The EU's General Data Protection Regulation (GDPR) went into effect on May 25th, 2018.
For any FormAssembly user who is collecting data from EU citizens, you must make sure that your forms are in compliance with the GDPR. If you are unsure if the GDPR applies to you, this resource provides additional details and information.
If the GDPR does apply to you, you will need to follow the steps below to acknowledge that the GDPR applies to your use of FormAssembly.
FormAssembly does not have the authority to evaluate your forms in any capacity to determine if they are in compliance. We highly recommend seeking legal consultation when determining if your forms are in GDPR compliance.
Account Settings for GDPR Compliance
If you have determined that the GDPR applies to your use of FormAssembly, you will need to navigate to your Account page, and then check the box below:
Checking this box will let the FormAssembly team know to reach out to you and ask you to sign our Data Processing Addendum.
- Learn more about whether the GDPR applies to you and your use of FormAssembly.
- Read our GDPR FAQ that covers common questions and a brief overview of the GDPR.
GDRP Regulations Overview
There are a number of obligations that you must be in compliance with in terms of your data collection processes. In general, there are four main rights that your form respondents are granted under the GDPR, which you are obligated to provide:
- The right to information and access
- The right to rectification and erasure
- The right to withdraw consent and object processing
- The right to data portability
Details on these rights and obligations, as well as practical solutions for meeting these obligations within FormAssembly, are discussed below.
The GDPR Applies to Me, Now What?
If you have determined that the GDPR applies to you, the next best step is to contact your legal representation to ensure that all forms are in compliance with the GDPR. As stated above, FormAssembly does not have the authority to evaluate forms to determine if they are in compliance.
In addition to consulting with legal services, the webinar below provides additional, introductory information on the GDPR, and its general impact on FormAssembly processes.
How to Approach the GDPR and Resources to Help Navigate International Waters
Once you have a basic understanding of the GDPR and how it relates to data collection processes, the following webinar can provide you with additional resources and ideas on how our clients are enacting compliance across their forms.
This webinar will be posted as soon as it is available.
Understanding Informed Consent and Transparency under the GDPR
Your organization is obligated to provide a number of pieces of information to form respondents such as your identity, contact information, and the purpose of processing their data.
For a detailed discussion of these obligations, as well as practical solutions for meeting these obligations, please read our post on Rights of the Data Subject: Transparent Information.
Additionally, in order to remain compliant with the GRPR, you must obtain informed consent to process all respondent data. Our post on Obtaining Informed Consent discusses this obligation in detail, and provides suggestions for implementation.
Finally, you can view the webinar below for a detailed discussion on informed consent and data transparency.
This webinar will be posted as soon as it is available.
GDPR Request Form Template for Rectification and Erasure
As a data controller, you are responsible for providing form respondents with the right to access their personal data, the right to rectification in case data is incomplete or inaccurate, and the right to erasure or restriction of processing.
To help meet these obligations, we have created a GDPR request template, that you can customize for your own use.
You can read additional information about these obligations and this requirement here in our blogpost, or in our GDPR ebook.
The GDPR and You: Practical Strategies for Reaching Compliance
In addition to the resources and webinars provided above, the class below provides practical, concrete strategies for reaching GDPR compliance within your forms.
Anonymizing Form Response Data
To help you remain compliant with GDPR, FormAssembly gives you the option to anonymize the IP address of every submission on a form by form basis.
Anonymizing the IP address means that the form respondent's IP address will not be fully recorded so that it cannot be used to identify an individual respondent.
Additional information on this feature can be found here.
Personally Identifiable Information and General Sensitive Data
In compliance with the GDPR, you may need to label certain fields in your form as containing Personally Identifiable Information (PII) or General Sensitive Data.
Additionally, you will likely need to determine if sensitive data being collected is from a first party or third party source. For any field marked as sensitive, you have the ability to define this respondent data relationship classification.
You can find additional information about sensitive data here.
Form Contact Information
For a form to be compliant with the GDPR, you are obligated to provide specific contact information to all form respondents. This contact information must be available so that form respondents can easily access information about the data you are collecting, and how that data will be used.
Additionally, you are obligated to provide form respondents with information about their specific rights under the GDPR.
In order to customize your contact information on a form by form basis, you can find out more information here.
Finally, additional FAQ's in regards to the GDPR and how it relates to FormAssembly and your data collection processes are addressed here on our website.