Where are we now with GDPR

So I’ve read the threads and still haven’t seen an example of how people are complying with GDPR regulations in a B2C situation. Great to have cookie consent and a terms and conditions tick box and even the login screen component, but for me that’s not enough. How are people dealing with cookie consent under the various categories, i.e. Necessary, Preference etc.? Not to mention Google Analytics! Can anybody show me an example of a landing page on the app or anywhere else that deals with these? The Glide documentation is clear and excellently laid out, but that does not cover the intermediary, i.e. us, the data controller. Please prove me wrong and tell me that all of the above is doable. I’d be happy to pay triple the monthly pro plan price!

2 Likes

For my EU telemedicine company we have:

  • privacy + terms & conditions as links on email splash screen
  • terms are voluntary, in that if you do not agree to them, do not use the app
  • we ask for permission to use the glide mandatory cookie (for use)
  • we are adjusting our data privacy to give us the right to use Google Analytics (we believe it is necessary for us to offer the service we need)
  • we support the right to be deleted and have a process to support that
  • we moved our Google Workspace account to Germany
  • we are locking down external services like cloudinary and AWS S3 so we reduce image data leakage (and are actively looking to delete / not reference images ‘saved’ in glide - as these would be deleted automatically by glide after 7 days)
  • we use row owners throughout the app (restricts data leakage through the browser ‘inspect’ tools)

I think that’s it - but it’s plausible there is more going on.

I hope this helps :slight_smile:

6 Likes

Thanks @Mark_Turrell! I’d like to see the landing page. In relation to Google Analytics, I understand that in certain circumstances these might be necessary, but are they really? Great to have an option for users to opt in or out of these and still use the app, IMHO. It seems to be standard across most websites and apps for users to be able to indicate which cookies they would like to opt for. Is there an option for registered users to be managed through the app as having opted in or not for Google Analytics? I remember reading on another post that potentially we don’t need to ask for consent, as Google have recently changed their analytics to not include PI.

2 Likes

It would be great to have it as an option.

Inside our app we have a second layer of consent - for permission to use health data (required) and to accept marketing communication (optional). The Health data needs to be a separate explicit consent within the app - and if you do not accept, you cannot create an account fully or use the app.

Our law firm told us we needed explicit consent in our data privacy terms to use Google Analytics. So we are following their advice.

In terms of usefulness, I started not planning to implement it, but we have it on our company web site and the data has been extremely useful to develop functionality, content, flows, etc. Inside our user app we currently only have about 50% of people who sign into the app actually complete an account - and I would love to improve the experience and make that 80%+. And there are many other parts of the app that could similarly benefit from insight such as this.

Thanks @Mark_Turrell. Great information here and I’m a little more at ease with the potential for this app in the EU!

So if my understanding is correct, you have a public landing app which changes to a public-with-email app when a user consents to the T&C’s? Are you using the sign-in component to manage this?

In relation to Google Analytics, how do you intend to manage this at signup? If a user consents to all other T&C’s but not Google Analytics, is there a way to exclude this user from Google Analytics?

Thanks again for all your help.

Right now Google Analytics is mandatory - so it’s agreed to before signup.

Glide does not have the option to make it optional right now.

And I have a public pro app.
Splash screen to collect email has links to our terms + data privacy
If they enter their email, and then the pin, then they have accepted the terms.

Then they go to onboarding and setup screens. They can only complete the setup if they agree the health data terms. If not, their account is not saved.

Thanks, @Mark_Turrell. I’ve done a bit of snooping and can see the T&C’s links etc. on your website. It’s very clear and excellently done! As you say in a previous post, explicit consent is required, and it would be a great addition to be able to manage this within Glide. Currently, how are you informing users of this? Is it also in the T&C’s? Perhaps I’ve missed it! I’d like to have a look at it as I’m meeting a client tomorrow who is GDPR crazy. Ireland is a hotbed of GDPR activity, so I’d like to have an answer about how I could manage this until we can manage it within Glide. As you say, the alternative is not to use it.

BTW, I can only imagine, given the type of data you are collecting, the hoops you must have had to jump through, so I applaud you for getting this far within the confines of GDPR. I’ll simply be collecting an email and name, so I’m not in the same league!

We have new Terms & Conditions that we are putting up this week while the system is offline for major updates. Our lawyers said we only need to change our Data Privacy Terms - so that’s what we will do :slight_smile:

And yes - I have a lot more info when one collects data for covid-19 rapid tests - and the process via video supervision… and then ship out a medical certificate :slight_smile: :slight_smile:

I have become adept at handling hoop-jumping - the answer is often ‘no’, but then you just need to reframe the question to get a different answer (one that works)

2 Likes

:rofl:

Great @Mark_Turrell. If it’s just a change, this would be amazing. It’s just dawned on me that with a move to Google Workspace I’ll need to redo the app! :frowning: A small price to pay, I suppose. I noticed a countdown on your app. Is this the countdown component or some other Google Sheet wizardry? There’s no pause button on show. I’d like to implement something like this.

Countdown is just a simple math column (X - now) * 1440 (for mins in a day), then a template column to display :wink:

2 Likes

Interesting and thanks.

thanks for the checklist @Mark_Turrell

Can you please elaborate: how do you achieve the following:

AWS is a few things (I hired an AWS certified technical person to help me - and maybe you could borrow her if you need).

With Cloudinary it is work about to be started - but not done yet. She will do this work for me too - and we’ll see how far we get :slight_smile: :slight_smile:

1 Like

We fixed our data privacy terms - to take into consideration how Glide processes and stores data, plus our use of Cloudinary and Integromat. And the solution is:

  1. Data transfer abroad

Your personal health data (ie data on symptoms and advice) and other personal data are primarily stored within the EU. However, some of the recipients are located outside your country and the EEA or do relevant business where data protection laws may not offer the same level of protection as the laws in your country and there may not be an adequacy decision by the European Commission. Covessa will take measures to ensure adequate protection in the event of transfers outside the EEA, as prescribed by the applicable data protection laws.

The recipients outside the EEA are based in the United States. Standard contractual clauses have been concluded with these companies. Covessa has also ensured that all of these recipients have taken appropriate technical and organizational security measures to protect the personal data from accidental or unlawful destruction, accidental loss or change, unauthorized disclosure or access, and any other unlawful forms of processing. Further transfers to subcontractors are only permitted with prior approval by Covessa (Art. 28 GDPR).

5 Likes

Many thanks @Mark_Turrell for being so open to sharing your experience of managing GDPR. I think, like a lot of other EU Gliders, you’ve really clarified that we can in fact use the platform in a B2C / B2B context. What remains to be clarified is the use of Google Analytics within apps and how Glide can manage the selection process for these from a user perspective. Hopefully this is on a roadmap somewhere!

1 Like

I put the use of Google Analytics into our terms and conditions :slight_smile: and made it mandatory if you want to use the app :slight_smile:

thanks @Mark_Turrell !
For clarification: so, even though AWS and Cloudinary are not your direct business partners (since there is Glide in between; they are Glide’s subprocessors), you were able to conclude contracts with them to ensure data security?
If yes: amazing that they agreed! Especially on the part that requires your prior approval.

Do you think it makes sense if Glide makes such contracts with its subprocessors for all Gliders with European users, and makes these contracts transparent?

I suspect people are being persuaded by their lawyers to overthink this and focus on irrelevant things.

We have standard agreements with all our IT providers, Glide, AWS, etc. Totally standard.

These standard terms are considered acceptable in terms of our Data Transfer terms.

And I end the argument there :slight_smile: :slight_smile: There is no need to do more… and if your lawyer says otherwise, find another lawyer (there are many of them… and I focus on paying to get an answer I need rather than letting them dictate what they think is interesting :slight_smile: :slight_smile: I have about 300,000 Euro worth of experience chatting with these people over the years :slight_smile: :slight_smile: