Learn-to-send-email-via-google-script-html-no-server: Is Storing (Personal) Data in a Google Spreadsheet GDPR Compliant?

Created on 29 Mar 2018  ·  5Comments  ·  Source: dwyl/learn-to-send-email-via-google-script-html-no-server

Google Spreadsheets are a _great_ way of capturing, analysing and sharing data within a team.
Sadly there are _several_ major drawbacks of using GSheets to capture form data:

  • Data is stored by Google on their Servers in the US.
  • People ("users") cannot _see_ the (personal) data that they have submitted
  • People ("users") cannot _change_ or request deletion of their data (_i.e. GDPR compliance_)
  • GSheets makes it (_too_) easy to share (large amounts of) data
  • GSheets makes it (_too_) easy to "Make a Copy" of sheet(s) at which point any "control" of the data is lost.
    _None_ of these points is _communicated_ to end-users when they are filling in an HTML form.

I think we should add a GDPR "disclaimer" at the _Top_ of the tutorial
advising people to read: https://cloud.google.com/security/gdpr
and _understand_ that they are _personally_ responsible for the safekeeping of any personal data
they collect and store.
And that in _addition_ to the data _collection_ form,
they need a mechanism to allow people to contact them
in order to _remove_ their data from their spreadsheet and any _other_ retrieval systems.
The data collection spreadsheet should be treated with the same (_if not more_)
respect as your _own_ personal/credit card details.
Don't share it with anyone you would not trust with your own credit card.

chore discuss question technical

Most helpful comment

Agreed, and thank you for getting this awesome tutorial out there, it has made a HUGE impact ! :)

All 5 comments

I agree, a disclaimer cannot hurt, granted the legal actions someone could take against the project are minimal at best. The biggest risk on the project's end may be the example/demo page, since we currently have data that users can submit. We could add disclaimers, consent, or just not keep it saved.

For other people, these resources sound great! While only the EU will have these stricter measurements, everything else is good to practice in theory.

FYI, we no longer save any user data. So we are GDPR-compliant. :laughing: #209

We should still add a tagline disclaimer for others to learn about when using the form.

I considered adding this to my current branch to update the readme, but I was unsure what phrasing we wanted to use and how best to update our readme in other languages, see #271 for discussing concerns around that.

Personally, I feel like we could streamline the readme/tutorial quite a lot, but the more we add the easier it is for people to miss things we have been adding like FAQ's or skipping over steps, etc. If we add something here, I would advise it be brief with just a heads up on GDPR and a link, that's about it. I don't think we are liable for what people do with this but rather we want to be nice and give them resources they need to hopefully make good decisions.

@mckennapsean thanks again for adding the GDPR warning to the README.md 👍
When we first captured and published this tutorial we _never_ thought it would be this _popular_! 😮
With so many people using it, it's the _responsible_ thing to do (_to inform people about the need to protect the data they are collecting..._), so thanks! ✨

Agreed, and thank you for getting this awesome tutorial out there, it has made a HUGE impact ! :)

Was this page helpful?
0 / 5 - 0 ratings

Related issues

eleosa picture eleosa  ·  4Comments

vlknlvnt picture vlknlvnt  ·  4Comments

onurusluca picture onurusluca  ·  4Comments

austinjupiter picture austinjupiter  ·  3Comments

ThomasSalty picture ThomasSalty  ·  4Comments