GDPR: Forms

The General Data Protection Regulation (GDPR) has been in effect for about 2 months now and I've seen both good and bad approaches to building GDPR compliant forms. In this post, I'll give some tips and tricks to guide you towards being compliant.

Does the GDPR apply to you? Probably! If you're based in the EU, then yes. If you're outside of the EU it becomes rather vague, but you can assume that it applies if you process any personal data of EU residents. In any case, the GDPR is a good thing! If you value the privacy of your customers as much as your own, see it as a set of guidelines!

Let's take a contact form where people can ask you a question about your product or services. There are a few questions you have to ask yourself that'll help you be compliant.

What is the minimal amount of data I need?

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

Art. 5.1 c

In terms of our contact form, this basically means that you should only ask for the information required to answer the question which is being asked. In general, that'll be a name and an e-mail address. Do you need to know the location of that person? Birthdate? Gender? Probably not, so don't ask for it.

Can I use the data for additional purposes?

With some exceptions, you generally can't. For our contact form, the purpose is to get an answer to the question(s) asked; you can't just run off to your marketing department with the newly acquired information.

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

Art. 5.1 b

If you want to use the data for additional purposes, like a newsletter, then that has to be an opt-in. A user has to explicitly opt in to a newsletter, which means you cannot check a "sign up for newsletter" checkbox by default!

How long can I keep the data?

You keep it until its purpose is fulfilled. For our contact form that is until the question is answered.

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

Art. 5.1 e

Does this mean you have to completely delete this data? No, but you have to remove or anonymize the bits and pieces that can lead to an identifiable subject.

I want to go a little further into that last part because it can be tricky. Let's say you have the following data from someone who used our contact form:

The e-mail address has to be scrapped no matter what; it can always lead to the identification of someone. The other fields, by themselves, may or may not lead to the identification of someone. For example, if you deleted all the data and kept only the company, then in theory, if only a single person works at that company, they could be identified.

If you kept the first and last name, in reality, there may be many people with the same name, but there could also be just one Mr. Foo Bar in the whole world.

The data can be valuable to you, even without personal data. You really don't need to delete everything - just enough to make sure that the remaining data can never lead to the identification of a person. In our data example, we may just want to keep all the questions and remove everything else. But wait! What's that? Mr. Foo Bar left his e-mail in the question field! It should be removed.

Because you never know what users enter in comment/question fields, automated anonymization of that data can be troublesome. In the case of our contact form, someone will always read and respond to submissions. That person should be responsible for making sure the personal data is correctly removed.

So either we delete the record completely or anonymize it. An example of anonymizing the data could be like the following:

Now, all that remains is F.B. who at one point asked for a price estimate for a landing page.

Always set maximum retention periods and automate the removal or anonymization of personal data older than x days. You don't want data floating around for longer than necessary.

Not every form is the same: you may want to keep records from one form for 30 days and another for 60 days. Keep a submission date and a maximum retention period per record in the database. When you later decide to keep records longer, the previous records aren't affected. This is important because those users agreed to the privacy policy at the time they submitted the form; they did not agree to your later change to keep their data longer.

I'd recommend versioning your privacy policy and keeping track of which version of the privacy policy each user agreed to. Example:

FirstName              Foo
LastName               Bar
Email                  foo.bar@gmail.com
Company                TheBestCompany
Question               ...
SubmittedAt            2018/06/22 15:00:00
MaxRetention           30
AgreedToPrivacyPolicy  true
PrivacyPolicyVersion   1.2
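To show how the anonymization, per-record retention and policy versioning described above fit together, here is an added example in Python. It is not code from the original post; the record layout mirrors the example table, the two sample submissions are constructed for illustration, and the e-mail pattern used to scrub the free-text question field is an assumption (it catches addresses like the one Mr. Foo Bar left in his question, but it does not replace the human review the post calls for).

```python
"""Added example: retention and anonymization for contact-form records.

Not code from the original post. Field names follow the post's example
table; the sample records and the e-mail regex are constructed assumptions.
"""
import re
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed pattern for e-mail addresses a user may have typed into the question.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass(frozen=True)
class Submission:
    first_name: str
    last_name: str
    email: Optional[str]
    company: Optional[str]
    question: str
    submitted_at: datetime
    max_retention_days: int        # stored per record: later policy changes leave it untouched
    agreed_to_privacy_policy: bool
    privacy_policy_version: str    # the policy text this user actually agreed to
    anonymised: bool = False


def to_initial(name: str) -> str:
    """'Foo' -> 'F.'; an empty name stays empty."""
    return f"{name[0].upper()}." if name else ""


def scrub_free_text(text: str) -> str:
    """Remove e-mail addresses left in the free-text question field."""
    return EMAIL_RE.sub("[e-mail removed]", text)


def needs_human_review(text: str) -> bool:
    """Cheap flag for a reviewer: free text still looks like it holds an address."""
    return EMAIL_RE.search(text) is not None


def anonymise(sub: Submission) -> Submission:
    """Strip direct identifiers (e-mail, company, full name); keep the question."""
    return replace(
        sub,
        first_name=to_initial(sub.first_name),
        last_name=to_initial(sub.last_name),
        email=None,
        company=None,
        question=scrub_free_text(sub.question),
        anonymised=True,
    )


def is_expired(sub: Submission, now: datetime) -> bool:
    """A record expires according to its own retention period, not a global one."""
    return now >= sub.submitted_at + timedelta(days=sub.max_retention_days)


def enforce_retention(records: List[Submission], now: datetime) -> List[Submission]:
    """Anonymise every record whose retention period has passed; keep the rest as-is."""
    return [
        anonymise(r) if is_expired(r, now) and not r.anonymised else r
        for r in records
    ]


# Constructed sample data (not from the original post).
SAMPLE = [
    Submission("Foo", "Bar", "foo.bar@gmail.com", "TheBestCompany",
               "Can I get a price estimate for a landing page? Mail me at foo.bar@gmail.com",
               datetime(2018, 6, 22, 15, 0), 30, True, "1.2"),
    Submission("Jane", "Doe", "jane@example.org", None,
               "Do you build web shops?",
               datetime(2018, 7, 20, 9, 30), 60, True, "1.3"),
]
NOW = datetime(2018, 8, 1)   # constructed "current time" for the sample run


def run_sample() -> List[Submission]:
    """Apply the retention rules to the sample data at NOW."""
    return enforce_retention(SAMPLE, NOW)


if __name__ == "__main__":
    for record in run_sample():
        print(record)
```

At the constructed "now" (2018-08-01), Mr. Foo Bar's 30-day record has expired: it is reduced to F. B. plus the question with the embedded address removed, while Jane Doe's 60-day record is left intact. Because each row carries its own retention period and policy version, raising the retention for new submissions never changes what happens to the older rows.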

Is the user aware of what happens to their data?

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

Art. 5.1 a

This means you must be transparent in the way you process someone's personal data.

If you use third-party software, like a customer support system that all the contact form information goes to, you should mention that in the privacy policy the user has to agree with.

Ideally, you shouldn't limit this information to the privacy policy but mention this on the contact form somewhere too. Why not add something like "Your question and contact details will be sent off to our support system where our awesome support team is ready to handle it with care and get right back to you!" above the submit button? It's completely transparent and leaves a good impression.

That's it for now, be sure to comment if you see any mistakes!