Data protection and online forms: staying GDPR compliant – automatically

An applicant submits his documents. Although the position takes only six months to fill, the server is still storing his application data years later. A customer registers for a webinar, then doesn’t take part. Yet her contact details are still being stored indefinitely. A support ticket is closed, but the customer’s personal data is never actually erased.

Scenarios like this are common in many businesses. Not because they plan to misuse this data, but because manual data protection processes are time-consuming, error-prone and difficult to scale. The result is unnecessary risk, administrative overhead and potential GDPR violations.

Why manual data protection processes don’t work

The GDPR is very clear: personal data must be stored only for as long as is necessary to serve the intended purpose. In practical terms, this means regular checks must be carried out to see which data is still needed and which should be erased or anonymised.

These tasks quickly become too complex for a manual approach. Retention periods need monitoring, datasets need searching and records have to be processed individually. The more forms a company is using, the more difficult and convoluted this process becomes.

As a result, data is held on to for much too long ‘just in case’, retention periods are forgotten and teams waste valuable time on administrative chores instead of productive work.

Erase or anonymise – the right strategy for every use case

Form submissions don’t always have to be deleted. In many cases, it makes more sense to just anonymise personal data, and keep the factual content for use in reporting and optimisation activities.

Take an event registration, for example. Some of its particulars can be anonymised after the event, such as the name, email address and phone number, while details like participant numbers, fields of interest or feedback ratings can be retained for future planning. This lets companies comply with data protection requirements without losing valuable insights.

The best strategy to use depends on the individual use case.

  1. Job applications: Full erasure after application procedure ends or after six months
  2. Event registrations: Anonymisation of contact details after the event, retention of statistical data
  3. Support tickets: Anonymisation after closing the ticket, retention of technical details for quality control
  4. Newsletter subscriptions: Erasure after unsubscribing or a defined period of time

Adaptable automation instead of rigid processes

Modern form solutions make it possible to represent the various retention periods that may be needed. An application form, a contact request, a prize competition and a service process will all have different requirements here.

With Formcentric, companies can define standard data protection policies for all of their forms while setting up individual automation rules for specific processes. The rule with the shorter time period is applied automatically, ensuring that data protection always plays it safe.

As an example, your standard data protection policy might say that form submissions must be deleted after one year. However, you’ve also defined a six-month retention period for data from job application forms. In this scenario, application form data will be erased automatically after six months, while the annual rule will apply to all other forms.

Formcentric data protection automation – how it works

Formcentric offers two levels of data protection automation.

Standard data protection settings: At this level, you define organisational policies that apply automatically to all of your forms. Once set up, form submissions are erased or anonymised after the prescribed periods of time, without any manual intervention.

Form-specific automation: Individual rules can also be defined for forms with special requirements. These rules determine whether submissions are erased in full or if personal data is only anonymised instead.

In the case of anonymisation rules, you specify exactly which form fields contain the personal data. Only the data in these selected fields is automatically erased or replaced by placeholders – all remaining content is retained.

Full transparency is ensured by an integrated history function, which provides you with the details of each automation rule executed and how many submissions were affected. This makes internal and external audits easier, and provides useful records for data protection officers.
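
A minimal sketch of the rule resolution, field-level anonymisation and history count described above, added here as an example and not Formcentric's own code. The rule layout, form names, the `erase` action on the default rule and treating a submission as due once its period has fully elapsed are assumptions.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed rules: names, periods and layout are assumptions, not product config.
DEFAULT_RULE = {"days": 365, "action": "erase"}
FORM_RULES = {
    "job-application": {"days": 182, "action": "erase"},
    "event-registration": {"days": 30, "action": "anonymise",
                           "personal_fields": ["name", "email", "phone"]},
    "archive-request": {"days": 730, "action": "anonymise", "personal_fields": ["name"]},
}
PLACEHOLDER = "[anonymised]"

def effective_rule(form_id):
    """Return the rule with the shorter retention period (default wins ties)."""
    specific = FORM_RULES.get(form_id)
    if specific is None or DEFAULT_RULE["days"] <= specific["days"]:
        return DEFAULT_RULE
    return specific

def nightly_run(submissions, today):
    """Apply every due rule; return (remaining submissions, history counts)."""
    kept, history = [], Counter()
    for sub in submissions:
        rule = effective_rule(sub["form_id"])
        if sub["submitted"] + timedelta(days=rule["days"]) > today:
            kept.append(sub)                          # still inside its retention period
        elif rule["action"] == "erase":
            history[(sub["form_id"], "erase")] += 1   # dropped permanently
        else:
            if not sub.get("anonymised"):             # later runs must not recount it
                for field in rule["personal_fields"]:
                    if field in sub["data"]:
                        sub["data"][field] = PLACEHOLDER
                sub["anonymised"] = True
                history[(sub["form_id"], "anonymise")] += 1
            kept.append(sub)
    return kept, dict(history)

def sample_submissions():
    """Constructed submissions, meant to be evaluated against today = 2025-06-01."""
    return [
        {"form_id": "job-application", "submitted": date(2024, 11, 1),
         "data": {"name": "A. Example", "cv": "cv.pdf"}},
        {"form_id": "event-registration", "submitted": date(2025, 4, 1),
         "data": {"name": "B. Example", "email": "b@example.org", "rating": 4}},
        {"form_id": "contact", "submitted": date(2025, 1, 10), "data": {"name": "C. Example"}},
        {"form_id": "archive-request", "submitted": date(2024, 5, 1), "data": {"name": "D. Example"}},
    ]
```

Note the `archive-request` case: its form-specific rule is longer than the default, so the shorter default rule applies in full and the submission is erased rather than anonymised.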

Benefits for your business

Automated data protection processes have organisational, operational and strategic advantages for your company.

For your organisation:

  1. Legal peace of mind thanks to rigorous GDPR compliance
  2. Minimum exposure to liability and security risks
  3. Reduced costs for storage and administration
  4. Transparent and auditable data processes

For your teams:

  1. No manual monitoring of retention periods
  2. Significant time savings for administrative tasks
  3. Fewer sources of human error
  4. More resources for productive activities

For your customers:

  1. Responsible data handling inspires greater customer confidence
  2. Transparency about data storage and erasure procedures
  3. Reliable handling of formal requests for information/data erasure

Data protection as part of modern process automation

Data protection should not be seen as something separate that needs to be considered later on. Modern form solutions build data protection into digital processes from the outset.

With Formcentric, businesses can enter and manage form data efficiently in full compliance with data protection legislation: from input and processing to automated erasure or anonymisation. This creates an unbroken, audit-ready workflow that ensures compliance with data protection policies and legislation.

Data protection automation – FAQ

Have questions about data protection automation? We’ve prepared an FAQ to help you through the basics.

When data is erased, can it be restored later?
No. Data erasure is permanent: the affected data cannot be restored later on. Settings should therefore be checked carefully before activating this functionality.

What happens to data that has already exceeded the specified period?
If you set up an automation rule that affects earlier form submissions (i.e. their data is now older than the period in the rule), this form data is automatically erased or anonymised in the first nightly run after rule activation.

What happens if several automation rules are active?
If standard data protection rules are active alongside form-specific automation rules, then the rule with the shorter retention period applies. This ensures maximum compliance with data protection policies/legislation.

What does ‘anonymisation’ mean, exactly?
With anonymisation, the items of personal data in the selected form fields are either erased (i.e. fields become empty) or replaced by placeholders. The data removed from these fields is erased permanently, while the content in all other fields remains unchanged.

Which form fields should be selected as containing personal data?
Select all fields that allow information to be inferred about someone: name, email address, phone number, postal address, date of birth, social security ID and similar identifiers.

How long does it take to set up these automation rules?
Setting up automation rules typically takes only a few minutes. You specify the retention period, choose erasure or anonymisation, and then activate your rule. If you want to anonymise data, you also need to select the relevant form fields – but that’s all.

Does the setup procedure require any technical skills?
No. All of the setup work is completed within our user-friendly interface, with no coding or IT skills needed. You simply specify the periods and rules that you want to use, and Formcentric handles all of the technical aspects.

Summary: a practical and efficient way to automate data protection

Automated rules for erasing and anonymising form data help businesses achieve rock-solid compliance with the provisions of the EU GDPR. This approach cuts manual effort, reduces the likelihood of human error and makes your stored data audit-ready.

Setup is straightforward: specify your retention periods, decide whether data should be erased or anonymised, select relevant form fields – and that’s it. This establishes a systematic process for data protection without teams having to invest time in administrative chores.

As a result, data protection becomes an integrated part of day-to-day processes – and not an afterthought. Businesses can keep control of their data while honouring the rights of data subjects, and simultaneously establishing a clearly structured and auditable workflow.
