With the introduction of new GDPR legislation just around the corner, now is the time to look at your systems and processes to see where you may need to make changes to ensure you comply. One aspect of data collection and privacy that will impact most companies is their website. So, what do you need to think about on your own website? It is rare to find a website these days without a contact form and GDPR does not need to stop collection of valuable enquiries. However, what information you ask for, how you store it and its retention period are matters for review.
The first question is about the sensitivity of the data you are collecting. If the fields on your contact form are relatively standard (name, email, phone and address) then this is normal personal data and has a set level of protection prescribed to it. But if your product or service means you need further additional data as part of an enquiry (religion, nationality, union membership, children’s details, health info) then this may be classed as sensitive data and can require an added level of protection. Furthermore, it is worth thinking about the use of comments boxes and whether these encourage users to impart sensitive data, even if they have not been asked for it in other fields. So, review your web forms and ask whether it is wholly necessary to collect all the information via the web or whether this can be picked up further into the enquiry. Marketing best practice says fewer fields equals higher enquiry rate so GDPR could result in more leads bizarrely!
Data Storage and Retention
Once a form has been completed, where is it stored and for how long? Do you keep a copy in the website content management system (CMS) and if so, does it automatically delete after x days/weeks? Does the website CMS have an appropriate level of access security for the data held within it? – remember the word ‘appropriate’ is important. Yes, all data is valuable, but if you are holding basic contact data, a password secured CMS is probably deemed appropriate, but sensitive data may need secondary access levels within the CMS so only restricted users can view full personal data. You then need to ensure that you are only holding the data for an appropriate amount of time and it may be that once transferred to an internal system, your process is to remove the saved copy from the web CMS.
Final point on storage is about locality. Talk to your hosting provider and make sure you are aware of the location of their servers. It may be that they load balance across multiple server farms around the world but have dedicated servers in the EU for data protection compliance purposes. Ask them for their GDPR compliance statements and if in doubt move your website to someone that can give you a clear answer on location 24/7 x365. UK is best, EU is within regulation but outside of that may mean you fail a compliance test so it’s worth asking the question.
Consent and Policies
Before you collect, store or use the data you need to make sure it is clear how you will obtain it and intend to use it. Your web forms will need to be opt in, not opt out, so simply filling in an enquiry does not give you the right to market to someone. Give plenty of options for opt in and don’t be afraid to explain how frequently you mail/email your contacts and what the content of those communication may be. The keyword in this aspect of GDPR is explicit – have you gained explicit consent to use that data? Yes, it may mean you get fewer new names on your mailing lists but arguably the quality will improve as users will ask to be on there.