GDPR: Web forms and consent

Tuesday, July 11, 2017 - 10:46

Looking at yet another of those web registration forms that seems to collect more data than required, it occurred to me that there might be quite a neat way to meet the General Data Protection Regulation's requirements for positive, recorded consent.

First step, as with anything under the GDPR, is to think about which information is really necessary to provide the service, rather than optional. Will the service actually break if I tell it I'm a seventeen-year-old wizard called Harry Potter? If not, that information isn't necessary and consent is the right basis for processing it. The remaining fields should be documented, and processed, under one of the Regulation's "necessary for..." clauses: most likely "necessary for the performance of a contract".

For the other, optional, fields, where consent is the appropriate basis, the Regulation requires that this be a positive choice by the user, that providing the information not be a condition of providing the service, that the user's choice be recorded, and that it be as easy for the user to withdraw consent as to provide it in the first place. Where a field is populated using a drop-down list, that could be as simple as providing a "prefer not to say" option and making that the default. If something else appears in the user's submission, you know that's a result of them having made a positive choice to change the default. Similarly for free-text entry, the form field should be empty by default, with the user allowed to leave it that way.

This means consent to processing data from any of those fields is both positive and not a condition of providing the service. For the documentation requirement you need to record when the information was provided. To ensure you know what each user consented to, you need to keep a record of all changes to information provided on the input form and your published privacy policy. And you need a "manage my account" form that allows users to change their information and set any optional fields (and the database behind them) back to "prefer not to say".
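As an added illustration of the approach described above (example code written for this page, not code from the post or from Jisc), here is a small Python model of the consent handling: required fields are stored under the contract basis, optional drop-downs default to "prefer not to say" and free-text fields to empty, consent is recorded (with a timestamp and the privacy policy version in force) only for optional fields the user positively changed, and a "manage my account" operation that resets a field to its default withdraws that consent and is logged. The field names, policy version strings and sample submission are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

PREFER_NOT_TO_SAY = "prefer not to say"

# Constructed schema (hypothetical field names). Required fields are processed
# under "necessary for the performance of a contract"; optional ones only with
# consent, so each has a default that means "nothing was volunteered".
REQUIRED_FIELDS = {"email", "username"}
OPTIONAL_DEFAULTS = {
    "age_band": PREFER_NOT_TO_SAY,   # drop-down: default option is "prefer not to say"
    "gender": PREFER_NOT_TO_SAY,     # drop-down
    "organisation": "",              # free text: empty by default
    "interests": "",                 # free text
}

# Constructed timestamp used by the demo below (the post's date).
SAMPLE_NOW = datetime(2017, 7, 11, 10, 46, tzinfo=timezone.utc)


@dataclass
class Account:
    data: dict                                    # what the service stores
    consents: dict = field(default_factory=dict)  # field -> when and under which policy
    history: list = field(default_factory=list)   # append-only log of every change


def _normalise(name, value):
    """Treat a missing value, whitespace-only text and the drop-down default as 'not provided'."""
    default = OPTIONAL_DEFAULTS[name]
    if value is None or (isinstance(value, str) and value.strip() in ("", default)):
        return default
    return value.strip() if isinstance(value, str) else value


def _log(account, event, now, policy_version, **extra):
    entry = {"at": now.isoformat(), "event": event, "policy_version": policy_version}
    entry.update(extra)
    account.history.append(entry)


def register(submission, policy_version, now):
    """Create an account from a form submission. Consent is recorded only for
    optional fields the user positively changed away from the default, so a
    submission with no optional data still succeeds."""
    missing = REQUIRED_FIELDS - submission.keys()
    if missing:
        raise ValueError(f"required fields missing: {sorted(missing)}")
    unknown = submission.keys() - REQUIRED_FIELDS - OPTIONAL_DEFAULTS.keys()
    if unknown:
        raise ValueError(f"fields not in the documented schema: {sorted(unknown)}")

    account = Account(data={k: submission[k] for k in REQUIRED_FIELDS})
    for name, default in OPTIONAL_DEFAULTS.items():
        value = _normalise(name, submission.get(name, default))
        account.data[name] = value
        if value != default:
            account.consents[name] = {"given_at": now.isoformat(),
                                      "policy_version": policy_version}
    _log(account, "register", now, policy_version,
         consented_fields=sorted(account.consents))
    return account


def update_optional(account, name, value, policy_version, now):
    """'Manage my account': setting a field back to its default withdraws
    consent; any other change is a fresh consent under the current policy."""
    if name not in OPTIONAL_DEFAULTS:
        raise ValueError(f"{name!r} is not an optional field")
    new = _normalise(name, value)
    if new == account.data[name]:
        return account  # nothing changed, nothing to record
    account.data[name] = new
    if new == OPTIONAL_DEFAULTS[name]:
        account.consents.pop(name, None)
        _log(account, "withdraw", now, policy_version, field_name=name)
    else:
        account.consents[name] = {"given_at": now.isoformat(),
                                  "policy_version": policy_version}
        _log(account, "update", now, policy_version, field_name=name)
    return account


def consented_fields(account):
    """Optional fields for which a positive consent is currently on record."""
    return sorted(account.consents)


if __name__ == "__main__":
    acct = register({"email": "hp@example.org", "username": "harry",
                     "age_band": "under 18", "gender": PREFER_NOT_TO_SAY,
                     "interests": "   "}, "privacy-v3", SAMPLE_NOW)
    print(consented_fields(acct))                              # ['age_band']
    update_optional(acct, "age_band", PREFER_NOT_TO_SAY, "privacy-v3", SAMPLE_NOW)
    print(consented_fields(acct), acct.history[-1]["event"])   # [] withdraw
```

The point of storing the default rather than the raw submission is that whitespace in a free-text box, or the unchanged drop-down option, never counts as consent; and because every register, update and withdraw entry carries the policy version, the history answers "what did this user consent to, and under which privacy policy" without having to reconstruct it later.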