UserTesting and the General Data Protection Regulation (GDPR)
On May 25, 2018, the General Data Protection Regulation (GDPR), intended to strengthen data protection for all individuals in the European Union (EU), goes into effect. This regulation extends EU data protection to cover all foreign (non-EU) companies processing data of EU residents. It is intended to bolster EU residents’ privacy rights, giving citizens the right to gain access to their personal data, and information about how the data is being acquired, processed, and its intended use.
UserTesting’s Commitment to Data Protection and GDPR Compliance
While UserTesting is a champion of open communication between companies and the consumers that they service, we are equally dedicated to the preservation of privacy and protection of data of all with whom we do business. UserTesting will be in compliance with the GDPR by May 25, 2018. We have carefully examined the relevant stipulations of the GDPR and conducted an assessment of applicable UserTesting processes. These steps, as well as ongoing efforts, help us in developing tools and procedures that ensure continuing GDPR compliance for all customers and users of UserTesting products and services.
Passed in 2016, the GDPR (Regulation (EU) 2016/679) replaces a previous directive (Data Protection Directive 95/46/EC). In doing so, it extends jurisdiction and unifies regulations to cover all processing of personal data of EU residents, regardless of a company’s location.
GDPR updates seek to increase clarity and streamline processes and communications for both consumers and data controllers. By clarifying expectations for all parties, the GDPR makes it easier for EU residents to manage who has their personal data and how it is used. Additionally, it gives them the right to request to see the personal data that has been collected about them or request that it be erased.
With passage of the GDPR, new rules and guidelines were established and communicated. Per the EU GDPR portal, the following changes go into effect with the enforcement of the GDPR.
|Key change||Summary of outcome|
|Increased territorial scope||More clarity on application of data privacy rules. Now, regulations apply to all companies processing personal data of EU residents, regardless of company location.|
|Consent||Clarity regarding consent. Companies must clearly and intelligibly communicate that they are collecting personal data and how it is meant to be used, ensuring consumer is informed that they are giving consent.|
|Breach notification||Immediacy of notification. Companies are mandated to notify impacted customers and relevant parties within 72 hours of first becoming aware of a data breach likely to “result in a risk for the rights and freedoms of individuals.”|
|Right to access||Availability of information. Consumers have the right to request information on whether or not their data is being processed, where and for what purpose and data controllers must comply in responding.|
|Right to be forgotten||Greater control over one’s data. Also known as Data Erasure, data controllers must comply when consumers ask that their personal data no longer be processed or distributed, or that it be erased completely.|
|Data portability||Supports automated transfer of personal data between data controllers. Consumers are able to transfer the personal data that they have requested to another data controller.|
|Privacy by design||Data protection as an integral consideration in the design of new systems. Rather than an afterthought or addition, data controllers must implement the appropriate technical and procedural measures to ensure data protection from the start of new initiatives.|
|Data protection officers||Mandatory appointment of data protection officer. DPO is responsible for ensuring ongoing compliance via education and training of relevant team members, routine security audits, and service as liaison between company and Supervisory Authorities.|
Implications for our customers and panel participants
Here at UserTesting, we understand that trust is the cornerstone of authentic discourse. We provide products and services that support the flow of honest feedback, under the premise that this information is vital towards innovation and providing consumers with better, more helpful and increasingly enjoyable experiences.
For this reason, the GDPR aligns directly with our goals and ideologies: that we have to respect the privacy and ensure the security of all customers, partners and associated parties who have made the choice to do business with us.
Information regarding data processing
As a platform, UserTesting takes instructions from customers and presents them to selected consumers that have opted in and have been screened for acceptance into our panel. Participants from the UserTesting panel are selected if they match the criteria, including demographics and screener questions, as indicated by the customer.
The participants follow the instructions while UserTesting records their:
- Device screen
- Camera input (which may include their face) for some kinds of tests
- Answers to any questions in the instructions
The resulting video and answers are then available to customers for further processing using the platform including:
- Note taking
- Clip making
- Highlight reel creation
- Machine transcription
- Sharing of videos (full videos, clips and highlight reels)
- Downloading of videos (full videos, clips and highlight reels)
- Downloading of notes, transcripts and links to videos in excel format
While this additional processing is facilitated by the platform, it is completely controlled by the customer.
Additionally, UserTesting facilitates live conversations with selected participants. UserTesting records these conversations.
Such recordings include:
- Voices of participants
- Faces of participants who turn on cameras
- Screens of participants who turn on screen sharing
Once completed, the recordings are subjected to the same supplemental processing described above.
Towards these outcomes, UserTesting engages the products and services of other vendors. As a step in ensuring GDPR compliance, UserTesting has reviewed and continues to assess vendors for compliance assurances. Customers can login to view current vendors and status here.
Support for our customers
For support on how to access, inspect, update and remove personal information, customers can email firstname.lastname@example.org.
Additionally, customers can access the UserTesting Help Center for insights and tips on maintaining privacy for study participants, including:
- Best Practices for Avoiding the Collection of Personally Identifiable Information (PII)
- Using the Blur Tool to Protect Personally Identifiable Information (PII)
Customers can download a copy of this GDPR Overview here.
Support for our study participants
Participants in the UserTesting panel (sometimes called “study participants” or “testers”) can view and manage personal information by logging into their account. They can also manually delete their account once logged in. Additionally, study participants can access the UserTesting Help Center for insights and tips on protecting their personal information, including:
|Panel participants||Individuals who have applied and been selected to participant in the UserTesting panel||https://www.usertesting.com/terms-of-use-tester|
|Participants invited by company||Individuals who have been invited to participate in a study via an email from a company (using “My Recruit”)||https://www.usertesting.com/terms-of-use-my-recruit/|
|Enterprise customers||Companies who are paying users of the UserTesting platform, and who create, launch and analyze studies using the audience of their choosing||https://www.usertesting.com/terms-of-use-enterprise-client|