Store leads and data yourself
- Riddle’s new lead generation processing features will let you:
- Store leads in your very own Dropbox account
- Send leads to a Google Spreadsheet that you control
- Connect and send leads to a wide range of CRM tools with our build in connectors.
- Push leads via webhook to a URL of your choice, where you can process them internally
- Send leads to Zapier.com
- Riddle’s new lead generation processing features will let you:
A quick note about GDPR compliance:
Please note – sending leads to a tool or location of your choice does not make you automatically GDPR compliant.
It just ensures that both you and Riddle are compliant as far as the quiz maker part goes – we won’t be storing any personal customer information anymore.
You’ll still need to make sure you’re compliant on your side. Here are some other resources from the UK’s Information Commissioner’s Office.
Background info on the GDPR
So what is all the GDPR about anyways?
Here’s a quick summary of the GDPR in an easy to digest format – with a focus on being a GDPR compliant quiz maker.
(One more pesky legal disclaimer… remember, this is not legal advice, and this article on GDPR is for informational purposes only – we are not accountable for what we say here. It’s entirely possible we missed some stuff or gave you incorrect info for your particular situation. Please, please, please get a lawyer and data protection specialist to work with you to ensure that your company and website is GDPR-compliant. We are doing the same for Riddle.)
Remember, the most important rule:
The GDPR applies to ANY organization that collects or processes personal data of EU residents – no matter where it is located.
GDPR: What is considered personal data?
According to the GDPR, personal data is anything that relates to a person’s private, professional or public life, including:
- Email address
- Bank details
- Posts on social network sites
- Medical information
- Computer’s IP address
- (Seriously – IP addresses are now considered personal data – so make sure you have your Google Analytics or other tracking software to not collect these.)
Your responsibilities relating to the GDPR
- You will need to provide your customers with contact information for a data controller and you need to provide a data protection officer.
- EU citizens have the right to request information and ask for the deletion of all data stored about them. You need to make sure that you can comply with these requests.
- You also need to make sure to encrypt or pseudonymize data you store. When you choose a tool to store your lead data outside of Riddle, make sure they are compliant.
Any time someone asks the team at Riddle for details about their information – or for information deletion, we’ll pass the request on to you the quiz creator.
However if you have opted in to store lead data with Riddle (Option A listed above), we will provide the info directly to the end user and delete their data upon request.
- We’re happy to handle requests for your account as part of our customer service.
- But being transparent – if we start getting loads of requests for your account, we will work with you to either get the data onto your servers or work out a reasonable fee to cover our costs to handle these requests.
Sanctions and fines
Okay – so what happens if you’re caught breaching the GDPR?
Check out these outcomes and possible sanctions:
- Written warning in case of a unintentional first offense
- Regular data audits (these will hurt)
- Fine up to 10 million EUR or up to 2% of your annual worldwide turnover (whichever is greater)
- Fine of up to 20 million EUR or up to 4% of your annual worldwide turnover (whichever is greater)
As you can see, the fines are pretty drastic.
Sure – the EU might have a difficult time collecting these if your business is based outside the EU, with no business relationship with any EU-based entity or person.
But is it worth the risk? At the very least, it might put a huge damper on your next romantic trip to Paris if you get arrested when entering the EU.
Any questions about the GDPR and your quiz maker?
Drop us a line at firstname.lastname@example.org – we’re not lawyers, but we super-friendly and can probably help with most questions. 🙂
Our data center certifications
We take data protection seriously. Our data center is certified as follows:
- ISO 9001:2016 and ISO/IEC 27001:2013
- Payment Card Industry Data Security Standard (PCI DSS)
- ISO 14001:2015, OHSAS 18001:2007 and ISO 50001:2011
If you require copies of the certificates, please email us at email@example.com – and we’ll get them right over to you.