Do your website and its forms comply with the GDPR?
Posted on Tuesday 5th December 2017
How we can help your website and contact forms, and the processing and storage behind them, become compliant with the General Data Protection Regulation (GDPR), which comes into effect on 25th May 2018.
This is a continuation of our previous blog, GDPR and what it means for your Websites and Forms; if you have not read that blog yet you may want to take a look at it first.
Steps that need to be taken to ensure your website and its forms comply with the GDPR
1. Do you need to store contact form submissions?
If you don't need a record of the data collected via your forms, don't store the data. This eliminates the need to comply with the GDPR. This is unlikely to be a good solution for anyone: the purpose of a form is to collect data, and having a record of each submission and access to the data within it is critical. Even just sending the contact form to an email address requires you to comply with the GDPR; it does not only affect personal data that is submitted to a database or other system/application.
2. Request Consent
Informing the user that a form is going to collect personal data and requesting their consent is achieved by adding the following to your contact forms:
Request Consent Part 2: A tickbox that must be ticked before the form is allowed to submit, requesting consent: "I consent to having ABC Company collect my details".
Age of Consent Considerations
In addition to the above, you may need to request parental consent if you are providing a contact form to be used by children/minors. At the time of writing, a minor is defined as someone under the age of 16; this may change, as the age up to which someone is classified as a minor has not been agreed by all EU member states and varies between 13 and 18. In principle the age of 16 has been specified, however the UK and Belgium would like to lower the age of consent to 13 years.
Request Consent Part 2 Amendment: Part 2 would need its wording updated to something along the lines of the following: “I am 16 or older and I consent to having ABC Company collect my details”.
Parental Consent Part 3: Where the form is being completed by someone under the age of 16, parental consent would need to be requested via a tickbox with wording along the lines of: “I am the parent/guardian and I consent to having ABC Company collect my child's details”.
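As an added example (this is not code from the original post or from our forms), the following JavaScript checks that a submission carries one of the two consent statements above before it is accepted, and records exactly which statement was agreed to and when, so you can later show what consent you hold for that person. The field names `consentAdult` and `consentParent`, and the function names, are assumptions; the wording is the suggested text from Parts 2 and 3.

```javascript
// Added example, not code from the original post. Field names
// (consentAdult, consentParent) are assumptions; the statement text follows
// the post's suggested wording for Part 2 (amended) and Part 3.

const CONSENT_TEXT = {
  consentAdult: 'I am 16 or older and I consent to having ABC Company collect my details',
  consentParent: "I am the parent/guardian and I consent to having ABC Company collect my child's details",
};

// HTML checkboxes post "on" when ticked and are absent when not; a JSON client
// may send true/false. Anything else counts as not ticked.
function isTicked(value) {
  return value === 'on' || value === true;
}

// Validate the consent part of a submission. Returns { ok, errors, consent }.
// `consent` lists the statement(s) the submitter agreed to, with a timestamp,
// ready to be stored alongside the submission.
function validateConsent(fields, now = new Date()) {
  const agreed = Object.keys(CONSENT_TEXT).filter((name) => isTicked(fields[name]));
  const errors = [];
  if (agreed.length === 0) {
    errors.push(
      'Please tick the consent box (or, if you are under 16, ask a parent/guardian to tick theirs).'
    );
  }
  return {
    ok: errors.length === 0,
    errors,
    consent: agreed.map((name) => ({ statement: CONSENT_TEXT[name], givenAt: now.toISOString() })),
  };
}

// Browser side: block the submit and show the message when consent is missing.
// The server must run validateConsent again on what it receives, because a
// browser-side check can be skipped by anyone posting the form directly.
function attachConsentCheck(form) {
  form.addEventListener('submit', (event) => {
    const fields = Object.fromEntries(new FormData(form).entries());
    const result = validateConsent(fields);
    if (!result.ok) {
      event.preventDefault();
      window.alert(result.errors.join('\n'));
    }
  });
}
```

`validateConsent` is deliberately free of browser APIs so the same function can be loaded in the page (via `attachConsentCheck`) and on the server; only the server's answer decides whether the submission is stored.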
3. Organise User Data and make it Accessible
You must be able to provide a user with all the personal data you hold on them on request, and you must also be able to delete all the personal data you hold on them on request. The responsibility for being able to associate submitted data with the person who submitted it falls to you.
We will work with you to make this process as simple as possible. First we need to identify where users' personal data is stored; this data should be kept in the minimum number of places to make this easier. Currently your contact form submissions may be stored in the following places: your site's database, your email client(s), your backups, your internal CRM (or similar), our backup database and our forms email backup account.
To comply with the GDPR, we recommend that users' personal data is stored only in the database that maintains your website. When someone submits your contact form, rather than sending all the personal data within the email, an email is generated telling you a contact form has been submitted and that you need to log into your website's admin area to access it. If you need the personal data to be passed to your CRM or any other system, this is fine as long as you make the user aware and you have a way of keeping the data organised and accessible (we are unable to help with this; you will need to contact the provider of that system for help with making it GDPR compliant).
We will no longer be able to store a backup of your contact forms in our database or backup email account.
4. Allow users to request what data you have collected on them to view and/or delete
Part of GDPR compliance requires that you are reachable and responsive to users' requests about the data you store on them. They should be able to request to view or delete the data you hold. We recommend this is handled by none other than a form, with consent that you will be requesting they submit personal information that you will store, of course!
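As an added example covering steps 3 and 4 (not code from the original post or from our own forms system), the following JavaScript keeps submissions in a single store keyed by the submitter's email address, generates the owner notification without any personal data in it, and answers view/delete requests that arrive through the data-request form. The admin URL, the field names, the `verified` flag on a request and the in-memory `Map` standing in for your website's database are all assumptions.

```javascript
// Added example, not the agency's or the original post's code. ADMIN_URL is a
// placeholder, and the Map stands in for the website database (the single
// place personal data should live under the recommendation above).

const ADMIN_URL = 'https://example.com/admin/submissions'; // placeholder, not a real address

// Normalise the identifier used to link submissions to a person, so a later
// request from "Jane@Example.com " finds the same records as the original submit.
function subjectKey(email) {
  return String(email).trim().toLowerCase();
}

class SubmissionStore {
  constructor() {
    this.submissions = new Map(); // id -> record
    this.nextId = 1;
  }

  // Store the submission (with the consent record gathered at submit time) and
  // return the notification to email the site owner. The notification carries
  // no personal data: only the submission id and where to log in to view it.
  record(fields, consent = [], now = new Date()) {
    const id = this.nextId++;
    this.submissions.set(id, {
      id,
      subject: subjectKey(fields.email),
      fields: { ...fields },
      consent,
      receivedAt: now.toISOString(),
    });
    return {
      title: `New contact form submission #${id}`,
      body: `A contact form was submitted on ${now.toISOString()}. Log in to view it: ${ADMIN_URL}/${id}`,
    };
  }

  // Everything held about one person, for a "what data do you hold on me" request.
  exportFor(email) {
    const key = subjectKey(email);
    return [...this.submissions.values()].filter((r) => r.subject === key);
  }

  // Delete everything held about one person; returns how many records were removed.
  eraseFor(email) {
    const key = subjectKey(email);
    let removed = 0;
    for (const [id, r] of this.submissions) {
      if (r.subject === key) {
        this.submissions.delete(id);
        removed += 1;
      }
    }
    return removed;
  }
}

// Handle a request posted through the data-request form. Data is only released
// or deleted once the requester has proven they control the email address
// (request.verified, e.g. set after they click a link sent to that address);
// otherwise anyone could pull or wipe another person's submissions by typing
// in their email.
function handleSubjectRequest(store, request) {
  if (request.verified !== true) {
    return { action: request.action, status: 'pending', reason: 'confirm ownership of the email address first' };
  }
  if (request.action === 'view') {
    return { action: 'view', status: 'done', records: store.exportFor(request.email) };
  }
  if (request.action === 'delete') {
    return { action: 'delete', status: 'done', removed: store.eraseFor(request.email) };
  }
  throw new Error(`Unknown request action: ${request.action}`);
}
```

The owner's email never contains the submitted details, so email clients and their backups drop out of the list of places personal data lives; a CRM fed from the store would need the same export and erase operations of its own, as the post notes.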
We hope this document gives you an understanding of how the GDPR affects your website and forms. Our intention is to inform you of your requirements and where we can help. We want all our clients to be able to move to GDPR compliance as easily as possible. The information contained within this email is as accurate as possible. If you have any questions or queries, do not hesitate to ask. We may not have the answers to all your questions, but if they are specifically to do with your website and the forms on it, there is a lot we should be able to answer.