The General Data Protection Regulation (GDPR) has been in effect for about 2 months now and I've seen both good and bad approaches to building GDPR compliant forms. In this post, I'll give some tips and tricks to guide you towards being compliant.
Does the GDPR apply to you? Probably! If you're based in the EU, then yes. If you're outside of the EU it becomes rather vague, but you can assume that it applies if you process any personal data of EU residents. In any case, the GDPR is a good thing! If you value the privacy of your customers as much as your own, see it as a set of guidelines!
Let's take a contact form where people can ask you a question about your product or services. There are a few questions you have to ask yourself that'll help you be compliant.
What is the minimal amount of data I need?
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
Art. 5.1 c
In terms of our contact form, this basically means that you should only ask for the information required to answer the question which is being asked. In general, that'll be a name and an e-mail address. Do you need to know the location of that person? Birthdate? Gender? Probably not, so don't ask for it.
Can I use the data for additional purposes?
With some exceptions, you generally can't. For our contact form, the purpose is to get an answer to the question(s); you can't just run off to your marketing department with the newly acquired information.
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
Art. 5.1 b
If you want to use the data for additional purposes, like a newsletter, then that should be an opt-in option. A user has to explicitly opt in to a newsletter, which means you cannot check a "sign up for newsletter" checkbox by default!
How long can I keep the data?
You keep it until its purpose is fulfilled. For our contact form that is until the question is answered.
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
Art. 5.1 e
Does this mean you have to completely delete this data? No, but you have to remove or anonymize the bits and pieces that can lead to an identifiable subject.
I want to go a little further into that last part because it can be tricky. Let's say you have the following data from someone who used our contact form:
- First name: Foo
- Last name: Bar
- Company: TheBestCompany
- E-mail: firstname.lastname@example.org
- Question: I need a simple landing page with a newsletter sign up form, could you give me a rough price estimate? Call me +32233493084
The e-mail address is the most likely to lead to the identification of someone. The others, by themselves, may or may not lead to identification. For example, if you delete all the other data and keep only the company, then in theory, if only a single person works at that company, they could be identified.
If you kept the first and last name, in reality, there may be many people with the same name, but there could also be just one Mr. Foo Bar in the whole world.
The data can be valuable to you, even without personal data. You really don't need to delete everything - just enough to make sure that the remaining data can never lead to the identification of a person. In our data example, we may just want to keep all the questions and remove everything else. But wait! What's that? Mr. Foo Bar left his phone number in the question field! It should be removed.
Because you never know what users enter in comment/question fields, automated anonymization of data can be troublesome. In the case of our contact form, someone will always read and respond to submissions. They should be responsible for the personal data and make sure it is correctly removed.
So either we delete the record completely or anonymize it. An example of anonymizing the data could be like the following:
- First name: F
- Last name: B
- Company: xxx
- E-mail: xxxx
- Question: I need a simple landing page with a newsletter sign up form, could you give me a rough price estimate? Call me +32233xxxx
Now, all that remains is F.B. who at one point asked for a price estimate for a landing page.
Always set maximum retention periods and automate the removal/anonymisation of personal data older than x days. You don't want data floating around for longer than necessary.
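As an added example (not code from the original post), here is a small Python sketch of the anonymisation step described above together with an automated retention job; the record field names, the phone-number pattern and the retention rules are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed pattern: a run of 7+ digits with optional single separators,
# optionally preceded by "+", e.g. "+32233493084" or "0473 12 34 56".
PHONE_RE = re.compile(r"\+?\d(?:[ .\-()]?\d){6,}")

def redact_phone_numbers(text):
    """Mask phone numbers left in free text, keeping a 5-digit prefix as in the page's "+32233xxxx"."""
    def _mask(m):
        digits = re.sub(r"\D", "", m.group(0))
        plus = "+" if m.group(0).startswith("+") else ""
        return plus + digits[:5] + "xxxx"
    return PHONE_RE.sub(_mask, text)

def anonymise_record(rec):
    """Keep the question, reduce names to initials and replace company/e-mail with x's."""
    return {
        "first_name": rec["first_name"][:1],
        "last_name": rec["last_name"][:1],
        "company": "xxx",
        "email": "xxxx",
        "question": redact_phone_numbers(rec["question"]),
        "submitted_at": rec["submitted_at"],
        "answered": rec["answered"],
        "anonymised": True,
    }

def apply_retention(records, max_age_days, now=None):
    """Anonymise answered records (purpose fulfilled) and, as a hard cap, anything older than max_age_days."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    out = []
    for rec in records:
        expired = rec["submitted_at"] < cutoff
        if not rec.get("anonymised") and (rec["answered"] or expired):
            out.append(anonymise_record(rec))
        else:
            out.append(rec)  # already anonymised, or still open and within the retention period
    return out

# Constructed sample submission mirroring the page's Foo Bar example.
SAMPLE = {
    "first_name": "Foo", "last_name": "Bar", "company": "TheBestCompany",
    "email": "firstname.lastname@example.org", "answered": True,
    "submitted_at": datetime(2018, 6, 1, tzinfo=timezone.utc),
    "question": "I need a simple landing page with a newsletter sign up form, "
                "could you give me a rough price estimate? Call me +32233493084",
}
```

Run the retention job from a scheduled task so that records are anonymised without relying on whoever answered the question remembering to do it.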
Is the user aware of what happens to their data?
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
Art. 5.1 a
This means you must be transparent in the way you process someone's personal data.
That's it for now, be sure to comment if you see any mistakes!