GDPR compliance can be intimidating at first. The headline fines for non-compliance seem eye-watering and there’s a lot of advice out there, some of it conflicting, so it can be hard to know where to start.
This article is aimed at explaining the issues involved and busting some of the myths to offer simple, practical advice ensuring that you can make your online forms GDPR compliant without too much fuss. We’ve had many years of optimizing form conversion at Zuko so we’ve come across most of the potential GDPR issues for forms and understand how to solve them.
However, if diving into the details of GDPR scares you, we’ve also summarised our main practical takeouts just below. If you use these guidelines as a starting point it should hold you in good stead. Read further if you need the full breakdown.
The General Data Protection Regulation (“GDPR”) is a piece of regulation aimed at protecting the privacy and data of European Union citizens. Billing itself as the toughest privacy and security law in the world, it was rolled out across the EU and European Economic Area in 2018. Its provisions include the rights of data subjects, the duties of data controllers and processors, transfers of personal data to countries outside the EU, supervisory authorities, and liabilities and penalties for breaches and infringements.
GDPR affects the whole of the European Economic Area (list of EEA countries here), so if your business is based in any of these countries you will definitely need to be compliant. Not only that, the regulations cover the personal data of all the citizens and residents of these countries, so if you do business with individuals and organisations in these territories it is also incumbent upon you to be compliant.
In addition, many other countries have modelled privacy legislation on the GDPR (Japan, South Korea, Brazil & Turkey to name just a few) so this de facto extends the reach of GDPR regulations further.
Finally, the UK, despite not being a member of the EEA, has essentially identical regulations (grandfathered in after Brexit) so also counts as a GDPR territory for the purposes of this article.
So, in essence, unless you are a very self-contained business, only transacting in a specific non-GDPR territory (such as the USA), you pretty much have to make sure that you are following the GDPR rules.
So what are the principles you need to follow to make sure your form or checkout is compliant?
GDPR defines a number of legal concepts at great length. However, for the purposes of forms, these are the main ones you need to get familiar with:
Personal data is any information that can directly or indirectly identify an individual. Obviously, this includes things such as name, address, email, etc. However, when taking the regulations at their strictest, anything that could, in theory (no matter how unlikely), be combined with other sources of data to identify someone can count as personal data.
This means that things such as anonymised web-cookies or randomly generated user IDs do count as personal data for the purposes of GDPR (even if the chances of them being used to identify an individual are minuscule).
Sensitive data is a step above general personal data and has additional restrictions on processing. It includes any data related to genetics, biometrics or health data plus data revealing racial / ethnic origin, political opinions, religious or ideological convictions or trade union membership.
Processing is any action performed on the collected data, whether automated or manual. GDPR cites the examples of collecting, recording, organising, structuring, storing, using or erasing data, so this pretty much means that if data hits your system you are processing it.
The data subject is the individual whose data you are processing: the form visitor / completer.
The data controller is the organisation that decides how and why personal data is processed. If the form is on your website and you have access to the data then that basically means you.
A data processor is a third party that processes data on behalf of the data controller. The most common examples in a form context would be third party form building software installed on your website (for example, Jotform) or cloud services where the data will be stored after form submission (AWS / Google / Azure).
There are particular obligations that fall upon controllers & processors:
Controllers are ultimately responsible for the GDPR compliance of data under their control. This means that, if it’s your form, the buck stops with you, so you are responsible for ensuring compliance.
Processors must only process data under specific instructions from the data controller unless required to do so by law. This means that there must be an agreement in place between controller and processor in order for the processor to work with the data. This agreement must contain clauses mandating compliance with prevailing GDPR and other privacy legislation.
The practical takeout from this is that you should get a Data Processing Agreement in place with any processors that you use in your form journey (most will have a boilerplate template that you should be able to use, and it may form part of their Ts & Cs).
The principle of data minimization is that you only collect the data you actually need to deliver your service and you should only keep it for as long as you need it to deliver that service. So for example, an eCommerce checkout can ask for personal, financial and delivery details but should not ask for irrelevant details (hobbies, etc.).
That said, the principle of “adequacy” is not specifically defined under GDPR so technically if you can demonstrate “legitimate interest” (see later) then there is a little wriggle room around this.
To cover yourself, we recommend auditing and logging all the data you are processing and documenting the purpose of that processing. The broader organisation should have been doing this under GDPR article 30 so you can simply incorporate the form data within that.
Of course, data minimization is useful for other reasons than GDPR. Asking for irrelevant information can be a cause of form abandonment so cutting out questions that are unnecessary can have a positive impact on your conversion rates as well.
The GDPR specifies that all data should be protected by “Appropriate technical and organisational measures”.
However, what this means exactly is not clearly spelt out in the regulations. As such, you should take technical advice on the strength of security needed (such as end-to-end encryption of the data or two-factor authentication to gain access to it), codify policies on data access, and set up training on data privacy and data management for your staff.
These procedures and policies should all be documented and regularly reviewed in case your compliance with this aspect of GDPR is ever challenged.
Consents on forms are a constant source of user frustration but, fortunately, following the GDPR guidelines will also keep things clearer for your customers and improve their UX.
Although explicit consent is not always needed for data processing (see later), you do need to adhere to these consent principles to stay on the right side of GDPR.
Consent under the GDPR needs to be “freely given” so you can’t use patterns that pre-tick boxes and hope that the customer doesn’t notice.
Make it completely clear what the user is agreeing to by ticking the box. Don’t try to weasel them into agreement by confusing them over what ticking the box means:
“If you do not want to not not not receive endless emails for the rest of your lives and the lives of your children please remember to forget to remember to uncheck, check the non check, uncheck, check, check non check tickbox”. Michael McIntyre, Booking tickets
An extreme example but you get the point!
If you want multiple permissions from your user (agreeing to the terms of service and opting into marketing communications, for example), you need to break them out and not bundle them together in one catch-all. If you do this you are making the terms of service conditional on other, non-essential, consents, which is not only a dark UX pattern but against GDPR regulations.
This example below would not be permitted under GDPR:
An individual must be able to revoke their consent after it has been given. Practically, this means things like allowing them to unsubscribe from marketing messages or removing permission to use images that have been submitted by them.
Note that communications that are essential to the delivery of a service do not fall under this provision (this includes things like service updates or delivery confirmation). You have the right to continue to send those communications unless the user cancels the service itself.
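The consent principles above (separate, unticked boxes; a record of what was agreed; the ability to withdraw; service-essential messages continuing regardless) can be put into a small consent module for a form. The code below is an added example, not Zuko's code: the purposes, labels, policy version label and the sample subject id are all constructed for the illustration, and it runs in Node without a browser, so the checkboxes are described as plain objects rather than DOM elements.

```javascript
// Added example (not Zuko's code): consent capture and withdrawal for a web form.
// Purposes, labels, the policy version and the subject id are constructed here.

// Each purpose is its own checkbox, unticked by default. 'terms' is the only
// one a submission requires; the others are optional and never bundled with it.
const CONSENT_PURPOSES = {
  terms:     { label: 'I agree to the terms of service', required: true },
  marketing: { label: 'Email me offers and news',        required: false },
  images:    { label: 'You may use the photos I submit', required: false },
};
const POLICY_VERSION = '2023-09'; // constructed label for the privacy notice shown

// Messages essential to delivering the service are not consent-based and
// continue until the subject cancels the service itself.
const SERVICE_ESSENTIAL = new Set(['delivery_confirmation', 'service_update']);

// Checkbox definitions a form would render: one purpose per box, never pre-ticked.
function buildConsentCheckboxes(purposes = CONSENT_PURPOSES) {
  return Object.entries(purposes).map(([id, p]) => ({
    id, label: p.label, required: p.required, checked: false, purposes: [id],
  }));
}

// Lint a proposed set of checkboxes against the consent principles: flags any
// pre-ticked box and any catch-all box that covers more than one purpose.
function lintConsentForm(checkboxes) {
  const problems = [];
  for (const box of checkboxes) {
    if (box.checked) problems.push(`${box.id}: consent box is pre-ticked`);
    if (box.purposes.length > 1) {
      problems.push(`${box.id}: bundles ${box.purposes.join(' + ')} into one consent`);
    }
  }
  return problems;
}

// Append-only log of consent events, so that what was agreed, when, and under
// which policy version can be shown later; withdrawals are kept on record too.
class ConsentStore {
  constructor() { this.events = []; }

  // Record what the subject actually ticked when submitting the form.
  recordSubmission(subjectId, ticked, at) {
    for (const [id, p] of Object.entries(CONSENT_PURPOSES)) {
      const given = ticked[id] === true;
      if (p.required && !given) throw new Error(`${id} must be accepted to submit the form`);
      this.events.push({ subjectId, purpose: id, given, at, policyVersion: POLICY_VERSION });
    }
  }

  // Consent can be revoked at any time (an unsubscribe link, a request to stop
  // using submitted images); the withdrawal is logged rather than erased.
  withdraw(subjectId, purposeId, at) {
    this.events.push({ subjectId, purpose: purposeId, given: false, at, policyVersion: POLICY_VERSION });
  }

  // The most recent event for this subject and purpose decides.
  hasConsent(subjectId, purposeId) {
    let latest = null;
    for (const e of this.events) {
      if (e.subjectId === subjectId && e.purpose === purposeId) latest = e;
    }
    return latest !== null && latest.given;
  }

  // Marketing needs live consent; service-essential messages do not.
  mayContact(subjectId, messageType) {
    if (SERVICE_ESSENTIAL.has(messageType)) return true;
    if (messageType === 'marketing') return this.hasConsent(subjectId, 'marketing');
    return false;
  }
}

// Walk one subject through submission and unsubscribe; return the decisions taken.
function demo() {
  const store = new ConsentStore();
  store.recordSubmission('user-42', { terms: true, marketing: true }, '2023-09-01T10:00:00Z');
  const marketingBefore = store.mayContact('user-42', 'marketing');
  store.withdraw('user-42', 'marketing', '2023-10-01T09:00:00Z'); // unsubscribe link clicked
  return {
    marketingBefore,                                                    // true
    marketingAfter: store.mayContact('user-42', 'marketing'),           // false
    confirmation: store.mayContact('user-42', 'delivery_confirmation'), // true
    // A pre-ticked catch-all box covering terms plus marketing: two findings.
    lint: lintConsentForm([
      { id: 'all', label: 'I accept the terms and marketing emails', checked: true, purposes: ['terms', 'marketing'] },
    ]),
  };
}

console.log(demo());
```

The store is append-only on purpose: if a withdrawal overwrote the original consent, you would lose the evidence of what the subject agreed to and when, which is exactly what you need if a consent is ever challenged.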
GDPR is specific on where the data captured through forms can be geographically stored or processed. The base standard is that the data needs to be processed in an EU territory OR a geography with equivalent data privacy standards to the GDPR. The principle behind this being that EU citizens' data should not be subject to lower privacy standards simply because it is being processed under a different jurisdiction.
Practically speaking, EEA countries and the UK currently have strong data equivalency agreements with the EU so you should be fine if you are processing the data in these locations.
Outside of this, you should check whether your proposed location is compliant. You can find a list of current GDPR adequacy agreements here.
The USA is obviously one of the biggest markets to make sure you know the status of. As of writing (2023), there is an EU-USA Data Framework in place enabling EU data to be processed by commercial organisations in the United States. However, the two previous agreements that enabled this (Safe Harbour and Privacy Shield) were both ruled invalid by the European Court of Justice so keep an eye out in case the latest framework goes the same way.
That said, if in doubt you should process data in an EU country to be on the safe side (full disclosure: this is what Zuko does; we store and process all data using servers in the Republic of Ireland).
After acquiring the data it is important that you adhere to the principles of the GDPR to ensure that you don’t accidentally infringe the regulations. These include:
Contrary to popular myth, explicit consent is not strictly necessary when processing data. The GDPR gives various legal justifications that enable you to process data for particular purposes. Specifically, they are:
It is this last “legitimate interest” basis that is most controversial. It is fairly woolly, giving organisations a lot of latitude to do what they want with the data they have captured. On the one hand, it prevents neighbourhood community groups from being sued if they use your email address to send you notice when a meeting is cancelled. On the other, unscrupulous organisations can use it to do pretty much anything as long as they can claim it is in their legitimate interest.
This often comes up in situations where you are using data to do something of value to your business that has no direct impact on the individuals involved. For example, running an aggregated analysis of users (purchasing behaviour / geography / etc). This is clearly in your legitimate interest so is allowed under GDPR. However, to completely cover yourself you should also follow the next point.
We recommend including a table which clearly states the type of data collected, the purpose of processing the data and the lawful basis for the processing. As an example you can look at Zuko / Formisimo’s policy here.
If your activities require “processing personal data on a large scale or involve large scale, regular and systematic monitoring of individuals” you need to appoint a data protection officer (DPO) under GDPR. Whilst this directive is fairly ambiguous, if you are of any reasonable scale and are regularly collecting data through forms you should really have a DPO.
The DPO (in conjunction with senior management / directors) is responsible for being the organisation’s data privacy champion and ensuring compliance with all relevant privacy laws, including GDPR. Your DPO can be a member of your organisation or you may appoint an external party to the role (this is the route that smaller businesses generally take).
Special category data is essentially the sensitive personal data types we outlined earlier in this article (health, religion, sexuality, etc). It needs to be handled slightly differently to other categories.
The main points to note regarding this special category data are:
You need to complete a Data Protection Impact Assessment (DPIA). This is essentially documentation that sets out the rationale behind processing the data, the risks involved to the individual in processing the data and how the risks will be mitigated. You can find a DPIA template here.
You also cannot just rely on the standard legal bases for processing - you must justify it using a separate condition under article 9 of the GDPR. This is especially pertinent if you are leaning on the legitimate interest rationale.
The separate conditions you need to be able to link to one of are:
Any individual has the right to ask an organisation whether they hold any personal data about them. If this is the case the individual may request access to the personal data that is being processed.
If an organisation holds incorrect data on an individual, that individual has the right to request that the information be corrected without undue delay.
No, this isn’t the right to dress in stonewashed denim and sing along to “Sometimes”. This right is also sometimes known as the “Right to be Forgotten”. An individual has the right to request that information an organisation holds about them be deleted. Note that this right isn’t automatic. It can only be triggered under certain circumstances such as if it is no longer needed to provide a service or if it was consent based and that consent has been withdrawn.
As an alternative to erasure, a data subject may request that you restrict the processing of their data. This is typically over a set time period when there are circumstances that require it, such as a challenge to the accuracy of the data or if the data has been unlawfully processed and the individual opposes erasure and requests restriction instead.
An individual has the right to request all the data held on them by an organisation in a commonly used machine-readable format (typically this would be a CSV, PDF or Excel file).
The data subject has the right to object to an organisation processing their data. Whether the organisation must comply depends on the nature and the legal basis for processing. Some of the more common circumstances that may come up include:
Direct marketing - this is absolute and you can’t refuse. If an individual requests that you stop marketing to them (through emails, direct mail, etc.) you must stop.
Legitimate interest or Public task - If your lawful basis for processing is either of these then the individual has the right to object. However, the organisation may refuse to comply if they are able to provide “compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual or the processing is for the exercise or defence of legal claims.”
Research purposes - The right to object in this case is more restricted and typically the organisation can refuse to comply as long as it has appropriate safeguards in place (data minimisation, pseudonymisation, etc).
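The data minimisation and purpose-logging advice earlier in the article (collect only documented fields, keep them only as long as needed, record the purpose and lawful basis of each) and the portability right above both hang off the same artefact: a register of what each form field is for. The code below is an added example, not Zuko's code; the register entries, retention periods and sample records are constructed for the illustration, and the CSV quoting follows the RFC 4180 convention of wrapping cells that contain commas, quotes or line breaks.

```javascript
// Added example (not Zuko's code): a register of processing for a checkout form,
// used to reject undocumented fields, purge expired values and answer a
// portability request with CSV. Entries, periods and records are constructed.

// One entry per form field: why it is collected, on what lawful basis, and
// how long it is kept. A field not listed here has no business on the form.
const PROCESSING_REGISTER = {
  email:         { purpose: 'order confirmation and account login', lawfulBasis: 'contract',            retentionDays: 365 },
  delivery_addr: { purpose: 'delivering the order',                 lawfulBasis: 'contract',            retentionDays: 365 },
  marketing_opt: { purpose: 'sending offers by email',              lawfulBasis: 'consent',             retentionDays: 730 },
  order_region:  { purpose: 'aggregated sales analysis',            lawfulBasis: 'legitimate interest', retentionDays: 1095 },
};

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample submissions, each tagged with the subject it belongs to.
const SAMPLE_RECORDS = [
  { subjectId: 'user-42', submittedAt: '2023-01-15T12:00:00Z',
    fields: { email: 'a@example.com', delivery_addr: '1 High St, Leeds', marketing_opt: 'yes' } },
  { subjectId: 'user-7',  submittedAt: '2023-02-01T08:30:00Z',
    fields: { email: 'b@example.com' } },
];

// Data minimisation: names of submitted fields the register does not document.
// A non-empty result means the form asks for more than it can justify.
function undocumentedFields(submission, register = PROCESSING_REGISTER) {
  return Object.keys(submission).filter((field) => !(field in register));
}

// Retention: copy of the record with every value whose retention period has
// elapsed removed. Fields missing from the register are treated as expired.
function purgeExpired(record, nowMs, register = PROCESSING_REGISTER) {
  const ageMs = nowMs - Date.parse(record.submittedAt);
  const kept = {};
  for (const [field, value] of Object.entries(record.fields)) {
    const entry = register[field];
    if (entry && ageMs < entry.retentionDays * DAY_MS) kept[field] = value;
  }
  return { subjectId: record.subjectId, submittedAt: record.submittedAt, fields: kept };
}

// Quote a CSV cell containing a comma, double quote or line break (RFC 4180
// style), so an address such as "1 High St, Leeds" stays a single cell.
function csvEscape(value) {
  const s = String(value == null ? '' : value);
  return /[",\r\n]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
}

// Portability: everything held about one subject, one row per stored value,
// with purpose and lawful basis alongside so the export explains itself.
function exportSubjectData(records, subjectId, register = PROCESSING_REGISTER) {
  const rows = [['submitted_at', 'field', 'value', 'purpose', 'lawful_basis']];
  for (const r of records) {
    if (r.subjectId !== subjectId) continue; // never leak another subject's rows
    for (const [field, value] of Object.entries(r.fields)) {
      const entry = register[field] || { purpose: 'UNDOCUMENTED', lawfulBasis: 'UNDOCUMENTED' };
      rows.push([r.submittedAt, field, value, entry.purpose, entry.lawfulBasis]);
    }
  }
  return rows.map((row) => row.map(csvEscape).join(',')).join('\r\n') + '\r\n';
}

console.log(undocumentedFields({ email: 'x@example.com', hobbies: 'chess' })); // [ 'hobbies' ]
console.log(purgeExpired(SAMPLE_RECORDS[0], Date.parse('2024-03-01T00:00:00Z')));
process.stdout.write(exportSubjectData(SAMPLE_RECORDS, 'user-42'));
```

Running `undocumentedFields` at submission time is the cheap enforcement point for data minimisation: a field that reaches storage without a register entry is both a compliance gap and, as the article notes, an unnecessary question that costs conversion.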
Cookies are one of the most contentious and ambiguous aspects of GDPR. The basic stipulations of GDPR (reinforced by the EU’s ePrivacy Directive) are that you must receive users’ consent before dropping cookies EXCEPT where those cookies are strictly necessary.
This is where the confusion and controversy come in as the definition of “strictly necessary” is not clearly defined. Whilst third-party and marketing cookies are squarely in the non-essential category, and first party functionality / session cookies are generally seen as essential (as they remember your preferences, basket selections, etc), the situation is not clarified around first party tracking cookies such as those used by Google Analytics or other analytics products.
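One way to act on the "consent before non-essential cookies" rule in the page itself is to gate every cookie write on its category: strictly necessary cookies are set immediately, everything else is queued until the visitor consents to that category, and a withdrawal removes what was set. The code below is an added example, not Zuko's code. The cookie classification is constructed for the illustration and takes the conservative reading of the first-party analytics question the article leaves open, treating such cookies as needing consent; it runs in Node, with a plain object standing in for `document.cookie`.

```javascript
// Added example (not Zuko's code): gating cookie writes on consent category.
// The policy table below is constructed; a plain object replaces document.cookie.

const COOKIE_POLICY = {
  session_id: { category: 'strictly_necessary' }, // keeps the visitor logged in
  basket:     { category: 'strictly_necessary' }, // remembers basket selections
  _ga:        { category: 'analytics' },          // first-party analytics cookie
  ad_tracker: { category: 'marketing' },          // third-party advertising cookie
};

// Anything not in the policy table is never treated as strictly necessary.
function categoryOf(name) {
  return COOKIE_POLICY[name] ? COOKIE_POLICY[name].category : 'unclassified';
}

class CookieConsentGate {
  constructor(jar = {}) {
    this.jar = jar;             // name -> value, in place of document.cookie
    this.consented = new Set(); // categories the visitor has agreed to
    this.deferred = [];         // cookies held back pending consent
  }

  // Set the cookie now if its category is allowed, otherwise queue it.
  setCookie(name, value) {
    const category = categoryOf(name);
    if (category === 'strictly_necessary' || this.consented.has(category)) {
      this.jar[name] = value;
      return 'set';
    }
    this.deferred.push({ name, value, category });
    return 'deferred';
  }

  // Consent given for some categories: release only the matching queued cookies.
  grant(categories) {
    for (const c of categories) this.consented.add(c);
    const stillWaiting = [];
    for (const d of this.deferred) {
      if (this.consented.has(d.category)) this.jar[d.name] = d.value;
      else stillWaiting.push(d);
    }
    this.deferred = stillWaiting;
  }

  // Consent withdrawn: stop honouring the category and drop its cookies.
  revoke(category) {
    this.consented.delete(category);
    for (const name of Object.keys(this.jar)) {
      if (categoryOf(name) === category) delete this.jar[name];
    }
  }
}

// Audit helper: given a Cookie header captured before the banner was answered,
// list every cookie that should not be present yet.
function auditPreConsentCookies(cookieHeader) {
  return cookieHeader
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => part.split('=')[0])
    .filter((name) => categoryOf(name) !== 'strictly_necessary');
}

// Constructed sample of what a browser might send before consent was given.
const CAPTURED_HEADER = 'session_id=abc123; _ga=GA1.2.111.222; basket=3';
console.log(auditPreConsentCookies(CAPTURED_HEADER)); // [ '_ga' ]
```

The audit helper is the check worth running against your own pages: capture the cookies present before anyone clicks the banner and anything that is not strictly necessary is a finding to fix, whichever way the analytics question eventually settles.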
Intriguingly, the proposed new data protection bill in the UK to supplement / supplant GDPR explicitly provides consent exemptions for tracking cookies. It will be interesting to see if this is passed into UK law and if the approach is adopted more broadly across GDPR territories.
Please note that, whilst we are confident in our interpretation of GDPR, the above guidelines should not be construed as legal advice. If you have any uncertainty about whether your forms are GDPR compliant, please consult a specialist privacy practitioner.