Is Storing (Personal) Data in a Google Spreadsheet GDPR Compliant? #217

Closed
nelsonic opened this issue Mar 29, 2018 · 5 comments

@nelsonic
Member

Google Spreadsheets are a great way of capturing, analysing and sharing data within a team.
Sadly there are several major drawbacks of using GSheets to capture form data:

  • Data is stored by Google on their Servers in the US.
  • People ("users") cannot see the (personal) data that they have submitted
  • People ("users") cannot change or request deletion of their data (i.e. GDPR compliance)
  • GSheets makes it (too) easy to share (large amounts of) data
  • GSheets makes it (too) easy to "Make a Copy" of sheet(s) at which point any "control" of the data is lost.

None of these points is communicated to end-users when they are filling in an HTML form.

I think we should add a GDPR "disclaimer" at the top of the tutorial
advising people to read: https://cloud.google.com/security/gdpr
and understand that they are personally responsible for the safekeeping of any personal data
they collect and store.
And that in addition to the data collection form,
they need a mechanism to allow people to contact them
in order to remove their data from their spreadsheet and any other retrieval systems.
The data collection spreadsheet should be treated with the same (if not more)
respect as your own personal/credit card details.
Don't share it with anyone you would not trust with your own credit card.

@mckennapsean
Collaborator

I agree, a disclaimer cannot hurt, granted the legal actions someone could take against the project are minimal at best. The biggest risk on the project's end may be the example/demo page, since we currently have data that users can submit. We could add disclaimers, consent, or just not keep it saved.

For other people, these resources sound great! While only the EU will have these stricter measurements, everything else is good to practice in theory.

@mckennapsean
Collaborator

FYI, we no longer save any user data. So we are GDPR-compliant. 😆 #209

We should still add a tagline disclaimer for others to learn about when using the form.

@mckennapsean
Collaborator

I considered adding this to my current branch to update the readme, but I was unsure what phrasing we wanted to use and how best to update our readme in other languages; see #271 for discussing concerns around that.

Personally, I feel like we could streamline the readme/tutorial quite a lot, but the more we add, the easier it is for people to miss things we have been adding like FAQs or skipping over steps, etc. If we add something here, I would advise it be brief with just a heads up on GDPR and a link; that's about it. I don't think we are liable for what people do with this but rather we want to be nice and give them resources they need to hopefully make good decisions.

nelsonic added a commit that referenced this issue Feb 19, 2019
Add a GDPR note at the top of the README, addresses #217
@nelsonic
Member Author

@mckennapsean thanks again for adding the GDPR warning to the README.md 👍
When we first captured and published this tutorial we never thought it would be this popular! 😮
With so many people using it, it's the responsible thing to do (to inform people about the need to protect the data they are collecting...), so thanks! ✨

@mckennapsean
Collaborator

mckennapsean commented Feb 23, 2019

Agreed, and thank you for getting this awesome tutorial out there, it has made a HUGE impact! :)
