How GDPR will impact your website data collection

21 February, 2018 | All Posts, Web design

With just over 3 months to go until the new GDPR (General Data Protection Regulation) comes into force, business owners are turning their attention to data collection, storage, access and usage within their organisations.

By now, you should be aware that this sweeping new suite of data privacy regulations comes into effect on 25th May 2018 and that it applies to the collection of data on any EU citizen – whether you’re based in an EU country or not. You’ll also have heard of the huge fines (up to 4% of your turnover) for non-compliance.

So how does GDPR affect the data you collect via your website and is your business prepared for these changes?

Legal disclaimer follows:

Much to the disappointment of our parents, we are not lawyers, so what follows should not be taken as legal advice. But Cyan Marketing does have a vested interest in the success of its clients’ websites under GDPR, which is why we have teamed up with an accredited GDPR practitioner who can provide specific guidance to help you achieve compliance for the whole of your organisation – not just the relatively simple matter of your website forms.

Aims of the GDPR

These new data privacy regulations are seeking to empower EU citizens with more control over how their digital data is being collected and used. The emphasis is on greater transparency and ‘explicit consent’ with the ultimate aim being to afford citizens the right to purge whatever data you are holding on them, if this is their desire.

Explicit consent for data collection

Strengthening consent requirements is at the very core of the new regulation. So, if you collect or manage any EU citizen’s data, you must:

  1. Request the explicit consent of every user before any data collection takes place. These requests must be in clear, plain English. They must also stand alone from other terms or requests and must not be buried in other text.
  2. Have a clear and accessible privacy policy that informs users how collected data will be stored and used.
  3. Provide a means for users to request, access and view the data you have collected on them.
  4. Provide users with a way to withdraw consent and purge personal data collected on them. This has been termed the “Right to Be Forgotten”.

Impact of GDPR on your web forms

Most businesses use one or more forms on their website to request data from visitors, guests or members. These may range from generic enquiry forms designed to request further information or a quote for specific services right through to newsletter subscriptions, ecommerce transactions and document download requests.

The good news is that not all of your forms will necessarily be impacted by the GDPR. For example, if you’re running an anonymous quiz or survey that does not collect ‘personally identifiable’ information on users, your form will not be affected by the new regulations.

However, as soon as you are capturing names, personal email addresses or phone numbers, GDPR comes into play. So what measures need to be taken for you to remain compliant?

How to achieve GDPR compliant web forms

Follow these 4 simple steps.

  • Decide whether you need to store it. The simplest way to achieve GDPR compliance is to dispose of the information you gather via your web forms, as soon as you have dealt with the client’s enquiry. Now obviously, this will not satisfy most of us who use our forms for the express purpose of collecting data that we can use in future marketing campaigns. So, how can we store client data and still comply?
  • Request consent. If you intend to store data, then explicit consent must be obtained before collection can take place. In other words, before the user submits the form, they must be made aware that this form is collecting personal data with the intent to store that information. The user must then explicitly opt in (for example, by ticking an additional checkbox field). If you’re planning to use this data in more than one way, you’ll need to include more than one checkbox and request a separate opt-in for each (for example, to receive a quarterly newsletter as well as ad-hoc service notifications). If you’re planning on marketing via more than one medium, for example by email and by post, you will require a separate opt-in for each. These opt-in fields can no longer be pre-populated with ticks. Explicit opt-in (preferably ‘double opt-in’) consent is now required under GDPR.
  • Privacy policy. The Right to Access states that a user must be informed if data is being collected, what data is being collected, how, where, and for what purpose. That’s a lot of information to cram into the contact form itself, so you should use your privacy policy to fully explain your data collection and storage practices, and then provide a link to that privacy policy from the form where you request consent.
  • An open channel for user requests. GDPR compliance requires that you be reachable and responsive to user requests for data that you’ve collected on them either to view or delete. There are several ways to handle this and Cyan Marketing would be happy to discuss these options with you further. One simple method would be to include a consent withdrawal/request to view form on your privacy policy page. You could then create a link to this form from any other web form on your site that collects personal data.
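
As an added illustration (not Cyan Marketing’s code, nor that of any form plugin), here is how a server-side form handler could apply the four steps above: nothing is kept without a ticked opt-in, each purpose is recorded separately, and users can view or withdraw. The function names, the field names and the policy label are all assumptions made for this example.

```javascript
// Added example; every name here is hypothetical, not from any real plugin.
const PURPOSES = ["newsletter", "service_notifications"]; // one checkbox each
const POLICY_VERSION = "policy-v1"; // constructed label for the linked privacy policy
const records = new Map(); // email -> { name, email, consents }

// Only the exact value a ticked checkbox sends counts. A missing field,
// "false", "" or anything else is no consent; nothing defaults to granted.
const ticked = (form, field) => form[field] === "on";

function handleSubmission(form, now = new Date()) {
  const email = String(form.email || "").trim().toLowerCase();
  if (!email) return { ok: false, stored: false, consents: [] };
  const consents = {};
  for (const purpose of PURPOSES) {
    if (ticked(form, `consent_${purpose}`)) {
      // Keep evidence of what was agreed, when, and under which policy text.
      consents[purpose] = { grantedAt: now.toISOString(), policy: POLICY_VERSION };
    }
  }
  const granted = Object.keys(consents);
  // No opt-in at all: deal with the enquiry elsewhere and keep nothing.
  if (granted.length === 0) return { ok: true, stored: false, consents: [] };
  records.set(email, { name: String(form.name || ""), email, consents });
  return { ok: true, stored: true, consents: granted };
}

// Check before every send: consent for one purpose never covers another.
function mayContact(email, purpose) {
  const rec = records.get(String(email).toLowerCase());
  return Boolean(rec && rec.consents[purpose]);
}

// "Request to view": return a copy of everything held, or null.
function viewRecord(email) {
  const rec = records.get(String(email).toLowerCase());
  return rec ? JSON.parse(JSON.stringify(rec)) : null;
}

// Withdraw one purpose; when none remain (or no purpose is named), purge.
function withdraw(email, purpose) {
  const key = String(email).toLowerCase();
  const rec = records.get(key);
  if (!rec) return false;
  if (purpose) delete rec.consents[purpose];
  if (!purpose || Object.keys(rec.consents).length === 0) records.delete(key);
  return true;
}
```

The check has to run on the server because a submitted form can carry any values, whatever the page displayed. Double opt-in, which the consent step above prefers, would add an e-mailed confirmation before the record is saved and is not shown here.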

Other considerations for your website

We know what you’re thinking: if I follow all the steps above, will my website be fully GDPR compliant? Unfortunately, there may be other considerations on your website too because any process that collects personally identifiable data needs to be reviewed. This could mean Google Analytics, tracking and remarketing cookies and metadata collected via blog comments. Companies collecting user information in return for access to Wi-Fi networks will also need to request permission for this to be stored. Finally, check out our recent blog ‘Why every website requires an SSL certificate’.

Any questions?

GDPR is an important but potentially confusing area for UK businesses and we know you’ll have more questions.

Cyan Marketing is currently working with its clients to implement the core functions that will help ensure compliance for website data collection. But we have also partnered with an accredited GDPR consultant who can advise on the wider impact of GDPR on your entire business.

To discuss any of the issues contained within this blog, please contact us on or call 01268 778555.