How to get my website forms ready for GDPR
Please note this information is now out of date - please refer to the ICO for up-to-date GDPR information.
For many small businesses, data collection happens primarily through website forms – whether they are contact forms, forms completed to buy services online, or registration forms of some kind.
To follow the principles of the GDPR your website forms need to avoid bad practices and request the explicit consent of every customer before any data collection takes place. Requests must be in clear, plain, easily understandable language free of legalese. The consent also must stand alone from other matters or requests and not be buried in other text. Lastly, you must provide individuals with privacy information at the time you collect their personal data from them.
It is also a requirement that you keep a clear note of the time and date that the consent was given, and have a copy of the information that was shown to the customer at the time they consented – we cover suggestions for how to do this below.
GDPR Compliant Registration / Sign-Up Forms
Registration forms often ask for a considerable amount of personally identifiable information and then store it in a computerised system. For most forms like this, it will be sufficient to have a clear statement about what the data you are collecting will be used for, accompanied by a checkbox giving clear consent to do so. Note, importantly, that these checkboxes must never be pre-ticked. The GDPR is explicit that customers must be informed and choose to consent for themselves.
"Dogs In Distress" is a voluntary dog rehoming centre, and customers may join their group to show support and be kept in touch with their news. Their GDPR-compliant member registration form should look like this:
Note that we have used the acceptance of the club's Terms and Conditions to explicitly mention consent to the storage and use of the customer's details. This gives us the lawful basis for processing and storing their information.
The GDPR says that consent must be "unbundled" and "granular", meaning that you should not force your customers to consent to marketing just to use your services, which is why the email newsletter is offered separately above. Again, these checkboxes must never be pre-ticked.
To be granular means that, if possible, options should be shown separately. For example, if Dogs In Distress also offered phone calls and direct mail to let members know about new dogs up for adoption, then the form should look like this:
Note that each potential form of communication is being shown individually, and it is up to your business processes to respect this.
GDPR Compliant Contact Forms
Contact forms generally come in two types. If your contact form only emails you (or a member of your staff), without entering your customer's information into a database of some kind, and you don't then transfer those details to a system for the purposes of marketing, then it is straightforward to be GDPR compliant.
A simple statement to that effect is sufficient:
However, if your customer is automatically entered into a database or Customer Relationship Management (CRM) system of some kind, you would need to ask for their consent to store their information in a similar way to Registration Forms above:
Of course, if you routinely start marketing to them based on their enquiry that would have to be stated explicitly, and made opt-in, as with all other marketing activities:
GDPR Compliant Ecommerce Forms
Buying goods or services from a website is incredibly common, and luckily the GDPR implications are very similar to Registration forms (see above) with only a couple of important differences.
Proof of Consent
A technically challenging part of the GDPR says you must record both what a customer was shown when they gave their consent, and what time and date this consent was given. This information should be kept so that you can prove that you had a lawful basis to process and store that customer's data, if necessary, in the future.
In an ideal world, all websites would automatically support this concept overnight on the 25th May, but that's far from the case. I recommend, as a stopgap, that you keep a folder in your email where you put all automated customer registration emails, of any type, whether they come from a contact form, placing an order, or some other kind of sign-up - this gives you the time and date of consent.
I also recommend that you take a screenshot of every form on your website where customers can enter their data, print them out and write on them the date that the form was in effect. When the form is revised, repeat this so that you have a complete archive of how your forms looked over time.
Not a perfect solution, but a good first line of defence if you need to prove you had informed consent and therefore a lawful basis for using their data.
Nine Rules to Remember When Revising Your Forms
Use plain English, without jargon or double negatives.
Don't make consent to marketing a precondition of a service.
Ensure privacy is always the default option - no pre-ticked consent.
Specify why you want the customers' data and what you're going to do with it.
Give granular options where possible to give people control and choice.
Keep a record of exactly what your customer was told at the time of consent.
Keep a record of when and how you got consent from the customer.
Ensure that the individual can refuse to consent without detriment.
The Good, the Bad & the Ugly
Lastly, let's take a look at some examples from household names that are getting it right, right-ish or plain wrong: