Overwhelmed by the barrage of privacy and security jargon floating around you recently? Read our previous post on the GDPR, to get an idea of how Zoho is dealing with it.

If you’re using Zoho Forms and wondering how the GDPR affects your forms specifically, don’t fret! We’ve done all the hard reading for you, so we can break down this seemingly intimidating thing called the GDPR and what it means for your form building.

A side note from our lawyers: While this post tries to explain the essence of the GDPR, it is by no means actual legal advice, so you’ll need to consult a lawyer for that.

Now that we’ve got that out of the way, let’s look at what we’re dealing with here. The GDPR deals with the collection and processing of data of individuals who reside in the EU. Previously, this was covered by the European Data Protection Directive, which was introduced way back in 1995. That’s definitely outdated for the data privacy needs of today. So it’s gotten a much-needed revamp in the form of the General Data Protection Regulation (GDPR), which comes into effect on May 25, 2018. It’s much more relevant to the way data and privacy are perceived in the EU today, and brings the residents of the EU under a much more effective umbrella of protection for their data and privacy.

Who’s who under the GDPR?

Out of all of the GDPR jargon, here are three terms you’ll need to be familiar with:

Data Subject: This is your form respondents who give you their personal data. They’re the individuals whose data is covered by the GDPR.

Data Controller: That’s you — the one who creates the forms which collect the data. That makes you responsible for its safe collection, storage and management.

Data Processor: That’s us. We don’t control the data that you collect, but we process it on your behalf.

Why is GDPR a good thing?

If there’s one thing you can never have too much of, it’s security. This law is intended to strengthen online privacy rights and boost Europe’s digital economy. While doing that, it also improves your relationship with customers by providing the most secure means of processing and storing their data. Your European customers will feel better about doing business with you when they know your forms are GDPR compliant.

Does this law apply to your business if you’re not in the EU?

The answer is most likely a yes. If you’re a B2C company, and you have customers or potential customers in the EU, then yes, the GDPR applies to you — even if you’re not based in the EU. So if you have a web form on your website that collects signups from customers, which can include customers from the EU, your form needs to be GDPR compliant. Quite simply, if you’re expecting any traffic at all from the EU, then your forms need to be GDPR compliant to collect their data.

But what does being GDPR compliant mean?

To call yourself GDPR compliant, you’ll have to address the following rights of EU residents guaranteed by the GDPR:

Right to Access and Rectification

Your form respondents have the right to know if, how, and why their data is being collected and processed. Under this right, respondents must also have access at any time to the data they’ve submitted and some way to edit it.

Right to be Forgotten

This one, which has a nice ring to it, simply means that at any time a form respondent can ask you to permanently erase (or forget) their data from your system. Once the respondent asks, you must comply with their request without any delay.

Data Portability

Your form respondents have the right to export the personal data they’ve submitted to you. This means that once your respondents have given you their personal data, you have to be able to provide them that data whenever they ask for it, even if it’s so they can share the data with another controller.

Right to Object

Once you’ve explicitly told your form respondents about how you intend to use the data they’re submitting, they have the right to object to any part of it. For example, if you have an option at signup that says you’d like to use the respondent’s data to send promotional emails (which is something that you have to disclose according to the right to access), your respondents can exercise their right to object by not checking this box. In case of any disagreement later, you need to have proof that the respondent provided consent and did not object to your uses of their data.

Right to Restrict Processing

There are some situations where a respondent’s data should not be used, but doesn’t necessarily need to be deleted. For instance, if your respondent hast pointed out a concern of unlawful processing on your end and you are currently investigating this, it’s appropriate to stop processing their data in the meantime. Or a respondent may request to stop a particular kind of processing, such as receiving promotional emails. Good consent practices and clear terms of service can help to minimize the likelihood of a processing restriction request, but if a respondent does ask to restrict processing, you must comply.

Consent under the GDPR

While the term “consent” seems pretty straightforward, under the GDPR it is slightly more nuanced. For instance, silent or soft opt-in is not acceptable, so the  decision boxes collecting consent in your forms cannot be pre-ticked. You also have to individually state each purpose and type of processing for which you’re obtaining consent. Ideally, to obtain valid consent to send emails about a new product, a respondent should actively check the box saying they would like to receive promotional emails about future products from you while they are filling out your form.

What does not being GDPR compliant cost?

The price for non-compliance is pretty steep, with especially severe violations being penalized up to 20 million Euros, or up to 4% of the company’s total global turnover in the previous fiscal year, whichever is higher. But even less severe violations can cost you up to 10 million Euros, or up to 2% of global turnover of the previous fiscal year, whichever is higher. This is totally avoidable by taking a few simple measures with regard to your forms.

How does Zoho Forms help you become GDPR compliant?

To equip you better, we’ve been working on some great features that will make post-GDPR life a whole lot easier:

  • A new Terms and Conditions field. Just add it to your form and list all the necessary information in plain language, or add a link to your privacy policy. Now you’ve taken your first step towards GDPR compliance.
  • We have introduced a Double Opt-In feature. Once you have enabled it, respondents will have to confirm via email that they’d like to opt in to your form. This gives you another chance to get explicit consent from your respondents for actions involving that form submission, and also confirms that it was really them that submitted the form. This helps you ensure that you gather data only from genuine respondents.
  • Also in the works is a Do Not Process state, which, when applied to a form entry, disables any further processing of that entry.
  • We’re bringing in the option to mark a field as Personal, ensuring greater security for your respondents’ data. When you’re involving any of these sensitive fields in third-party integrations and other actions, we’ll warn you so you can be careful not to share personal data accidentally.
  • Additionally, you can Encrypt a field so that its contents are unintelligible to unauthorized people.  No one processing or handling this encrypted data can gather any information from it, which provides an added safety net for your customers’ sensitive information.
  • The Send form response as PDF feature, if enabled, provides respondents with a copy of their data in the form notification email to automate your compliance with the right to access. By providing an edit link in your form submission email, you can also offer respondents a self-service way to exercise their right to rectification.
  • Ensuring the right to be forgotten is easy with Zoho Forms. With the Double Opt-In feature enabled, once someone opts out, we list their submission under Opted-Out Entries and don’t allow anyone to add that email address in that particular form, effectively “forgetting” that respondent.

All this might seem like a lot of work, but it really isn’t. Besides, the GDPR is here to stay and it’s going to make the relationship between businesses and their customers a lot more transparent. So don’t lose any time in making your forms GDPR compliant. If you’re looking for a more comprehensive read on GDPR for Zoho Forms take a look at this E-book we’ve prepared!


If you have any more questions regarding the GDPR, let us know in the comments below or tweet us @zohoforms