Whether it’s a simple contact form on your website, a newsletter sign-up, or job applications handled through online forms, most of us use online forms somewhere on our websites. Forms are a practical way to gather data, but they can also be a GDPR compliance risk if not set up correctly.
A lot of the forms we see across the internet are not, strictly speaking, GDPR compliant. On rare occasions there’s no compliance effort at all. More often we find something that’s just a little short of perfect.
In this article we’ll look at three things to keep in mind when setting up your forms that will help you improve compliance and skip the fines.
Purpose of data collection
Are you making the purpose of your data collection clear on your forms?
Strictly speaking, you should provide some information about what you will do with the data provided.
This will help you comply with the GDPR principle of Lawfulness, fairness and transparency.
It will also help you fulfil your data subject’s right to be informed.
You will want to make this information clear to the data subject, so please avoid putting it in a tiny font or in a difficult-to-read colour.
Privacy information
Do you link to your privacy policy from your forms?
To further improve your compliance with the GDPR principle of Lawfulness, fairness and transparency and your data subject’s right to be informed, you will want to place a link to your detailed privacy policy near the form.
A good location would be at the top of the form, or next to the submit button.
Ability to withdraw consent
If you are relying on consent as the legal basis for processing the personal data collected by the form (for example, a form that collects names and email addresses for an email newsletter), you should also mention somewhere that the data subject can withdraw their consent at a later date.
For an email newsletter this could be as simple as saying “Unsubscribe at any time using the link in each email.”
Consent checkboxes
Are you using checkboxes in your form, for example to gather consent for marketing purposes?
This is an area where we see a lot of confusion. In many cases checkboxes are not even required, and in fact they complicate the form and your compliance efforts.
Let’s look at two examples to explain how and when checkboxes should be used.
Example 1 – Only collecting name and email for an email newsletter.
You are collecting a name and email address for an email newsletter. This is the sole purpose of the form. You explain how the data will be used, provide a link to the privacy policy and reference how consent can be revoked later.
In this case you do not need a checkbox.
Example 2 – Collecting data for a contact us form with the option to join marketing lists
You are collecting a name, email address and message from a website visitor. The information is part of your “contact us” form for general enquiries. At the bottom of the form you offer the data subject the chance to receive marketing information by email.
In this situation a checkbox is advised. The checkbox should not be pre-ticked, and it should not be mandatory to tick the box in order to submit the form. It should be clearly labelled with information about what extra processing will be applied if it is selected, as well as how to revoke consent.
Summary
In summary, while creating and setting up forms is easy, making them GDPR compliant can be difficult. We advise that you get someone trained in the GDPR rules to check any new forms you are creating. You may also wish to consult a GDPR consultant, the ICO or a lawyer if your needs are complex.
You can use our short checklist for each of your existing forms to help you improve your compliance:
- The form provides a notice about how the data provided will be processed. It includes information about the ability to revoke consent if we are relying on consent to process personal data.
- The form has a link to our privacy policy. The link is easy to read and is not hidden from view. The privacy policy contains detailed information about how we process personal data.
- The form only asks for the personal data that we require for our intended purposes.
- If we are relying on consent for processing for purposes other than the main purpose of the form (for example, inviting people to join our marketing email list), we use a checkbox to record consent for this. The checkbox is unticked by default and is not mandatory in order to submit the form.
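As an added example (not code from the original article), the script below runs the checklist above, and the two checkbox examples before it, against a form’s HTML markup. It is a small Node.js script with no dependencies; the two sample forms are constructed for illustration, and the attribute-matching helpers are deliberately simple rather than a full HTML parser. It can only check what the markup shows: a pre-ticked or mandatory consent checkbox, a missing privacy-policy link and a missing note on withdrawing consent. Whether the processing notice is accurate, or the data requested is actually the minimum needed, still needs a human review.

```javascript
// Checklist audit for contact-form markup (added example, not the article's own code).
// Finds the issues the article describes: pre-ticked or mandatory consent checkboxes,
// no privacy-policy link, and no note on how consent can be withdrawn.

// Pull every <input ...> tag out of the markup; attributes are all we need.
function inputTags(html) {
  return html.match(/<input\b[^>]*>/gi) || [];
}

// Read one attribute from a tag. Returns the value, "" for a bare boolean
// attribute such as `checked` or `required`, or null when it is absent.
function attr(tag, name) {
  const re = new RegExp(`\\b${name}(?:\\s*=\\s*("([^"]*)"|'([^']*)'|([^\\s>]+)))?`, 'i');
  const m = tag.match(re);
  if (!m) return null;
  return m[2] ?? m[3] ?? m[4] ?? '';
}

// Returns a list of findings; an empty list means the markup passed every check.
function auditFormHtml(html) {
  const findings = [];

  for (const tag of inputTags(html)) {
    if ((attr(tag, 'type') || '').toLowerCase() !== 'checkbox') continue;
    const name = attr(tag, 'name') || '(unnamed)';
    // Consent must be an affirmative act: no pre-ticked boxes.
    if (attr(tag, 'checked') !== null) findings.push(`checkbox "${name}" is pre-ticked`);
    // Consent for extra processing must not be a condition of submitting the form.
    if (attr(tag, 'required') !== null) findings.push(`checkbox "${name}" is mandatory`);
  }

  // The privacy policy should be linked from the form itself.
  if (!/<a\b[^>]*href=["'][^"']*privacy[^"']*["']/i.test(html)) {
    findings.push('no link to a privacy policy');
  }
  // Some mention of how consent can be withdrawn (e.g. an unsubscribe note).
  if (!/unsubscribe|withdraw/i.test(html)) {
    findings.push('no note on how to withdraw consent');
  }
  return findings;
}

// Constructed sample: the problems the article warns about, all in one form.
const NON_COMPLIANT_FORM = `
<form method="post" action="/contact">
  <label>Name <input type="text" name="name" required></label>
  <label>Email <input type="email" name="email" required></label>
  <label>Message <textarea name="message"></textarea></label>
  <label><input type="checkbox" name="marketing" checked required> Send me offers</label>
  <button type="submit">Send</button>
</form>`;

// Constructed sample: the "Example 2" contact form set up as the article advises.
const COMPLIANT_FORM = `
<form method="post" action="/contact">
  <p>We use your name, email address and message to answer your enquiry.
     See our <a href="/privacy-policy">privacy policy</a> for details.</p>
  <label>Name <input type="text" name="name" required></label>
  <label>Email <input type="email" name="email" required></label>
  <label>Message <textarea name="message"></textarea></label>
  <label><input type="checkbox" name="marketing">
    Also email me product news. Unsubscribe at any time using the link in each email.</label>
  <button type="submit">Send</button>
</form>`;

// Run both samples and report.
for (const [label, html] of [['non-compliant', NON_COMPLIANT_FORM], ['compliant', COMPLIANT_FORM]]) {
  const findings = auditFormHtml(html);
  console.log(`${label}: ${findings.length ? findings.join('; ') : 'no findings'}`);
}
```

The script reports four findings for the first sample (pre-ticked box, mandatory box, no privacy link, no withdrawal note) and none for the second. Because it only reads markup, treat a clean result as a starting point for review, not as proof of compliance.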
We hope this helped you improve your GDPR compliance. If you are using Google Forms within your organisation then you might want to check out our article which provides a deep dive on the GDPR compliance issues you may face when using Google Forms.