GDPR question

eoin ryan

Hi Folks

Appreciate if someone can tell me if this is GDPR compliant....

I'm developing an app that will collect individual weekly data. Lets call it their weekly scores

This data will then be transfered anonymously to a group page that collects the same data and scores and pro rata it as a group weekly score total.
Example if five individuals give a score of 6/10 and five give a score of 8/10 then the group score will be 7/10

There is no way of knowing who gave what score as they automatically update in the group page with the group scores.

Are there any GDPR rules being broken here?

Thanks in advance

GerardKeating

eoin ryan wrote: »

This data will then be transfered anonymously to a group page

Define "anonymously" in this context please. Could you (as the developer) figure out whom send the data, and if not, how would you prevent the same person sending multiple "scores".

Would the "scores" fall under any catagory of "sensitive data"?

eoin ryan

Thanks Gerard for response

if they are part of a group they will get a code to allow them to use the app.
That will also open them up to the group page.
When they submit their scores it will automatically populate the group page. So one page bounces the info to the other

I'm not the developer of the app (on the tech side of things) - I'm the customer (probably more accurate way to describe myself)

I have asked the developer to create the app in such a way that the neither i as the super user or an adminsitrator of the group (there will be one) can see who is submitting the data to the group scores

Information would include questions ranked out of 10 for the week such as
Rate your quality of sleep
Rater you quality of nutrition
I do ask for their weight
Number of days off work

I guess if depends if people think this is 'sensitive data' and some might. Which is why when pooled together - they may not care.

I should mention that they will know that their data will be pooled into a group score before they partake.

Do you see any GDPR holes in this?

Thanks

hullaballoo

The reality is that with GDPR, it's pretty safe to assume you are collecting personal data and mitigate the risk under GDPR by properly developing a data privacy policy and consent forms in line with that rather than trying to pre-emptively lawyer a way around it. Personal data is broadly enough defined that it captures almost all information you collect on individuals. If I understand you, the fact that this is later aggregated into group data is good but doesn't obviate the need to have relevant regulatory notices/consent forms under GDPR imo.

I have to say that it sounds like you are going out of your way to ensure you are not needlessly collecting personal data that goes beyond what is required to deliver a service through your app, which is commendable and what GDPR is aimed at in large part. You can point this out in the privacy policy/GDPR notice and highlight it on whatever consent forms you build in. Users may or may not appreciate it but the DPC will appreciate it if her office ever gets involved (unlikely).

It is not rocket science to draft up something on this. Make sure you set out clearly what data you are collecting, how this is processed and for what reason.

eoin ryan

Thanks for reply

I am making an effort to protect peoples data because I don't want them to be turned off participating. That would kill the idea

What the app will also do is show them how they are tracking week on week verses the group scores. So they can see if they are above or below average in quality of sleep for example....

The grand scheme is that the employer (who will pay for this) can see how the employees are doing (on average) week on week and everyone else can see how they sit verses their peers. The information is shared and open for the group to see

A win win I hope.....

So i guess transparency is key and king