How to get my website forms ready for GDPR

Please note this information is now out of date - please refer to the ICO for up-to-date GDPR information. 

Introduction

For many small businesses, data collection happens primarily through website forms – whether they are contact forms, forms completed to buy services online, or registration forms of some kind.

To follow the principles of the GDPR your website forms need to avoid bad practices. Where you rely on consent as your lawful basis for processing, you must obtain it from every customer, through a clear affirmative action, before any data collection takes place. Requests must be in clear, plain, easily understandable language free of legalese. The consent request must also stand alone from other matters and not be buried in other text. Lastly, you must provide individuals with privacy information at the time you collect their personal data from them.

It is also a requirement that you keep a clear note of the time and date that the consent was given, and have a copy of the information that was shown to the customer at the time they consented – we cover suggestions for how to do this below.

GDPR-Compliant Registration / Sign-Up Forms

Registration forms often ask for a considerable amount of personal information and then store it in a computerised system. For most forms like this, it will be sufficient to have a clear statement about what the data you are collecting will be used for, accompanied by an unticked checkbox through which the customer gives clear consent. Note, importantly, that these checkboxes must never be pre-ticked: the GDPR is explicit that consent requires an affirmative action, so customers must be informed and tick the box for themselves. A practical consequence is that your back end should treat a missing checkbox value as "no consent", since an unticked HTML checkbox is simply not sent with the form.

If you routinely share this information with any third parties for marketing purposes, it is vital that you say so here, describe why, and make the sharing opt-in rather than opt-out. If sharing their details is necessary to provide the main service you offer them, then it is sufficient to cover that use in your Privacy Policy.

Examples

"Dogs In Distress" is a voluntary dog rehoming centre, and customers may join their group to show support and be kept in touch with their news. Their GDPR-compliant member registration form should look like this:

The Privacy Policy would mention the customer's various Rights, which we cover in more detail here.

Note that the statement next to the Terms and Conditions checkbox spells out explicitly how the customer's details will be stored and used. If storing and using those details is necessary to provide the membership itself, that necessity is your lawful basis for the processing. If you are instead relying on consent, keep the consent request as its own unticked checkbox rather than folding it into the Terms and Conditions, because the GDPR requires a consent request to be clearly distinguishable from other matters.

The GDPR says that consent must be "unbundled" and "granular", meaning that you should not force your customers to consent to marketing just to use your services, which is why the email newsletter is offered separately above. Again, these checkboxes must never be pre-ticked.

To be granular means that, if possible, options should be shown separately. For example, if Dogs In Distress also offered phone calls and direct mail to let members know about new dogs up for adoption, then the form should look like this:

Note that each potential form of communication is shown individually, and the systems and business processes behind the form must honour each choice separately: an opt-in to the email newsletter is not permission to phone or write.

GDPR-Compliant Contact Forms

Contact forms generally come in two types. The first simply emails the enquiry to you (or a member of your staff) without entering the customer's details into a database of any kind, and without later copying them into a system used for marketing. If that describes your form, being GDPR compliant is straightforward.

A simple statement to that effect is sufficient:

If this is the case, and you delete the enquiry email once you have made contact, there is little further to do under the GDPR. You could, arguably, omit this message from these kinds of forms and leave the information in your Privacy Policy, but I believe customers will take comfort in knowing, explicitly, that they aren't inviting future marketing by using your contact form.

However, if your customer's details are automatically entered into a database or Customer Relationship Management (CRM) system of some kind, you would need to ask for their consent to store their information in a similar way to the Registration Forms above:

Of course, if you routinely start marketing to them based on their enquiry that would have to be stated explicitly, and made opt-in, as with all other marketing activities:

GDPR-Compliant Ecommerce Forms

Buying goods or services from a website is incredibly common, and luckily the GDPR implications are very similar to Registration forms (see above) with only a couple of important differences.

Typically online stores use third parties for processing payments and for delivering goods. You need to tell customers about these recipients in your Privacy Policy: the GDPR requires at least the categories of recipient, and naming them is clearer for the customer and is what the examples here assume.

You also need to be sure that each of the third parties you list is, themselves, GDPR compliant: search their website for GDPR information, check their Privacy Policy or speak to a representative. Where a third party processes personal data on your behalf (a payment processor or courier, for example), you also need a written contract with them setting out what they may do with that data.

I would also recommend linking to their GDPR statement or Privacy Policy within your Privacy Policy. Your customer must be able to find out, at least in principle, who will handle their data and how, for the information you give them to be meaningful and for any consent they give to be informed.

Example

In the above example notice, in particular, the wording "You agree to us sharing your details, where necessary, with various companies to both process your payment and deliver your goods." next to the link to your Privacy Policy, which will in turn list the third-party companies you use for payment processing and delivery, by name, and link to their GDPR statement or Privacy Policy.

Proof of Consent

A technically challenging part of the GDPR says you must be able to demonstrate that consent was given: record what the customer was shown when they consented, which options they chose, and the time and date they gave it. Keep this information so that you can prove you had a lawful basis to process and store that customer's data if the question is ever raised.

In an ideal world, all websites would have supported this automatically when the GDPR came into force on 25 May 2018, but that is far from the case. I recommend, as a stopgap, that you keep a folder in your email where you put all automated customer registration emails, of any type, whether they come from a contact form, placing an order, or some other kind of sign-up; this gives you the time and date of consent.

I also recommend that you take a screenshot of every form on your website where customers can enter their data, print them out and write on them the dates the form was in effect. When the form is revised, repeat this so that you have a complete archive of how your forms looked over time and can match any consent record to the wording in force on that date.

Not a perfect solution, but a good first line of defence if you need to prove you had informed consent and therefore a lawful basis for using their data.
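Where the website itself can be changed, the two requirements above (separate, unticked consent checkboxes from the Registration / Sign-Up section, and a provable record of what was shown and when from this section) can be enforced in the form handler. The following is an added example written for this page, not code from the original article or from any real registration system: it takes the fields a browser would POST from a form like the Dogs In Distress one, treats an absent checkbox as "no consent", requires only the Terms and Conditions to be accepted, records each marketing channel separately, and stores a UTC timestamp plus the version label and SHA-256 fingerprint of the exact notice text the customer saw. The notice wording, the version label "reg-v1", the field names and the sample submission are all assumptions made for the illustration.

```python
# Added example (not from the original article): a registration handler that
# enforces granular, unticked consent and writes a provable consent record.
# "Dogs In Distress", the notice wording, version labels and field names are
# assumptions made for this illustration.
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Archive of every version of the notice text shown beside the form's checkboxes.
# A new entry is added whenever the wording changes; old entries are never edited,
# so a stored record can always be matched to the wording in force at the time.
NOTICE_ARCHIVE = {
    "reg-v1": {
        "terms": "I accept the Terms and Conditions. Dogs In Distress stores my "
                 "name and email address to run my membership.",
        "email_news": "Email me the Dogs In Distress newsletter.",
        "phone": "Phone me about new dogs up for adoption.",
        "post": "Send me news about the centre by post.",
    },
}

# Each marketing channel is its own checkbox; none of them is required to join.
MARKETING_CHANNELS = ("email_news", "phone", "post")


class ConsentError(ValueError):
    """Raised when a submission does not carry the consent it needs."""


def notice_fingerprint(notice: dict) -> str:
    """SHA-256 over the canonical JSON form of the notice text.

    Stored next to the version label, this lets you prove later that the
    archived wording is exactly what the customer saw, not a later edit.
    """
    canonical = json.dumps(notice, sort_keys=True, ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_consent_record(form: dict, notice_version: str,
                         now: Optional[datetime] = None) -> dict:
    """Turn a submitted form (a dict of POSTed fields) into a consent record.

    A checkbox the customer did not tick is simply absent from the POST body,
    so absence means "no consent". Only an explicit "on" counts, which also
    means a pre-ticked default cannot be recorded as consent by accident.
    """
    notice = NOTICE_ARCHIVE[notice_version]
    if form.get("terms") != "on":
        raise ConsentError("Terms and Conditions must be accepted to join")
    if not form.get("email", "").strip():
        raise ConsentError("an email address is required to run the membership")

    # Granular: one independent boolean per channel, each defaulting to False.
    marketing = {channel: form.get(channel) == "on" for channel in MARKETING_CHANNELS}
    timestamp = (now or datetime.now(timezone.utc)).isoformat()

    return {
        "email": form["email"].strip(),
        "consented_at_utc": timestamp,
        "notice_version": notice_version,
        "notice_sha256": notice_fingerprint(notice),
        "terms_accepted": True,
        "marketing": marketing,
        "source": "member-registration-form",
    }


def verify_record(record: dict, archive: dict = NOTICE_ARCHIVE) -> bool:
    """Re-derive the fingerprint from the archived text for the record's version.

    Returns True only if the archive still holds the exact wording the record was
    made against; this is what you would produce if asked to prove consent.
    """
    notice = archive.get(record["notice_version"])
    return notice is not None and notice_fingerprint(notice) == record["notice_sha256"]


if __name__ == "__main__":
    # Constructed submission: the customer ticked the terms and the newsletter only.
    submitted = {"email": "pat@example.org", "terms": "on", "email_news": "on"}
    record = build_consent_record(submitted, "reg-v1")
    print(json.dumps(record, indent=2))
    print("verifies against archive:", verify_record(record))
```

In practice the record would be written to your database or an append-only log alongside the membership itself, and the notice archive would be kept under version control, so that the "what was shown" half of the requirement is satisfied by the fingerprint rather than by printed screenshots.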

Nine Rules to Remember When Revising Your Forms

Use plain English, without jargon or double negatives.

Don't make consent to marketing a precondition of a service.

Ensure privacy is always the default option - no pre-ticked consent.

Specify why you want the customers' data and what you're going to do with it.

Have a clear link to your Privacy Policy above or below the form.

Give granular options where possible to give people control and choice.

Keep a record of exactly what your customer was told at the time of consent.

Keep a record of when and how you got consent from the customer.

Ensure that the individual can refuse to consent without detriment.

The Good, the Bad & the Ugly

Lastly, let's take a look at some examples from household names that are getting it right, right-ish or plain wrong: