GDPR: Web forms and consent

Looking at yet another of those web registration forms that seems to collect more data than required, it occurred to me that there might be quite a neat way to meet the General Data Protection Regulation’s requirements for positive, recorded consent.

The first step, as with anything under the GDPR, is to think about which information is really necessary to provide the service, rather than optional. Will the service actually break if I tell it I’m a seventeen-year-old wizard called Harry Potter? If not, that information isn’t necessary and consent is the right basis for processing it. The remaining fields should be documented, and processed, under one of the Regulation’s “necessary for…” clauses: most likely “necessary for the performance of a contract”.

For the other, optional, fields, where consent is the appropriate basis, the Regulation requires that this be a positive choice by the user, that providing the information not be a condition of providing the service, that the user’s choice be recorded, and that it be as easy for the user to withdraw consent as to provide it in the first place. Where a field is populated using a drop-down list, that could be as simple as providing a “prefer not to say” option and making that the default. If something else appears in the user’s submission, you know that’s a result of them having made a positive choice to change the default. Similarly for free-text entry, the form field should be empty by default, with the user allowed to leave it that way.

This means consent to processing data from any of those fields is both positive and not a condition of providing the service. For the documentation requirement you need to record when the information was provided. To ensure you know what each user consented to, you need to keep a record of all changes to information provided on the input form and your published privacy policy. And you need a “manage my account” form that allows users to change their information and set any optional fields (and the database behind them) back to “prefer not to say”.
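The server side of such a form could look like the following sketch, an added example rather than code from any real service. The field names, the policy version strings and the in-memory store are all assumptions for illustration, and the form is assumed to submit every field each time.

```python
from datetime import datetime, timezone

DEFAULT = "prefer not to say"                # form default for every optional field
OPTIONAL_FIELDS = {"age_range", "job_role"}  # hypothetical consent-based fields
NECESSARY_FIELDS = {"email"}                 # hypothetical "necessary for contract" field


class ConsentStore:
    """In-memory stand-in for the account database plus an append-only consent log."""

    def __init__(self):
        self.profiles = {}  # user -> current field values
        self.log = []       # one entry per consent change; field names only, no values

    def _record(self, user, field, action, policy_version, now):
        self.log.append({"user": user, "field": field, "action": action,
                         "policy_version": policy_version,
                         "at": (now or datetime.now(timezone.utc)).isoformat()})

    def submit(self, user, form, policy_version, now=None):
        """Handle the registration form or the "manage my account" form."""
        missing = NECESSARY_FIELDS - form.keys()
        if missing:
            raise ValueError(f"missing necessary fields: {sorted(missing)}")
        profile = self.profiles.setdefault(user, {f: DEFAULT for f in OPTIONAL_FIELDS})
        for field in NECESSARY_FIELDS:
            profile[field] = form[field]
        for field in sorted(OPTIONAL_FIELDS):
            # Empty free text or an absent field counts as the default.
            new = (form.get(field) or "").strip() or DEFAULT
            old = profile[field]
            if new == old:
                continue
            # A value other than the default can only come from a positive choice,
            # and setting it back to the default overwrites the stored data.
            action = "withdrawn" if new == DEFAULT else "given"
            self._record(user, field, action, policy_version, now)
            profile[field] = new
        return profile

    def consented_fields(self, user):
        """Optional fields that currently hold data the user chose to provide."""
        profile = self.profiles.get(user, {})
        return sorted(f for f in OPTIONAL_FIELDS if profile.get(f, DEFAULT) != DEFAULT)
```

The log keeps the field name, the time and the privacy policy version in force, but not the value itself, so withdrawing consent leaves no copy of the data behind in the audit trail.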

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
