GDPR Overview
As of May 25, 2018, the European Union's (EU's) General Data Protection Regulation (GDPR) affects all companies processing data from EU citizens. Firstup has features that empower our customers to comply with the GDPR requirements, though the regulation only applies to the data of employees with citizenship in the EU. If you do not have employees located in the EU, you still have the option to leverage these features for your program but are not required to do so.
To comply with GDPR, we have the following features:
- Data portability: Users will be able to request an export of their data directly through the platform and Program Managers will be able to export a user’s data from the Users page in Studio.
- Right to be forgotten: Users will be able to reach out directly through the platform to request erasure of their data and Program Managers will be able to forget a user’s data from the Users page in Studio.
Export Data or Forget a user from the Users page:
Configure GDPR Contacts
Customize who on your team receives GDPR request emails from your users on the Basics page under Configure Program.
Export User Data
Export Data is to be completed after receiving a request from a user.
If you are looking to export the data about more than one user, please refer to Review or Edit User Data and Roles - Exporting Users instead.
How to export data for one user:
- Navigate to your program's Users page.
- Search for the user who requested the data export by email or name.
- Click on the three dots to the right of the user to select Export Data.
- After selecting Export Data, a .csv will automatically download into your browser window or your Downloads folder on your computer.
- Respond to the user with an email that includes the exported .csv as an attachment. Create a new email if you are not able to reply directly to the user.
The Export Data button does NOT trigger an email to the user. Per the requirements of the General Data Protection Regulation (GDPR), the request for the exported data must be fulfilled by the Data Controller (your Organization); it cannot be fulfilled by the Data Processor (Firstup).
Forget (aka Erase) User Data
To be completed after receiving a request from a user.
- Navigate to your program's Users page.
- Search by email or name for the user who requested erasure.
- Click on the three dots to the right of the user to select Forget.
- You will be prompted to confirm that you want to proceed with this irreversible step. Forgetting a user does the following:
  - The user's personal data is erased, all other data for their record is anonymized, and they will no longer be able to log into the web experience, mobile apps, or Studio.
  - If you try to look the user up later, you will find no results by email or name. The account will appear as a Blocked profile with a name such as "ForgottenUser".
  - Note: the Blocked status does not prevent the user from creating a new account with the same email - see the re-registering note below.
- Respond to the user with an email confirming that their account has been erased. Create a new email if you are not able to reply directly to the user.
The Forget button does NOT trigger an email to the user. Firstup is not able to automate a reply to the user, as the user's email and device information has been erased from our system.
Note: if you leverage a user data file via SFTP to synchronize your user data with our system, the user should also be removed from the user data file before the user is forgotten. If the user is not removed from your user data file, the next file upload will re-add the user to the platform as a created user, including any custom attributes provided in the file. This will violate their expectation of being forgotten.
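A pre-upload check for the situation in the note above, as an added example that is not Firstup's code: it drops forgotten users from the user data file before the file is sent over SFTP. The CSV layout with an `email` column, the HMAC-keyed suppression list, and all names and sample rows are assumptions made for illustration.

```python
import csv
import hashlib
import hmac
import io

# Assumption: the sync file is a CSV with an "email" column; the real layout
# is whatever your program's user data file uses.
EMAIL_COLUMN = "email"


def email_digest(email: str, key: bytes) -> str:
    """Keyed digest of a normalized address, so the suppression list
    does not store the plaintext email of a forgotten user."""
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def filter_user_file(csv_text: str, suppressed: set[str], key: bytes):
    """Return (clean_csv_text, removed_count) with forgotten users dropped."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames is None or EMAIL_COLUMN not in reader.fieldnames:
        # Fail closed: never upload a file that could not be checked.
        raise ValueError(f"user file has no {EMAIL_COLUMN!r} column")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    removed = 0
    for row in reader:
        if email_digest(row[EMAIL_COLUMN] or "", key) in suppressed:
            removed += 1
            continue
        writer.writerow(row)
    return out.getvalue(), removed


# Constructed sample data, not real users.
KEY = b"constructed-demo-key"
SUPPRESSED = {email_digest("bob@example.com", KEY)}
SAMPLE = (
    "email,first_name,department\n"
    "alice@example.com,Alice,Finance\n"
    " Bob@Example.com ,Bob,Sales\n"
    "carol@example.com,Carol,IT\n"
)

if __name__ == "__main__":
    cleaned, removed = filter_user_file(SAMPLE, SUPPRESSED, KEY)
    print(f"removed {removed} forgotten user(s)")
    print(cleaned, end="")
```

The digest of a user's email would be added to the suppression list at the time the Forget request is processed, so that later exports from the HR source cannot reintroduce the record.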
Forgotten Users Re-Registering
If a forgotten/erased user chooses to re-register, they would be able to create a new account using the same email that was forgotten (our system will not recognize their email or employee ID or nameID as having previously registered). Do not use Forget to handle a user that needs to be stopped from accessing your program (such as a separated employee). We recommend using Block & Demote (without Forget) to stop a user from accessing the program.
What Data Does Firstup Collect?
Please review the attached spreadsheet for more information about the data we collect on each user. For any definitions for metrics you are unsure about, refer to our Measure Glossary.