What is the GDPR?
The GDPR — or General Data Protection Regulation — is part of a new set of rules and regulations implemented alongside the Data Protection Act 2018 which places legal obligations on data controllers (that’s people receiving or processing personal data) who work with people based within the EU. In short, if you collect, collate or receive personal data (names, addresses, etc.: anything that identifies an individual) from people within the EU, you need to comply with the GDPR.
Is Jem’s Mail Form GDPR compliant?
Jem’s Mail Form is neither compliant nor non-compliant. The GDPR regulates how data is stored and processed rather than the method of transmitting it. The mail form takes an entirely voluntary submission and sends it to the specified recipient; what the data is collected for, how it is stored, and whether and where it is kept are what become crucial under the GDPR.
Should I be encrypting mails sent via mail form to be compliant?
The GDPR does not require mail form submissions to be encrypted. The ICO advice on encryption is as follows:
Pseudonymisation and encryption are specified in the GDPR as two examples of measures that may be appropriate for you to implement. This does not mean that you are obliged to use these measures.
— ICO guide to the GDPR – Security (emphasis my own)
Encryption is heavily encouraged for topics of a particularly personal nature — medical or legal enquiries for example — but is not mandated. When it comes to sending email, 100% encryption is not actually possible: mail header data is sent between servers in plain text so that the servers can route each message to the appropriate address.
Can I use JMF to opt people into my newsletter and still comply with the GDPR?
Yes, it is possible to use Jem’s Mail Form (either in part or alongside other mail form fields) to subscribe people to a newsletter as long as the person signing up knows what they’re signing up for and explicitly consents to receiving newsletters/marketing emails from you. Make it clear:
- the name of your company, or your own name if you’re a sole trader or blogger, for example
- the name of any third party controllers who will rely on the consent (this may include mentioning applications that you use to store/send newsletters, such as Mailchimp etc)
- why you want the data (to be able to send newsletters)
- what you will do with it
- that individuals can withdraw consent at any time (email newsletters and similar marketing mails should have a clear unsubscribe option)
General use mail forms, e.g. a contact form used by a customer sending an enquiry with the intention of receiving a response, do not need explicit consent to reply, as that is a given: it is literally the purpose of the form and is therefore classed as “legitimate interest”. This is based on the assumption that the data from your mail form goes directly to your inbox, where it will be responded to and then later deleted.
If you process and/or store this data in a CRM (Customer Relationship Management tool/app/software/whatever), archive or keep emails long term, or wish to use it to market to someone at a later date, you need explicit consent to process and store the data.
The premium version of Jem’s Mail Form uses a session cookie containing a random string to prevent multiple submissions of the form. This session cookie in no way identifies a user, nor does it contain any personally identifiable data and therefore does not require explicit consent to be set.
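To illustrate the kind of mechanism described above, here is an added example of a single-use submission token kept in a PHP session. It is not Jem’s Mail Form’s own code; it assumes a PHP form handler and shows that the token is a random string carrying no personal data, so the cookie only ever holds an opaque session id.

```php
<?php
// Added illustration (not Jem's Mail Form's code): a one-time submission
// token stored in the PHP session. The browser's cookie carries only the
// session id; the token is random and contains no personal data.
session_start();

// Issue a fresh token when rendering the form.
function issue_form_token(): string {
    $token = bin2hex(random_bytes(32));        // random, not derived from user data
    $_SESSION['form_token'] = $token;
    return $token;
}

// Check the submitted token and consume it, so a page reload or a
// double-click cannot submit the same form twice.
function consume_form_token(?string $submitted): bool {
    $expected = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);            // single use, whatever the outcome
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted); // constant-time comparison
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consume_form_token($_POST['form_token'] ?? null)) {
        http_response_code(400);
        exit('Form already submitted or token missing.');
    }
    // ... validate the fields and send the mail here ...
    exit('Thanks, your message has been sent.');
}

$token = issue_form_token();
?>
<form method="post" action="">
  <input type="hidden" name="form_token" value="<?= htmlspecialchars($token, ENT_QUOTES) ?>">
  <label>Your message <textarea name="message" required></textarea></label>
  <button type="submit">Send</button>
</form>
```

Because the session holds only the random token, clearing the session or letting it expire discards nothing that could identify the visitor.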