- Consent must be explicit, unbundled from other terms, and never pre-ticked — silence or a pre-checked box is not valid consent under GDPR.
- Data minimisation is the single biggest lever: only ask for fields you will actually use, and state why you're asking near the form.
- People have the right to access, export, and erase their data — your form workflow needs a real process for all three, not just a privacy policy paragraph.
- Sensitive data and file uploads (IDs, health information, financial documents) need extra care: encryption at rest, tighter retention, and a clear justification for collecting them at all.
- This is a practical starting checklist, not legal advice — GDPR obligations depend on your specific data flows and should be reviewed with a qualified professional.
If you collect data through a form — a signup, a lead form, a job application, a support request — and any of your respondents are in the EU or UK, GDPR applies to you. That sounds heavier than it usually is. Most of GDPR compliance for a typical form is a handful of concrete habits: ask for less, explain why, store it safely, and make it easy for people to get their data back or have it deleted.
This is a practical checklist for people building forms, not a legal brief. It covers the decisions that actually show up when you're designing a form: what to ask for, how to phrase consent, where the data goes, and what happens when someone asks you to delete it.
Start with a lawful basis
Before you build the form, know why you're allowed to collect the data. GDPR requires a lawful basis for processing personal data, and for most forms — signups, contact forms, lead capture — that basis is consent or legitimate interest. Consent is the safer default for anything marketing-related; legitimate interest can cover things like responding to a support request, where processing the data is the obvious and expected next step.
The test is simple: could a reasonable person look at your form and understand why you need each piece of information, without being told? If not, either add a short explanation or remove the field.
Make consent explicit, not implied
If you're relying on consent — for a newsletter, marketing follow-up, or sharing data with a third party — that consent has to be a clear, affirmative action. In practice, that means:
- Use an unticked checkbox for marketing consent. Never pre-tick it.
- Keep consent separate from your terms of service. "I agree to the terms" is not the same as "I agree to receive marketing emails," so don't bundle them into one checkbox.
- State plainly what the person is agreeing to — who will contact them, how often, and for what.
- Make it just as easy to withdraw consent later as it was to give it (an unsubscribe link, an account setting, or a support email that actually works).
This matters most on lead forms, where the temptation is to fold newsletter sign-up into the submit button. If you collect leads with forms, separate the act of submitting an enquiry from the act of opting into marketing — they are two different permissions.
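A small server-side handler for an enquiry form, written as an added example (not Formiqa's code) with a hypothetical payload shape, `MARKETING_STATEMENT` text and a `ConsentRecord` type: terms acceptance is required to submit, marketing consent comes only from its own opt-in field whose absence means "no", the exact statement shown is stored with the consent, and withdrawal is one call.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical statement shown beside the marketing checkbox; stored verbatim so you can
# later show what the person agreed to (who contacts them, how often, for what).
MARKETING_STATEMENT = "Email me product updates from Example Co, at most twice a month."

@dataclass
class ConsentRecord:
    email: str
    purpose: str
    statement: str
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None

class ConsentError(ValueError):
    pass

def process_submission(payload: dict, now: datetime):
    """Validate an enquiry payload; return (enquiry, ConsentRecord or None).
    Accepting the terms is required to submit. Marketing consent is a separate
    opt-in field: a missing or false value is "no", never a default "yes"."""
    if payload.get("accept_terms") is not True:
        raise ConsentError("terms must be accepted to submit the enquiry")
    enquiry = {"email": payload["email"], "message": payload["message"]}
    # Only the marketing checkbox itself grants marketing consent; the terms box never implies it.
    if payload.get("marketing_opt_in") is True:
        return enquiry, ConsentRecord(payload["email"], "marketing", MARKETING_STATEMENT, now)
    return enquiry, None

def withdraw(record: ConsentRecord, now: datetime) -> ConsentRecord:
    """Withdrawing is one call, as easy as giving consent; a repeat call keeps the first date."""
    if record.withdrawn_at is None:
        record.withdrawn_at = now
    return record

# Constructed sample payloads: one accepts the terms only, one also ticks the marketing box.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
TERMS_ONLY = {"email": "a@example.com", "message": "Pricing?", "accept_terms": True}
OPTED_IN = {**TERMS_ONLY, "marketing_opt_in": True}
```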
Collect less than you think you need
Data minimisation is the principle that does the most work with the least effort: only collect what you will actually use. It's also good form design — shorter forms convert better — so this is one of the rare cases where compliance and conversion point the same direction.
For every field, ask: what happens if we don't collect this? If the honest answer is "nothing," remove it. Phone numbers, company size, and "how did you hear about us" fields are common candidates — useful to have, but rarely necessary to ask for up front.
State the purpose near the form
GDPR expects you to be transparent about what you collect and why, and the clearest place to do that is right next to the form itself — not buried three clicks away. A single sentence above the fields ("We'll use this to reply to your enquiry within one business day") does more for trust and compliance than a link alone.
Always link to a full privacy policy from the form, even if you've summarised the purpose. The short statement sets expectations; the policy carries the legal detail — retention periods, third parties, and how to exercise data rights.
Secure the data you do collect
Once someone submits a form, the data needs to be stored securely — GDPR calls this "integrity and confidentiality," and in practice it means encryption, access control, and not keeping data longer than necessary. If your form accepts attachments, this applies with extra force: a resume, an ID scan, or a contract is more sensitive than a name and email.
If you collect file uploads through a form, check where those files are stored, whether they're encrypted at rest, and who has access to them. Formiqa stores uploaded files on Cloudflare R2 with encryption at rest, and respondents never need to create an account to submit a file — one less place their data has to live.
Set retention limits and actually delete data
"Keep everything forever" is not a retention policy — it's a liability. Decide, in advance, how long you need submissions for a given form (a job application might be 6 months; a one-off support request might be 30 days), write it down, and delete on that schedule. Old submissions you no longer act on are risk with no upside: they can't help your business, but they can be part of a breach.
- Set a retention period per form, not a single blanket rule for everything you collect.
- Export and archive anything you need for records before deleting the working copy.
- Review dormant forms periodically — a form you stopped promoting two years ago is still collecting and storing data if it's live.
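The retention routine the three points above describe, as an added example rather than Formiqa's own code, with hypothetical per-form periods in `RETENTION_DAYS`, an assumed `DORMANT_AFTER_DAYS` threshold, and constructed sample submissions: each form has its own period, a form with no written period is reported rather than silently deleted or kept, every expired submission is archived before the working copy is removed, and live forms nobody has submitted to in a year are flagged for review.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = {"job-application": 180, "support-request": 30}  # hypothetical, one period per form
DORMANT_AFTER_DAYS = 365  # assumed threshold for flagging a live form nobody submits to

@dataclass(frozen=True)
class Submission:
    id: str
    form: str
    submitted_at: datetime

def expired_submissions(submissions, now, retention_days=RETENTION_DAYS):
    """Return (ids past their form's retention period, forms with no written policy).
    A form with no retention period is a policy gap: none of its submissions are
    deleted, but its name is reported so someone sets one."""
    expired, missing_policy = [], set()
    for s in submissions:
        days = retention_days.get(s.form)
        if days is None:
            missing_policy.add(s.form)
        elif now - s.submitted_at >= timedelta(days=days):
            expired.append(s.id)
    return expired, sorted(missing_policy)

def dormant_forms(submissions, live_forms, now, dormant_after=DORMANT_AFTER_DAYS):
    """Live forms with no submission in `dormant_after` days: still storing data, probably forgotten."""
    latest = {}
    for s in submissions:
        latest[s.form] = max(latest.get(s.form, s.submitted_at), s.submitted_at)
    cutoff = now - timedelta(days=dormant_after)
    return sorted(f for f in live_forms if f not in latest or latest[f] < cutoff)

def enforce(submissions, live_forms, now, archive, delete):
    """Archive each expired submission, then delete it (an archive failure raises before delete runs)."""
    expired, missing = expired_submissions(submissions, now)
    by_id = {s.id: s for s in submissions}
    for sid in expired:
        archive(by_id[sid])  # keep a record copy before removing the working copy
        delete(sid)
    return {"deleted": expired, "missing_policy": missing,
            "dormant": dormant_forms(submissions, live_forms, now)}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [  # constructed sample submissions
    Submission("s1", "job-application", NOW - timedelta(days=200)),  # past 180 days: delete
    Submission("s2", "job-application", NOW - timedelta(days=10)),   # keep
    Submission("s3", "support-request", NOW - timedelta(days=30)),   # exactly 30 days: delete
    Submission("s4", "legacy-survey", NOW - timedelta(days=400)),    # no policy: flag, keep
]
LIVE_FORMS = ["job-application", "support-request", "legacy-survey", "old-campaign"]
```

`archive` and `delete` are whatever your storage offers (an export call and a delete call); the order matters, since the export must succeed before anything is removed.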
Support access, export, and erasure requests
GDPR gives people the right to ask what data you hold on them, get a copy of it, and have it deleted. For a small business, this doesn't require special software — it requires a process. When someone emails asking "what do you have on me," you need to be able to find their submissions, export them, and delete them without a multi-day scramble.
This is one reason a submission dashboard with search and export matters beyond convenience: it's how you fulfil an access or erasure request in minutes instead of digging through a spreadsheet or an inbox.
Treat sensitive data and file uploads with extra care
GDPR singles out "special category" data — health information, religious or political beliefs, biometric data, and similar — for stricter rules. Most forms should avoid asking for this outright. If your use case genuinely requires it (a health intake form, for example), you need a clear lawful basis beyond ordinary consent, and you should minimise how long that data is retained.
File uploads deserve their own scrutiny even when they're not "special category" — a signed contract, a passport scan, or a payslip is personal data with real consequences if it leaks. Only request the file type you actually need, and be explicit in the form about what it will be used for and how long you'll keep it.
Know your processors and where data goes
Every tool that touches your form data — the form builder, your email provider, your CRM, your file storage — is a processor, and GDPR expects you to know who they are and have a basis for using them. Most reputable vendors publish a list of their own sub-processors and a data processing agreement (DPA); read it once, understand roughly where data flows, and keep it on file.
International transfers are a related, higher-level question: if any processor stores or processes data outside the EU/UK, there needs to be a valid transfer mechanism in place (such as Standard Contractual Clauses). This is worth a direct conversation with your vendors rather than an assumption — ask where data is hosted and what safeguards apply.
Compliance isn't a badge you earn once. It's the accumulation of small, boring decisions — one field removed, one checkbox unticked by default, one retention date honoured — repeated across every form you publish.
A short pre-launch checklist
1. Every field has a stated reason someone could understand without asking.
2. Marketing consent is a separate, unticked checkbox — not bundled into terms or a submit button.
3. A privacy policy is linked from the form, not just from the site footer.
4. Uploaded files and stored responses are encrypted and access is limited.
5. You know how long each form's data is retained, and something actually enforces it.
6. You have a real process for access, export, and deletion requests.
7. Sensitive fields (IDs, health data, financial documents) are minimised or avoided entirely.
Where Formiqa fits
If you're deciding what Formiqa is and whether it fits a compliance-conscious workflow: forms are built with an unticked-by-default approach to any consent field you add, file uploads are encrypted at rest on Cloudflare R2, and every submission is exportable and deletable from your dashboard — so access and erasure requests are a few clicks, not a support ticket. None of that replaces legal advice, but it removes the technical excuses for cutting corners.
Frequently asked questions
Does GDPR apply if my business isn't based in the EU?
Is a pre-ticked newsletter checkbox ever acceptable under GDPR?
Do I need a Data Processing Agreement with every tool my form uses?
What's the difference between data minimisation and just having a short form?