This information is provided as-is, based on our best understanding of the information publicly available and our consultations with our legal counsel. This is not legal advice, and we cannot answer questions about your particular situation. You should consult with your own legal counsel if you have questions about your obligations under the GDPR.
GDPR—the General Data Protection Regulation—is a seismic shift for data privacy in the EU. EU organizations and organizations that process the data of EU citizens will have to drastically change the ways deal with customer data, from how they collect it, to how they legally justify that collection, to what they must disclose to customers about their data collection, to what they can legally do with data.
The deadline for GDPR enforcement is May 25, 2018 but there is still confusion about this regulation and who it applies to. One definite truth from the regulation is that organizations who fall under the purview of the GDPR must work with GDPR compliant data processors. FormAssembly is one such data processor. In this GDPR Q&A Our CEO Cedric Savarese weighs in on the GDPR, FormAssembly’s role, and what it means for businesses.
What are some of the things that the GDPR requires of businesses?
There are a number of obligations, the first is that they have to be transparent about the data collection process. What that means in practice is that when a person goes to fill out a form with their information, they have to be able to access certain information easily. That information includes the business’ identity and contact information and the purpose of the data collection process. This information can’t be be buried in the fine print of a legal document; it has to be clear, concise, easy-to-find information. Companies also can’t be vague about how they plan to use the data they’re collection. They can’t just say, “We’re going to use this information for marketing purposes.” Under the GDPR, that’s not specific enough.
Companies also need to disclose the legal basis for the data collection. You actually have to say – I’m collecting this information and this is why it’s lawful data collection. You also have to disclose information about your users’ rights as individuals when they are entering information. They have rights to request and review the information you collected at a later time, they have the right to put limits on how that data is going to be used, and they have the rights to get that data removed. You need to disclose all the rights that they’re going to have through your data collection process.
What responsibilities does FormAssembly have under the GDPR?
In the framework of the GDPR, we are a service provider for our customers. We classify as what they call a data processor, and our customers are data controllers. As a data processor, we don’t decide what kind of data is being collected, that’s our customers. Also, per our responsibilities, we’re requiring our customers to whom the GDPR applies to sign an additional contractual agreement called a data processing addendum, which provides assurance that we’re complying with the GDPR regulation. Beyond that, though this isn’t a requirement, we’ll be trying to help our customers who are data controllers fulfill their obligations under the GDPR.
How will FormAssembly be helping customers meet the requirements of the GDPR?
We are going to roll out some changes that help our customers meet their obligations under the GDPR. Beyond the transparency aspect, they also have to respond to requests, such as requests to update or remove information. Our customers will have to process those requests. What we’re doing to help them fulfill those requests is we’re providing tools to help them categorize the information they collect and then search that information. So when our customers’ forms ask for details like first name and last name, that can be classified as personally identifiable information, or PII, and they will be able to search it so they can find someone who’s asking for information—who they are, whether or not they’re in the database at all, and then what information is stored.
Beyond that, we have lots of content already on our website related to the GDPR and the requirements and we’re continuing to develop more.
How can an organization know if the GDPR applies to them?
If you are using FormAssembly to collect and process Personal Data of European Union data subjects, either as an organization established in the European Union (EU), or as an organization not established in the EU but offering goods or services directed at European Union data subjects, then the GDPR applies to you.
For more information you can refer to our recent blog post: “[GDPR I] Does the GDPR Apply to You and Your Use of FormAssembly?”
If a FormAssembly customer has decided the GDPR does apply to them, are there any next steps they need to take?
If you’ve determined that the GDPR applies to your data collection, you will need to sign our Data Processing Agreement. You can find the agreement along with more information on how you can use FormAssembly to meet your obligations under the GPDR in our GDPR FAQ.
What are some of most important things to know about the GDPR?
Don’t ignore it, whether or not you think it applies to you, because those are good practices: disclosing what you do with the data you collect, being transparent about yourself, asking for explicit consent, avoiding dark patterns, like tricking people into agreeing to things they aren’t aware of or understand—those are good practices that companies should be doing regardless of the GDPR. Also, it’s important to remember that there’s always a price you may end up paying if you try to hide things and be less transparent—even if it’s three to four years later.
What are some of the top challenges you think businesses will face related to the GDPR?
One would be making sure that you have that proper disclosure on a form-by-form basis. You can’t just put a link to your privacy policy, and you have to explain different use cases differently. Being able to create those forms and those disclosures on a form by form basis is going to be a challenge, and that’s something we want to help with. Adding clarity to each form by outlining the intended purpose and distribution is key. For instance, adding checkboxes to forms that dictate how the information is used, ensuring that your respondents deliver their information under the proper pretense.
Another challenge is going to be having a process to handle requests from individuals. Right now, only the largest organizations like Google or Facebook have to worry about this, but now under the GDPR everybody has to be able to process those requests. If you’re not the size of Google it’s unlikely that you’re going to get hundreds of those requests, but even if you only get one you have to have a process, because under the GDPR you have to respond to those requests within a specific time frame. We can help with that because you can create a separate form just to process requests, so that you actually have a way for users to submit their information and there’s a record of that information being received and when it was received. Then data controllers can answer it any way they want.
The third challenge is going to be for data controllers to work with data processors that are GDPR compliant.
What are some of the biggest changes to regulation presented by the GDPR?
What the GDPR does is clearly set new standards for what they call “informed consent.” You can’t just say, “Oh, I can do whatever I want with your data because there was some sort of click through explanation that nobody reads or it was in the small print somewhere.” That’s no longer allowed. Under the GDPR you have to have explicit consent.
How can customers track consent for their users through FormAssembly?
Using FormAssembly, there are a few different ways you could track consent. The GDPR requires a “clear affirmative act,” which can be through an electronic signature (you can implement this in our forms) or checking a checkbox with notice, etc. Silence, pre-selected boxes, or inactivity on the part of the user will not constitute consent. It is important to note that regarding the GDPR, FormAssembly is not the data controller, we are a data processor. We process on behalf of the customer and act upon their instructions. Consent is up to the data controller to implement.
What’s the main benefit to working with FormAssembly as opposed to other web form solutions if GDPR compliance is a requirement?
We are GDPR-ready. We’re meeting the requirements under the GDPR as a data processor, and we have a very large customer base. Beyond that, we’re providing tools to help our customers be compliant, such as being able to organize the information you’re collecting, being able to identify the individual you’re collecting data form, being able to disclose the required information at the time of data collection—all that is built into the product.
Learn more about the GDPR and submit any questions you have on our GDPR FAQ page.