The Ultimate Guide to GDPR
On May 25, 2018, the European Union introduced the General Data Protection Regulation, commonly known as GDPR. This contemporary legislation contains hundreds of pages of rules and requirements that dictate security and data privacy laws for businesses and individuals within (and marketing to) the European Union.
GDPR is a regulation, rather than a directive. As such, it is highly enforceable and carries hefty financial penalties for non-compliance or failure to act in response to specific data governance guidelines.
From a holistic standpoint, GDPR was created to safeguard and protect the data privacy of citizens in the European Union, while providing a standardized data privacy law for other European nations and businesses. Since its adoption, the GDPR has dynamically changed how organizations manage data privacy, particularly in regard to consumers.
In this guide, we’ll take a deep dive into what the General Data Protection Regulation (GDPR) is, what it means to businesses and individuals, and how FormAssembly can aid in compliance measures. Keep reading to discover the steps you and your organization must take to maintain compliance.
Table of Contents
- An introduction to GDPR
- Implications for FormAssembly customers
- Important GDPR terms
- Understanding GDPR rights and responsibilities
- The Data Processing Agreement
- Step-by-Step guide to creating GDPR-compliant forms
- Recent updates to GDPR (2021)
- How FormAssembly can help with GDPR compliance
- Get started with GDPR compliance
This information is provided as-is, based on our best understanding of the information publicly available and our consultations with our legal counsel. This is not legal advice, and we cannot answer questions about your particular situation. You should consult with your own legal counsel if you have questions about your obligations under the GDPR.
An introduction to GDPR
The European Union’s GDPR (General Data Protection Regulation) is a law that defines and mandates data privacy rules in the European Union. The primary purpose of this regulation is to protect data privacy for EU citizens.
According to the European Union, GDPR is “the toughest privacy and security law in the world.” There are numerous requirements, definitions, and business obligations found within the GDPR’s extensive pages.
Why is it important?
On the surface, GDPR sounds daunting. After all, the legislation contains hundreds of pages of stiff requirements that must be adopted point blank. Although it appears intimidating at first glance, authors of the legislation intend for it to be a flexible blueprint for other nations and marketplaces around the world.
Additionally, GDPR significantly increases the current level of monetary fines for data privacy non-compliance. In the most severe cases, financial penalties to organizations could potentially be as high as 4% of the total worldwide annual turnover or €20,000,000 (whichever amount is higher).
With the introduction of such strict and steep fines, compliance with data privacy rules has been elevated to the same level as antitrust, anti-bribery, and anti-corruption compliance on the corporate radar.
Who does GDPR apply to?
One of the most important questions that we hear regarding the GDPR is, “Does this really apply to my organization?” Particularly for businesses within the United States, knowing how to navigate policies of the European Union can be complex and confusing.
In short, the GDPR’s mandates have substantial geographic reach, potentially extending to organizations around the world. The GDPR most specifically applies to:
- Organizations in the EU which process data as part of their EU establishment (i.e., their legal and physical presence in the EU)
- Organizations that are outside of the EU (based in any location in the world) which process personal data as part of:
- Offering goods or services to data subjects that are in the EU; or
- Monitoring the behavior of data subjects in the EU
What new rules does the GDPR introduce?
To date, the GDPR is one of the most comprehensive data privacy documents in the world. At its inception, GDPR introduced or codified several new processes into law. Many of these updates changed the way that organizations had traditionally conducted operations, marketed to patrons, or communicated with customers.
For a complete overview of how GDPR introduced these new data privacy rules, head over to our GDPR FAQ page.
New business-related obligations
Under GDPR, businesses and organizations faced new mandates in regards to several important activities; many of these requirements focus on the notion of consumer consent.
- How to gain valid consent for collecting data in the first place
- Data breach notifications
- Appointment of a local representative in the EU to be the point of contact for EU individuals and EU regulators
- Obligation to appoint a Data Protection Officer
Although some new processes are the responsibility of internal team and staff members, GDPR requires updated processes as a way to ensure compliance.
Modern process requirements should now include:
- Prioritizing the importance of data protection impact assessments
- Internal record-keeping and accountability
- Implementation of robust information security measures (particularly anonymization and pseudonymization of data)
- Incorporation of “privacy by design and default” principles as part of the corporate mindset and high-level strategy
New or enhanced rights for data subjects
The “data subject” is the individual to whom the data belongs. Under GDPR, new rights for the data subject can include:
- Right to erasure (also known as the right to be forgotten)
- Right to data portability
- Right to object to profiling
- Right to restrict processing
Many of GDPR’s new rights and provisions do require that organizations have adequate technical and administrative systems or protocols in place. These resources are required in order to give effect to the rights within the timeframes and in the manner required by the GDPR.
What does all of this mean for FormAssembly customers?
Compliance with GDPR standards is a shared responsibility between a Data Controller (you) and the Data Processor (FormAssembly). If you know that the GDPR applies to your organization, FormAssembly’s role is to process data on your behalf and per your instructions. In this regard, FormAssembly is the Data Processor, and you are the Data Controller.
As your Data Processor, we will enter into an additional arrangement (the Data Processing Addendum) which is a contractual agreement that requires us to meet our Data Processing obligations and to protect the rights of the data subjects.
To a certain extent, FormAssembly will assist your organization in meeting your obligations under the GDPR policies, such as retrieving, editing or deleting personal data, or obtaining and preserving proof of consent when applicable. Regardless, you are still responsible and liable for any specific responsibilities that are yours as the Data Controller.
Important GDPR terms
[Suggested infographic placement–highlight each term with brief definition]
To understand the ways in which GDPR changes and defines your organization’s data privacy policies, you must first be familiar with several terms that are unique to this legislation. By grasping each of these terms, you’ll be better equipped to understand what role you play in complying with GDPR policies.
Although many aspects of GDPR are complex and nuanced, informed consent is relatively simple. Informed consent is the process of clear and honest disclosure about your organization’s data privacy policies.
As a general rule, informed consent should be outlined in clear, plain, and simple language. The specific legislation states the following about informed consent.
“For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.”
According to the directive, failure to establish informed consent is non-compliance. Learn more about informed consent and how your organization can and should acquire it in this step-by-step blog post.
Under GDPR, the data controller is responsible for maintaining data privacy standards and policies. This includes protecting the rights of data subjects and adhering to all compliance rules and standards set forth by governing bodies.
At all times, the data controller is responsible for understanding what types of data are collected, for what purpose and intention they are collected, and for how long the data is kept or stored.
In contrast to the data controller, the data processor is responsible for processing the data that the controller provides to them; this can be an automated or manual process.
Although the process doesn’t initiate the collection of data, it is the job of the processor to develop secure and reliable systems for collection, processing, or storage. A qualified processor is one that prioritizes cybersecurity and other security frameworks in order to safeguard information from data subjects and provide reassurance to data controllers.
One of the fundamental beliefs of the European Union is that the right to transparency and protection of personal data is fundamental. The steps are fairly straightforward—if GDPR applies to your organization, you must maintain and promote compliance by completing actions such as:
- Providing transparent information at the point and time of data collection
- Linking to an updated privacy notice or policy
- Including data purpose information within the same page
To learn more about transparent information and how you should prioritize it, take a look at our blog post, Rights of the Data Subject: Transparent Information.
Per GDPR compliance, data erasure refers to the right to be forgotten. Data subjects can invoke this right whenever they want to remove their personal data from an existing server or customer relationship management system.
When data subjects make the request for data erasure, this request must be honored exactly and in a timely manner. Failure to erase data after the receipt of a formal request could result in non-compliance fines and other legal penalties.
Data controllers are responsible for providing form respondents with the right to access their personal data, the right to rectification in case data is incomplete or inaccurate, and the right to erasure or restriction of processing.
To help data controllers meet these obligations, FormAssembly has created a GDPR request form template that you can customize for your own use.
Understanding GDPR rights and responsibilities
Whether you submit and share your data as an individual or you collect personal data as a processor, it’s important to understand how GDPR changes the process. Individuals should have a clear understanding of what they’re entitled to, and businesses should take responsibility for specific actions or adjustments. Both perspectives are highlighted briefly below.
Rights and responsibilities for individuals
GDPR mandates several rights regarding the data that organizations collect about those individuals. These rights include:
- The right to be informed
- The right of access
- The right to erasure
For additional clarification, you can refer back to the above definitions or learn more information about these specific rights on ico.org.uk.
Rights and responsibilities for organizations using web forms
If you have already determined that GDPR guidelines apply to you and to your business activities, a practical next step is to contact your legal representative. A legal team, especially one with experience in handling GDPR directives, can ensure that all web forms are in compliance with the GDPR.
Please note: Because FormAssembly does not have the legal authority to evaluate individual forms, we cannot provide legal advice on whether your organization’s web forms are in compliance.
The webinar below provides additional, introductory information on the GDPR and its general impact on FormAssembly processes.
>> Watch the webinar <<
The Data Processing Agreement
FormAssembly’s Data Processing Agreement is an addendum that exists between FormAssembly and active subscribers. This document clarifies several key terms of the subscription in light of GDPR compliance. In an effort to promote full disclosure and compliance, FormAssembly offers a web-based and downloadable copy of this document.
The Data Processing Agreement is designed to help customers better understand their unique position as a FormAssembly customer operating under GDPR. In this agreement, you can expect to find more information and clarity about essential data policies such as:
- Data protection guidelines and definitions
- Security breaches
- Data transfers
- General terms and conditions
- EU model clauses
Step-by-step guide to creating GDPR-compliant forms
FormAssembly is an all-in-one data collection platform that helps organizations in all industries become better stewards of the data they collect. Our platform offers encryption at rest and is compliant with GDPR, in addition to other data privacy regulations (including CCPA, HIPAA, GLBA, PCI DSS level 1, and more).
FormAssembly’s Compliance Cloud plan features advanced security and privacy controls, plus personalized data security training and other privacy features. If you’re looking to make the most of our platform’s GDPR compliance capabilities, here are a few tips that can help you be successful.
- Share your organization’s identity and contact information. New forms should be clearly branded with your identifying information. For the respondent, this information communicates to whom they are providing their personal data. This is an important transparency aspect of GDPR.
- Describe who will receive the data. If a particular individual, team, or department is receiving the incoming data, make sure to define those terms. For example, if your form adds the respondent to a general marketing list, be sure to let the individual know that by submitting their information, they will receive marketing messages.
- Showcase where to find customer support. Each form that you create with FormAssembly will contain a link to Customer Support. Per GDPR, relevant contact information should be visible and easily accessible. This link can also be customized to suit your specific help department.
- Customize each form to include transparent information. Although form templates can save time and effort, don’t forget to tweak forms each time you publish them. GDPR compliance means leveraging as much transparency and clarity as possible.
- Clearly signal notable text to respondents. Use highlighted text, customizable text boxes, and hints to point out information that respondents may otherwise miss.
- Obtain informed consent (checkboxes, etc.). For GDPR compliance, you must obtain true, affirmative, and clear consent from each individual who submits a new form. A checkbox is one of the most user-friendly ways to obtain this agreement. Don’t forget to make it required in order to prevent respondents from skipping it accidentally.
- Help respondents locate where and how to make data changes. GDPR policies are strict when it comes to a data subject’s ability to change and revoke their personal data at any time. Educate respondents on how they can make adjustments in the future if they need or want to.
- Mark personal data as PII or sensitive. As a form creator, you must take responsibility for marking personal data as sensitive. FormAssembly can help alleviate extra work through sensitive data features that allow you to indicate additional sources of data as needed.
- If necessary, anonymize the respondent’s IP address. In some instances, a respondent’s IP address may come through as another sensitive data point. As the data collector, you should anonymize this IP information in order to prevent the collection of data without explicit consent.
>> Watch the full GDPR class, The GDPR and You: Practical Strategies for Reaching Compliance, hosted by our expert Customer Support team. <<
Overview of best practices for your entire organization
In addition to designing forms that are in the best interests of your organization and your customers, remember that everyone on your team plays an important role in compliance. You can build a GDPR-friendly operation by following these tips:
- Implement data protection by design and by default
- Offer training and GDPR education to all employees
- Choose compliant third party services for processing data
- Seek appropriate legal counsel for any clarifying questions
GDPR compliance checklist
>> Download our free GDPR Compliance Checklist to perform a fast and efficient audit on your organization’s compliance strategy. <<
Recent updates to GDPR (2021)
Since its original release and publication in 2018, GDPR has undergone several negotiations, updates, and amendments. As part of its standard review process, the European Commission may continue to release new changes that impact the way organizations handle GDPR-related compliance measures and business practices.
As a result of the most recent updates to GDPR, here’s what organizations can expect to see in 2021 and beyond.
- Removal of the U.S. Privacy Shield. Although originally intended to make data more portable, recent updates have revoked the privacy shield in exchange for standardized GDPR contractual clauses. This change mostly impacts businesses in the United States that market to citizens of the European Union.
- More GDPR-inspired legislation around the world. Other countries, states, and regions have caught on to the effects of the GDPR. In 2020, California released the California Consumer Privacy Act (CCPA). While not a total copycat of GDPR, this act is the first of its kind within the United States to protect data privacy of California citizens.
- Clarification on cookies. Under new guidelines, organizations cannot rely on “cookie walls” for new users while continuing to block content without consent. Moreover, scrolling or swiping does not count as cookie consent, as these actions are passive or inactive.
How FormAssembly can help with GDPR compliance
In addition to helping you create web forms that comply with GDPR policies and procedures, FormAssembly is also committed to assisting your organization with getting up to speed on new data privacy regulations. Because of our commitment to data stewardship, we regularly create and publish helpful resources that allow our customers to focus on what matters most.
The FormAssembly blog is full of timely, relevant content that will equip you to be a better steward of your data. Explore some of our top GDPR blog posts for more clarification on this and other data privacy policies:
- GDPR Compliance Checklist
- Obtaining Informed Consent
- Does the GDPR Apply to Your Use of FormAssembly?
- Data Privacy Day 2021: A Roundup of Our Top Data Privacy Resources
- [Quiz] Data Collection 101: Where Do You Stand?
FormAssembly’s Data Privacy Deep Dive webinar series sheds light on how to simplify GDPR and data privacy compliance measures. Throughout the series, we discussed how to know whether GDPR applies to you, what steps to take if it does, and how you can honor customer requests with respect to data privacy.
GDPR rules and requirements can be confusing and occasionally difficult to navigate. If you want to save time and effort attempting to locate the right answer, don’t stress. Simply head over to our GDPR FAQ page for an in-depth look at some of the most common questions.
FormAssembly’s extensive help documentation highlights everything you need to know about GDPR and compliant web forms. Head over to our GDPR compliance resource page for a quick overview of the legislation plus tips on how to adjust your account settings appropriately.
Take the next steps toward GDPR compliance
Take the next step towards GDPR compliance with our handy GDPR compliance checklist.