How to Create GDPR-compliant Forms
If you are collecting data via a web form and conduct business in the EU, then you need to ensure that your organization is GDPR compliant when sending, receiving, and storing the submitted information.
To what organizations does GDPR apply? The GDPR applies to any organization that does business in the European Union. Even if you operate your business in the United States, if you sell goods or services to customers in the EU, then your business must comply with GDPR.
What Is the GDPR?
The General Data Protection Regulation is a slate of cybersecurity and data protection laws passed and governed by the European Union for the purpose of defining the rights of consumers in relation to their personal data. GDPR claims jurisdiction over any business operating in a country in the EU, including businesses from other countries that conduct digital commerce within EU borders.
The heart of this legislation is the protection of data. Since the passage of GDPR, other government entities have followed suit and passed similar data privacy legislation, such as the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, the California Consumer Privacy Act (CCPA), and the Data Protection Act 2018 (DPA).
Some of the critical facets of the GDPR that impact data gathering and business operations include:
- Data Subjects and Data Ownership: GDPR defines “data subjects” as individual consumers with private data that may be used for business purposes. These subjects are the foundation of the law, and all rights to data protection and privacy stem from the rights of these individuals (rather than, say, the right of a business to collect data).
- Disclosures and Fair Use: All businesses operating in the EU must, upon gathering data for any purpose, disclose the reasoning for their gathering of that data clearly to the data subject. Furthermore, they must justify both to that subject and to any GDPR audit that the data they collect is related to well-defined business practices aligned with products and services. Businesses cannot simply sell user data to third parties as they see fit.
- Security: All private data must be secured using modern cybersecurity measures. This includes the data itself and any data created as a result of using that information—namely, data like audit logs, IP addresses, etc.
- Locality: Businesses collecting information from EU citizens are not allowed to transmit this information outside of EU borders to avoid jurisdictional challenges. For example, a company cannot take information and transmit it from French servers to U.S. servers to avoid penalties under the GDPR.
- Consent: All data collection efforts must include clear, unambiguous, and uncoerced consent from the data subject.
These approaches can seem restrictive and complex for individuals and businesses outside of the EU. However, they simply require, for the most part, a new approach to managing data online. Organizations must ensure that these data privacy controls are part of their integrated risk management strategy.
What Does the GDPR Say About Consent?
Consent is often the most important and challenging part of GDPR compliance simply because it calls for businesses to ensure that they are clear and specific about their business practices.
GDPR, however, makes clear the obligations of any business as related to consent:
- The Necessity of Data Gathering: First and foremost, a business must have a justifiable reason for collecting data. It is a matter of legal compliance that organizations restrict their data-gathering activities to that which directly pertains to their operations and the provision of services to data subjects.
- Freely Given: Consent must not be coerced or gained under false pretense. While you can make the data request a prerequisite for products and services, you cannot impose hardship or penalty on users for declining to provide data or for withdrawing data they have already provided.
- Specific and Unique: There are no blanket notices for consent under the GDPR. Each request must be specific for its medium and purpose, and each request must call for an individual consent mechanism. So, for example, if you request permission to use cookies to gather data as well as permission to send emails, these must be separate requests.
- Informed and Unambiguous: No matter how many requests you make, each must provide a detailed description of what data is being collected, why it is collected, for what purposes, and to what extent. This serves two purposes: first, it allows data subjects to give informed consent to the release of their data, and second, it forces the collecting organization to define strict limits on its use of the data.
- Revocation: The data subject can, at any time, revoke consent for permissions previously provided. This includes stopping emails or removing cookies and other data-collection mechanisms.
Users outside of the EU are already starting to see the impact of these rules, with increasingly descriptive and ubiquitous requests for cookies and tracking on e-commerce and news reporting websites.
What Makes a Compliant GDPR Form?
A major part of maintaining GDPR compliance is ensuring that your requests for information adhere to the requirements listed above. This, in turn, means having compliant forms and data security tools to match those regulatory compliance efforts. Organizations must ensure that third-party risk management policies include policies on the use of web forms.
Generally speaking, GDPR-compliant consent and information-gathering forms include some of the following best practices:
- Avoid Pre-checked Forms: Implementing a form with consent checkboxes already prefilled violates the rules requiring informed, non-coerced consent. Attempting to persuade consumers to consent to something they would not otherwise agree to can seem like deception. Even worse, it could be interpreted as a way to take advantage of consumers who may not notice the checkbox at all.
- Provide Individual Consent Forms: Organizations should not create massive web forms that ask respondents for a long list of consents. To begin with, this is a bad user experience. But it also violates several aspects of GDPR. It is important to use separate, highly descriptive forms that clearly define exactly what the recipient is consenting to.
- Granularize Consent Options: Each individual form of consent must have its own description and its own mechanisms for showing consent. If you include something like consent for marketing emails alongside other types of data gathering, then that should be its own section, with its own checkboxes or switches. When in doubt, make it granular.
- Make Opting Out Easy: GDPR is an “opt-in” system, meaning that users must opt in to data gathering. Organizations must also make it easy and intuitive to opt out of that data gathering or communications.
- Record Consent in Secure Systems: All subject consent must be recorded in secure systems for auditing and privacy. Thus, an organization’s back-end system must include security mechanisms to protect records of consent—employing GDPR-compliant security and encryption.
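The following is an added example, not code from the original article or from Kiteworks, showing how the consent requirements above (separate and unchecked consent boxes, one record per purpose, and revocation) can be expressed in code. The purpose identifiers, consent texts, field names and the in-memory record list are all assumptions made for illustration; a real deployment would persist the records in an encrypted, access-controlled store and would also log the text version the subject actually saw.

```javascript
// Added example (not from the article or any vendor): granular, opt-in consent
// capture and recording for a web form. All identifiers below are illustrative.

// One entry per purpose, each with its own wording and a version of that wording,
// so a stored record can prove what the subject agreed to at the time.
const CONSENT_PURPOSES = [
  { id: "newsletter", version: "2024-01", text: "Send me the monthly product newsletter by email." },
  { id: "analytics",  version: "2024-01", text: "Allow usage-analytics cookies on this site." },
];

// Minimal HTML escaping for the consent text that is rendered into the form.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Render one separate checkbox per purpose. The `checked` attribute is never emitted,
// so the default state of every consent box is "not granted" (opt-in, not opt-out).
function renderConsentFields(purposes = CONSENT_PURPOSES) {
  return purposes
    .map((p) =>
      `<label><input type="checkbox" name="consent_${p.id}" value="yes"> ${escapeHtml(p.text)}</label>`)
    .join("\n");
}

// Static check that can run in CI or a template linter: does any consent input
// carry a `checked` attribute (a pre-ticked box)?
function hasPrecheckedConsent(html) {
  return /<input\b[^>]*\bname="consent_[^"]*"[^>]*\bchecked\b/i.test(html);
}

// Turn a submitted form body into one record per purpose. A missing or unticked box
// is recorded as an explicit "not granted" so audits show the question was asked.
function recordConsent(submission, subjectId, now = new Date(), purposes = CONSENT_PURPOSES) {
  return purposes.map((p) => ({
    subjectId,
    purpose: p.id,
    textVersion: p.version,          // which wording the subject saw
    granted: submission[`consent_${p.id}`] === "yes",
    recordedAt: now.toISOString(),
    withdrawnAt: null,               // set when the subject revokes
  }));
}

// Revocation: mark the matching record withdrawn. Returns the number of records changed.
function withdrawConsent(records, subjectId, purposeId, now = new Date()) {
  let changed = 0;
  for (const r of records) {
    if (r.subjectId === subjectId && r.purpose === purposeId && r.granted && r.withdrawnAt === null) {
      r.withdrawnAt = now.toISOString();
      changed += 1;
    }
  }
  return changed;
}

// The check every downstream process (mailer, analytics pipeline) should make
// before using data for a purpose: consent granted and not since withdrawn.
function isPermitted(records, subjectId, purposeId) {
  return records.some((r) =>
    r.subjectId === subjectId && r.purpose === purposeId && r.granted && r.withdrawnAt === null);
}

// Stand-alone demonstration with a constructed submission.
if (typeof require !== "undefined" && require.main === module) {
  const html = renderConsentFields();
  console.log(html);
  console.log("pre-checked consent box present:", hasPrecheckedConsent(html));
  const records = recordConsent({ consent_newsletter: "yes" }, "subject-1");
  console.log("newsletter permitted:", isPermitted(records, "subject-1", "newsletter"));
  withdrawConsent(records, "subject-1", "newsletter");
  console.log("newsletter permitted after withdrawal:", isPermitted(records, "subject-1", "newsletter"));
}
```

Two design points worth noting: the renderer cannot produce a pre-checked consent box at all, and a separate linter-style check (`hasPrecheckedConsent`) catches hand-written templates that do; and the record stores the version of the wording alongside the decision, because a consent record that cannot show what the subject agreed to is of little use in an audit.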
Launch and Maintain GDPR Forms With Kiteworks
Organizations conducting or planning to conduct operations in the EU must have GDPR-compliant systems that can support data storage and gathering that meets both security and consent laws.
The Kiteworks platform delivers a web form capability that meets these requirements. Kiteworks’ file and document management system provides extensive and flexible cloud infrastructure with easy-to-create forms that can power GDPR compliance from user engagement to server storage.
Kiteworks also includes the following:
- Security and compliance: Kiteworks utilizes AES-256 encryption for data at rest and TLS 1.2+ for data in transit. Its hardened virtual appliance, granular controls, authentication, other security stack integrations, and comprehensive logging and audit reporting enable organizations to easily and quickly demonstrate compliance with security standards. It has out-of-the-box compliance reporting for industry and government regulations and standards, such as HIPAA, PCI DSS, SOC 2, and the GDPR.
In addition, Kiteworks touts certification and compliance with various standards that include, but are not limited to, FedRAMP, FIPS (Federal Information Processing Standards), FISMA (Federal Information Security Management Act), CMMC (Cybersecurity Maturity Model Certification), and IRAP (Information Security Registered Assessors Program).
- Audit logging: With the Kiteworks platform’s immutable audit logs, organizations can trust that attacks are detected sooner and maintain the correct chain of evidence to perform forensics. Since the system merges and standardizes entries from all the components, its unified Syslog and alerts save security operations center teams crucial time and help compliance teams to prepare for audits.
- SIEM integration: Kiteworks supports integration with major security information and event management (SIEM) solutions, including IBM QRadar, ArcSight, FireEye Helix, LogRhythm, and others. It also has the Splunk Forwarder and includes a Splunk App.
- Visibility and management: The CISO Dashboard in Kiteworks gives organizations an overview of their information: where it is, who is accessing it, how it is being used, and if sends, shares, and transfers of data comply with regulations and standards. The CISO Dashboard enables business leaders to make informed decisions while providing a detailed view of compliance.
- Single-tenant cloud environment: File transfers, file storage, and user access occur on a dedicated Kiteworks instance, deployed on-premises, on an organization’s Infrastructure-as-a-Service resources, or hosted by Kiteworks as a private single-tenant instance in the Kiteworks Cloud. This means no shared runtime, shared databases or repositories, or shared resources, and no potential for cross-cloud breaches or attacks.
To find out more about the Kiteworks platform and its secure web form capabilities, schedule a custom demo that can be tailored to your specific GDPR requirements.