Is your business completely geared up for GDPR?
GDPR, the General Data Protection Regulation, is the new EU law that protects the personal data of individuals in the EU, and it has got the whole world talking and scrambling.
Of course, nobody wants to be fined, especially when we’re talking about humongous amounts of money.
Non-compliance with GDPR can cost you up to 4% of annual global turnover or €20 million, whichever is greater.
Yup, it’s that serious.
All businesses have been meticulously auditing their processes, policies, employee preparedness, websites, and tools, making sure that they are GDPR compliant as soon as possible.
You’re probably also working on yours. Or maybe you’re already down to the final review.
But have you checked on the super important web property? The one that serves as the first point of contact for your clients’ personal data?
Yup, I’m talking about your online forms.
Think about your newsletter subscription forms, payment forms, customer info sheets, and even your signup forms. These are affected by GDPR too.
As an online form builder and your data processor, we at EmailMeForm strive to protect our product and you, our clients.
We have been working on numerous items that will make it easy for everyone to be GDPR compliant, but here’s the 101 on the online forms aspect.
Why are online forms affected (and how EMF can help you comply)
GDPR requires that your data subjects (any individual in the EU whose personal data you collect, not only EU citizens) be granted specific rights. You use online forms to collect that personal data. That’s why they’re affected.
Now, when it comes to data collection, processing, and storage, below are the said rights and the respective ways on how EMF can handle GDPR for forms.
Right to access
Data subjects should be able to request and obtain confirmation of whether personal data concerning them is being processed. If it is, the following should be specified clearly: what data, how it is processed, why, where it is stored, and for what purpose.
Also, a copy of that data must be provided to them in a commonly used electronic format on request, free of charge for the first copy.
EMF users have access to Data Manager where you can search, email, export, or print a specific form entry.
Right to rectification
Data subjects should be able to request a change on inaccurate personal data concerning them without undue delay.
EMF users have the control to modify form entries in the Data Manager.
Right to be forgotten
Data subjects should be able to withdraw consent and request permanent deletion of their personal data when they ask for it.
Aside from this subject right, GDPR’s storage limitation principle also states that data cannot be kept indefinitely. This means that data you have gathered must expire and be deleted once it is no longer needed for the purpose it was collected for.
EMF users have total control of their form entries through Data Manager. They are equipped to modify and delete certain form entries.
Which of my forms are affected?
The rule is: all forms that collect personal data (what US frameworks call personally identifiable information, or PII) are affected.
So any form collecting a data subject’s name, address, email, credit card number, or any other information relating to an identified or identifiable person is affected.
As a form owner, you should be able to tell which data is identifiable and which is not. Signup forms are obviously affected, but truly anonymous quizzes are most likely not.
However, GDPR’s definition of personal data is any information relating to an identified or identifiable person.
This is where it gets tricky. “Any information” could mean cookies, occupation, IP address, health-related data, or basically anything that can be tied back to a person. That’s why it’s better not to collect such data if you don’t need it.
It is best to be vigilant and practice GDPR compliance on all of your online forms.
On making your EMF forms GDPR compliant
Now that you know these, let’s get to the point.
How can you make your EMF forms ready for GDPR? Continue scrolling to find out.
Disclaimer: These form tips are provided as general information only and are not meant to replace legal advice. Applying them does not ensure that your data collection via web forms complies with the GDPR. We strongly recommend consulting your legal counsel to understand the full impact of GDPR on your data collection, processing and storage.
GDPR Form Tip#1. Update your forms with consent tick boxes.
The GDPR rule that affects signup forms the most is purpose limitation: data cannot be used for purposes other than those stated when it was collected.
That’s why consent tick boxes are highly important updates that you should add to your signup forms. They are an easy way to get proof that your data subjects have:
- Given you the right to receive, modify, and store their personal data
- Given consent as the holder of parental responsibility to collect and process the data of children under 16 (member states may set a lower age, down to 13)
- Agreed to your Terms of Use and Privacy Policy
- Given you permission to send them newsletter emails or promo alerts
For signup forms, a single “I consent” checkbox, unticked by default and placed next to a plain statement of what you will do with the data, will do. A pre-ticked box is not valid consent under GDPR.
However, if you have newsletters or promo SMS alerts that you wish to send out to subscribers, you will want a separate, unticked checkbox for each one and to specify the means of communication.
Avoid bundling several consents. That is asking the user to consent to two different things with a single checkbox. For example:
Do not bundle several consents in your form.
This is not valid consent under GDPR.
For forms that collect more user information, like application forms, it is recommended to obtain explicit consent from the data subject for the collection. Below is an example of how you can do this.
Now if you use automated decision-making (including profiling) on the submitted data, GDPR requires you to disclose it on the form and, where consent is your lawful basis for it, ask the data subjects to confirm that they’re okay with it. Just add this note and checkbox to your application form.
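Consent you cannot demonstrate later is worth little: GDPR puts the burden of proof on you. The following added example (not EmailMeForm code; the field names, the email key and the policy version string are assumptions) shows the server-side half of the tips above: every purpose is read from its own checkbox, a required one that is missing rejects the submission, a bundled field such as `consent_all` is refused, and the result is a record of what wording was shown, which boxes were ticked and when, with withdrawals logged alongside rather than overwriting the original grant.

```python
"""Per-purpose consent validation and an audit record for a form submission.
Hypothetical example: field names below are assumptions, not form-builder IDs."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# One checkbox field per purpose. Each box must render unticked: the server
# cannot tell a pre-ticked box from a deliberately ticked one after the fact.
PURPOSE_FIELDS: Dict[str, str] = {
    "consent_processing": "store and process the details submitted in this form",
    "consent_newsletter": "send the email newsletter",
    "consent_sms": "send promotional SMS alerts",
}

# Values browsers and form builders send for a ticked box. Anything else,
# including an absent key (unticked boxes are not submitted at all), is "no".
TRUTHY = {"on", "yes", "true", "1"}


class ConsentError(ValueError):
    """Raised when a consent the form requires was not given or is malformed."""


@dataclass
class ConsentRecord:
    subject: str                   # who gave consent (email used as the key here)
    form_id: str
    policy_version: str            # version of the privacy policy / consent text shown
    collected_at: str              # ISO-8601 UTC timestamp
    given: Dict[str, bool]         # purpose -> ticked or not
    purpose_text: Dict[str, str]   # exact wording shown next to each box
    withdrawn_at: Dict[str, str] = field(default_factory=dict)


def checkbox_value(raw: Optional[str]) -> bool:
    """Only an explicit affirmative value counts; missing means unticked."""
    return raw is not None and raw.strip().lower() in TRUTHY


def validate_consents(submission: Dict[str, str], required: List[str],
                      policy_version: str, form_id: str,
                      now: Optional[datetime] = None) -> ConsentRecord:
    """Read every purpose field separately and fail if a required one is missing.

    Optional purposes (newsletter, SMS) may legitimately be unticked; the
    record still notes them as False so later mailings can be checked."""
    unknown = [k for k in submission
               if k.startswith("consent_") and k not in PURPOSE_FIELDS]
    if unknown:
        # e.g. "consent_all": one tick standing in for several purposes
        raise ConsentError(f"unrecognised (bundled?) consent field(s): {unknown}")
    given = {name: checkbox_value(submission.get(name)) for name in PURPOSE_FIELDS}
    missing = [name for name in required if not given.get(name)]
    if missing:
        raise ConsentError(f"required consent not given: {missing}")
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return ConsentRecord(subject=submission["email"], form_id=form_id,
                         policy_version=policy_version, collected_at=stamp,
                         given=given, purpose_text=dict(PURPOSE_FIELDS))


def may_contact(record: ConsentRecord, purpose: str) -> bool:
    """True only if the purpose was ticked and has not since been withdrawn."""
    return record.given.get(purpose, False) and purpose not in record.withdrawn_at


def withdraw(record: ConsentRecord, purpose: str,
             now: Optional[datetime] = None) -> ConsentRecord:
    """Log a withdrawal without erasing the original grant: you still need to
    show what was consented to, and when, for the period it was in force."""
    if purpose not in record.given:
        raise KeyError(purpose)
    record.withdrawn_at[purpose] = (now or datetime.now(timezone.utc)).isoformat()
    return record


if __name__ == "__main__":
    # Constructed sample submission, shaped like a form builder's POST body.
    sample = {"email": "alice@example.com",
              "consent_processing": "on", "consent_newsletter": "on"}
    rec = validate_consents(sample, ["consent_processing"], "privacy-2018-05", "signup")
    print(rec)
```

Store the record where your support team can find it by subject: a data subject request under Tip #2 then becomes a lookup, and a "why did you email me?" complaint can be answered from `given`, `purpose_text` and `withdrawn_at` rather than from memory.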
If you have forms that need other types of marketing consent, you should definitely check these comprehensive examples.
Adding these elements is simple and easy using EmailMeForm’s form builder. You can readily update your EMF forms to be GDPR compliant in just a couple of minutes:
Adding consent checkboxes on EMF
You can find the Checkbox form field under the BASIC section. Just drag it onto your form, remove the unnecessary options, and start editing.
Adding text under the consent checkbox on EMF
Just click the checkbox field in your form and add the explanatory text via the HTML portion of the checkbox field.
GDPR Form Tip#2. Create systems that will easily cater to form data requests.
No worries about catering to data subject access requests. You, as an admin of your EMF account, can search, view, modify, and delete the entries in your Data Manager.
The one area that you should also act on is keeping track of those requests and automating the process. We recommend having a system that lets you handle the requests in a systematic and documented manner, since GDPR expects you to respond within a month.
Obviously, we are suggesting a request form, which you can easily create using our tool.
Create a request form to help you track and act upon GDPR subject data requests.
You can build upon a simple template like this one and include information that you deem necessary like: name, email, data request (data modification, data access, data deletion), form subject, and an “additional information” text box.
GDPR Form Tip#3. Educate your team about your GDPR Data handling standards
If you have a team that handles personal data, it is best not only to educate them about GDPR in general, but to train them on how to execute your company’s standard GDPR procedures, like processing data subject requests.
GDPR Form Tip#4. Ensure form security at all times
We always recommend that you take security seriously on all your forms, especially if you’re collecting sensitive data, by:
- Turning on SSL (HTTPS) for all your forms, so submissions are not sent in the clear
- Using encryption on form fields that hold sensitive values
- Enabling the mask option so sensitive field values are not transmitted in notification emails
- Using passwords on sensitive forms
- Regularly reviewing form user management (who has what access to which data) and removing access that is no longer needed
_Note that some of the features mentioned on this guide are only available to higher plan users. Please see our Pricing Page or talk to us to find out which plan best suits your needs in making your online forms GDPR compliant._
And finally… (important reminder)
Making your online forms compliant does not guarantee full GDPR compliance.
It’s just one aspect of being GDPR compliant. There are other conditions that you have to comply with.
As an online form builder that has been in the industry for over 10 years, we have always been committed to protecting your privacy. This new data protection rule is just kicking that protection up a notch.
We have been diligently taking action (hint: new GDPR-related product updates and EMF custom plans). We’re confident that we can keep this privacy promise. You can read about how we’re GDPR-proofing our tool for you here.
In this compliance process, we want to be instrumental to your own GDPR transition as well.
So make sure to always check back to our blog (or your inbox if you’re already an EMF user). You can follow us on Facebook and Twitter so you won’t miss these exciting new updates.
Got more GDPR-related questions? We’ll be happy to answer them. Reach out to our support team at gdpr@emailmeform.com.