Does your website and its forms comply with the GDPR?

Posted on Tuesday 5th December 2017

  • GDPR

How we can help your website and its contact forms, together with the processing and storage behind them, become compliant with the General Data Protection Regulation (GDPR), which comes into effect on 25th May 2018.

This is a continuation of our previous blog, GDPR and what it means for your Websites and Forms; if you have not read that blog yet, you may want to take a look at it first.

 

Steps that need to be taken to ensure your website and its forms comply with the GDPR

1. Do you need to store contact form submissions?

If you don't need a record of the data collected via your forms, don't store the data; with nothing stored, there is nothing the GDPR requires you to protect. This is unlikely to be a good solution for anyone: the purpose of a form is to collect data, and having a record of the submission and access to the data within it is critical. Even simply sending the contact form to an email address requires you to comply with the GDPR; the regulation does not only cover personal data that is submitted to a database or other system/application.
 

2. Request Consent

This is achieved by making the user aware that the form is collecting personal data with the intent to store it, and then requesting explicit consent. You are also responsible for letting the user know how the data will be stored and used. Check the privacy policy on the website and make sure it includes a statement informing the user that data is being collected, what data is collected, and how, where and for what purpose. Once that is confirmed to be in the privacy policy, the policy can be used to fully disclose your data collection and storage practices: a link to the privacy policy from the place where you request consent is all you need.

Informing the user that a form is going to collect personal data, and requesting consent, is achieved by adding the following to your contact forms:

Request Consent Part 1: Add text such as the following to your forms: "This form collects your name and email so that we can add you to our newsletter list for updates and new services. Check our Privacy Policy for all the information on how we store, protect and manage your submitted data".

Request Consent Part 2: A tickbox that must be ticked before the form is allowed to submit, requesting consent: "I consent to having ABC Company collect my details".

Age of Consent Considerations
In addition to the above, you may need to request parental consent if you are providing a contact form to be used by children/minors. At the time of writing, a minor is defined as someone under the age of 16. This may change, as the age up to which someone is classified as a minor has not been agreed by all EU member states and varies between 13 and 18: in principle the age of 16 has been specified, but the UK and Belgium would like to lower the age of consent to 13 years.

Request Consent Part 2 Amendment: Part 2 would need its wording updated to something along the lines of: “I am 16 or older and I consent to having ABC Company collect my details”.

Parental Consent Part 3: Where the form is being completed by someone under the age of 16, parental consent would need to be requested via a tickbox with wording along the lines of: “I am the parent/guardian and I consent to having ABC Company collect my child's details”.
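As an added example (not code from the original post or from the agency that wrote it), the following shows how the Part 1 notice and the Part 2 and Part 3 tickboxes can be emitted as form HTML and then checked again on the server when the form is posted. The field names `consent`, `parentalConsent` and `consentVersion`, the privacy policy URL and the version label are assumptions of the example; the wording is taken from the post.

```javascript
// Added example: not code from the original post. It emits the consent notice and
// tickboxes described in Request Consent Parts 1 to 3 and re-checks them on the
// server. Field names (consent, parentalConsent, consentVersion), the company
// name, the privacy policy URL and the version label are assumptions.

const COMPANY = "ABC Company"; // placeholder company name used in the post

// Exact wording shown beside each tickbox, with a version label so the record of
// a submission can say which statement was agreed to.
const CONSENT_TEXT = {
  version: "2017-12-v1", // constructed version label
  adult: `I am 16 or older and I consent to having ${COMPANY} collect my details`,
  parental: `I am the parent/guardian and I consent to having ${COMPANY} collect my child's details`,
};

// HTML for the consent section of a form: the Part 1 notice linking to the privacy
// policy, the Part 2 and Part 3 tickboxes, and the version of the wording shown.
// Either tickbox may satisfy the requirement, so neither carries `required`;
// the "one of the two" rule is enforced by validateConsent() on the server.
function consentFieldsHtml(privacyPolicyUrl) {
  return [
    `<p>This form collects your name and email so that we can add you to our newsletter list ` +
      `for updates and new services. Check our <a href="${privacyPolicyUrl}">Privacy Policy</a> ` +
      `for all the information on how we store, protect and manage your submitted data.</p>`,
    `<label><input type="checkbox" name="consent" value="yes"> ${CONSENT_TEXT.adult}</label>`,
    `<label><input type="checkbox" name="parentalConsent" value="yes"> ${CONSENT_TEXT.parental}</label>`,
    `<input type="hidden" name="consentVersion" value="${CONSENT_TEXT.version}">`,
  ].join("\n");
}

// Server-side check of a parsed form body (e.g. a URL-encoded POST). An unticked
// checkbox is simply absent from the body, so the test is presence with the
// expected value. Browser-side validation alone is not sufficient; the server
// must make the same check before the submission is stored.
function validateConsent(body) {
  const errors = [];
  const adult = body.consent === "yes";
  const parent = body.parentalConsent === "yes";
  if (!adult && !parent) {
    errors.push("Consent is required: tick the 16-or-older box, or the parent/guardian box when submitting a child's details.");
  }
  if (body.consentVersion !== CONSENT_TEXT.version) {
    errors.push("The consent statement has changed since the form was loaded; please reload and tick it again.");
  }
  if (errors.length > 0) return { ok: false, errors, consentRecord: null };
  return {
    ok: true,
    errors,
    // What was agreed, by whom and when: stored alongside the submission itself.
    consentRecord: {
      givenBy: parent ? "parent/guardian" : "data subject",
      statement: parent ? CONSENT_TEXT.parental : CONSENT_TEXT.adult,
      version: CONSENT_TEXT.version,
      givenAt: new Date().toISOString(),
    },
  };
}
```

Storing the `consentRecord` next to the submission means that, when a user later asks what you hold on them, you can also show exactly which statement they agreed to and when.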
 

3. Organise User Data and make it Accessible

You must be able to provide a user with all the personal data you hold on them on request, and you must also be able to delete all of that data on request. The responsibility for associating submitted data with the person who submitted it falls to you.

We will work with you to make this process as simple as possible. First we need to identify where users' personal data is stored; this data should be held in the minimum number of places to make requests easy to fulfil. Currently your contact form submissions may be stored in the following places: your site's database, your email client(s), your backups, your internal CRM (or similar), our backup database and our forms email backup account.

To comply with the GDPR, we recommend that users' personal data is stored only in the database that runs your website. When someone submits your contact form, rather than sending all the personal data within the email, an email is generated telling you that a contact form has been submitted and that you need to log into your website's admin area to access it. If you need the personal data to be passed to your CRM or any other system, this is fine as long as you make the user aware and you have a way of keeping the data organised and accessible (we are unable to help with this; you will need to contact the provider of that system for help with making it GDPR compliant).

We highly recommend that contact forms always collect an email address whenever they collect personal data of any type. Submissions can then easily be searched by email address, which allows you to pull together all the submissions from a given user and either provide an export on request or delete them on request. Personal data stored in emails can be searched and dealt with in the same way. Your privacy policy should also state that this is how you handle these requests.

We will no longer be able to store a backup of your contact forms in our database or backup email account.
 

4. Allow users to request what data you have collected on them to view and/or delete

Part of GDPR compliance requires that you are reachable and responsive to users' requests about the data you store on them. They should be able to request to view or delete the data you hold. We recommend this is handled by none other than a form, with consent that you will be requesting they submit personal information that you will store, of course!

A simple consent withdrawal / request-to-view form should be available from your privacy policy page (which is linked to by every form that collects personal data). These requests should be submitted to your website database, and an email notification sent to you that someone has made a request that needs to be actioned.


 

That's it!

We hope this document gives you an understanding of how the GDPR affects your website and forms. Our intention is to inform you of your requirements and of where we can help. We want all our clients to be able to move to GDPR compliance as easily as possible. The information contained within this email is as accurate as possible. If you have any questions or queries, do not hesitate to ask. We may not have the answers to all your questions, but if they are specifically to do with your website and the forms on it, there is a lot we should be able to answer.