Introduction to GDPR
Disclaimer: This guide is not intended to serve as legal advice. If you’re working to comply with the GDPR, it’s up to you and your own legal counsel to determine how these privacy laws apply to your specific business.
What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union (EU) privacy law that gives EU citizens and residents access to and control over their personal data. This new law will affect organizations all over the world that do business with citizens and residents of the EU.
What does this mean for me?
If your business collects any information from citizens or residents of the EU, you’ll want to take a look at your data collection processes and make sure they are compliant with GDPR data protection laws. There are three main areas of your data collection process you’ll want to examine:
Consent
Consent is when a user gives you permission to use their data for a specific purpose, such as emailing them promotions or using their data in reports and analysis. Under GDPR, the conditions that must be met for valid consent have increased. You’ll want to make sure any forms or documents that collect personal information have clear, explicit opt-in processes.
Right to Access
Under the new GDPR law, you'll need to be more transparent with the information you collect from users. If a user wants access to their information, you’ll need to provide an electronic version of their personal information, note where it's stored, and explain how it is being used.
Right to Be Forgotten
Users will also have the ability to request that their personal data be removed from your systems at any time. This means you’ll need to create a process that routes the request through every system where personal information is stored and then notifies the requestor that their information has been deleted.
When does GDPR go into effect?
The new GDPR law goes into effect on May 25, 2018. If you’re a little behind and need to get moving quickly, we’ve got your back. We’ve compiled some quick tips on how you can use Formstack to collect consent from users, store their data, and create a workflow process to execute on their right to be forgotten.
Let’s dive in!
Collecting Consent with Your Online Forms
What is consent?
Collecting consent from your users is a critical requirement for GDPR compliance. Consent must be freely given, informed, specific, and unambiguous. People cannot be forced into consent or be unaware that they are providing permission to use their data. This means you must make it very clear why you are collecting information and how that information will be used.
How can I collect consent with my forms?
Formstack can help you stay GDPR compliant by giving you an easy way to state your intentions, link to privacy policies, and collect opt-in consent. Keep in mind that not all forms are impacted by GDPR laws. You only need to collect consent when you ask for personally identifiable information like names, emails, addresses, and phone numbers.
There are two key form fields you can use to collect consent from your users. Let’s go over the best practices you should keep in mind for each one:
Checkboxes - Use Opt In, Not Opt Out
Add a Checkbox field to your data collection form to get opt-in consent from your users. You should not use pre-checked checkboxes. Gone are the days when it was okay to pre-select a consent box to offer opt-out consent. GDPR opt-in policies require that a user must actively give their consent in order for that consent to be valid.
Keep in mind that if you’re planning to use information for multiple activities, it’s important to explain each activity and get explicit consent for each one. For example, if you’re planning to send communications (like social and retargeting ads) to people who sign up for your newsletter, you must list and explain these activities on your form.
Description Fields - Share Your Policies
How are you planning to use the information people share with you? Are you going to store it in your database, or will it be sent to a third party? To answer these questions and more, you need to make your privacy policies digestible and accessible.
Share this information by adding a Description field to your GDPR consent form. These fields allow you to insert rich text, including images, links, and formatted text. Include a link to your privacy policy to give users all the information they need on your intended use of their data.
Documenting Consent
Your users have the right to request access to their data at any time. To provide them with the right information, you need to properly document their consent. Use your forms to maintain the following records:
Who Opted In
Always ask for a name so you can identify the person that opted in on your GDPR consent form. Simply drag a name field onto your form in the Formstack builder to collect first and last names.
How They Opted In
Make a copy of the form you used to gather consent. The copy should contain the consent statement used at the time and any relevant privacy policies. You can easily save copies of a form by creating a special folder to house different versions. Label each copy with the date it was last updated so you can quickly identify which versions of a form match specific submissions.
When They Opted In
To prove that you’ve collected consent for an individual, you need to document the exact date and time that someone permitted you to use their information. Formstack timestamps submissions automatically so you can tie a person’s data to the correct version of the form used to capture their information. To view this information, go to the Submissions tab and look at the “Date Submitted” column. You can also view date/time data by clicking on a particular submission.
Pro Tip: Segment Your Database By Opt-In Permissions
Use a custom filter on your form submissions to quickly find people who’ve provided their consent. Custom filters let you search for records where any or all of the statements you choose are true or false. Set the filter to specifically search for records where a person checked a consent box. You can export these submissions or send them to a third-party integration to create easily accessible lists that you can use for emails, ad targeting, and other activities.
Executing the Right to be Forgotten
The GDPR data protection law gives people the right to “be forgotten” or withdraw their consent at any time. To meet these requests, you need to put the proper withdrawal procedures in place. Withdrawing consent needs to be as simple and painless as possible. Ideally, your users should be able to withdraw their consent with the same method they used to give it. This means that if they used a form to opt in, they should also be able to use a form to opt out.
How to Create Seamless Erasure Workflows
Successfully deleting user data can be complicated if you don’t have a smooth process in place. With Formstack’s workflows feature, you can meet erasure needs quickly by setting up a workflow that moves across multiple departments. Each workflow step can be assigned to a different person, and after each step is completed, the workflow form is automatically routed to the next person so they can complete their part.
For example, you could create a workflow across marketing, sales, and product to ensure a person’s data is deleted across all your company systems. Here’s what that could look like:
Step 1:
George submits an erasure request form. His submission kicks off a workflow that starts with Sara in marketing.
Step 2:
Sara sees George’s request and deletes his data from the company’s marketing systems. She makes note of each system on the form and clicks submit.
Step 3:
Tiffany from sales reviews Sara’s notes, deletes George’s data from the company’s sales systems, and adds her own notes to the form.
Step 4:
The form finally moves to Jack in product, who completes a final review of the erasure process to ensure that George’s data has been removed from all systems.
Step 5:
After all data is deleted, a confirmation email is sent to George letting him know that erasure is complete.
Keep in mind that this is only an example. You need to make sure your workflow is as thorough as possible to ensure erasure is successful. Discuss your erasure process with your team to identify who needs to delete data and where.
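The consent records described under Documenting Consent (who, how, when) and the multi-system erasure workflow above, as an added example that is not Formstack's code or part of the original guide. The system names, the purpose labels, and the `delete_fn` callback are assumptions; the sample submission is constructed. Each purpose is a separate opt-in that defaults to unchecked, each record is tied to a hash of the exact consent text and policy link, and the confirmation is only marked as sent once every system reports deletion.

```python
"""Consent ledger plus erasure workflow (added example, not Formstack's own code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib


def form_version_id(consent_text: str, policy_url: str) -> str:
    # Hash the consent statement and policy link so a submission can be tied to
    # the exact form version that was live when the person opted in ("how").
    return hashlib.sha256(f"{consent_text}\n{policy_url}".encode()).hexdigest()[:16]


@dataclass
class ConsentRecord:
    name: str            # who opted in
    email: str
    form_version: str    # how they opted in (which consent text / policy)
    purposes: dict       # purpose -> bool; one explicit box per activity
    submitted_at: str    # when they opted in, ISO-8601 UTC timestamp


def record_consent(name, email, form_version, submitted, offered, now=None):
    # Opt-in only: any purpose the user did not actively tick is stored as False.
    purposes = {p: bool(submitted.get(p, False)) for p in offered}
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return ConsentRecord(name, email, form_version, purposes, stamp)


def consented_to(records, purpose):
    # Segment the database: only people who actively ticked this purpose's box.
    return [r.email for r in records if r.purposes.get(purpose)]


def run_erasure(email, systems, delete_fn):
    # Route the request through every system in turn, noting the outcome of each
    # step; the confirmation email is only due once all systems report deletion.
    steps = []
    for system in systems:
        ok = delete_fn(system, email)  # assumed hook into each department's system
        steps.append((system, "deleted" if ok else "FAILED"))
    complete = all(status == "deleted" for _, status in steps)
    return {"subject": email, "steps": steps, "confirmation_sent": complete}


# Constructed sample: one newsletter signup that left the retargeting box unticked.
FORM_V1 = form_version_id("I agree to receive the newsletter", "https://example.com/privacy")
RECORDS = [record_consent("George Example", "george@example.com", FORM_V1,
                          {"newsletter": True}, ["newsletter", "retargeting"],
                          now=datetime(2018, 5, 25, tzinfo=timezone.utc))]
ERASURE = run_erasure("george@example.com", ["marketing", "sales", "product"],
                      lambda system, who: True)
```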
Get Ready for GDPR
Think you’re ready for the GDPR? Use the checklist below to make sure your forms and processes are compliant:
- My GDPR consent forms are accessible and easy to understand.
- My forms include a simple way to opt in to communication.
- My forms do not have opt-in boxes already checked for users.
- My forms let users know how their information will be used.
- I use description fields to give users access to my privacy policy.
- I collect the date and time of a user’s consent with my company.
- I document how a user opted into consent with my company.
- I’ve created an easy process that gives users access to their information.
- I have an easy way for users to ask for their data to be removed.
- I have a workflow process to delete user data from my systems.
If you’ve checked all of these boxes, congrats! You’re well on your way to GDPR compliance. If you’re still missing a couple of checkmarks, start a free trial of Formstack and use the knowledge you’ve gained to build forms and processes that complete your compliance.
This guide was prepared by Formstack, a versatile workflow acceleration platform that enables businesses of all types and sizes to remove complexity and get more work done. With Formstack, anyone can quickly and easily build custom forms, create documents, collect eSignatures, and automate workflows—all without code.
The platform offers multiple robust features, including conversion tools, 150+ integrations, and a native app for Salesforce. Whether you’re an operations director trying to maintain GDPR compliance or a marketing professional trying to improve your lead generation process, Formstack has the power and flexibility to help you succeed.