GDPR and Cloud-based Services

Published: Posted on



Link to Formstack site infographic

If you are using Formstack to collect and process personal data then you must ensure that the security options are enabled for each of your forms. This includes all three of:

SSL – Secure Sockets Layer for the website. If enabled, the URL starts with “https://” and the browser displays a padlock symbol.

Database encryption – ensures the data is encrypted in storage.

PGP – encrypts email notifications generated by Formstack,  unencrypted email with Formstack URL is likely to be blocked by SPAM email filters. Note that Formstack does not support the University’s S/MIME email encryption standard.

Your form is not GDPR-compliant unless these are enabled.

Retention and Disposal

You also need to think about data retention and disposal. This means being clear about the legal basis on which you are relying to justify the collection, processing and storage of personal data.

Don’t forget that you may only use the data for the purpose for which it was collected and must not reuse it for other purposes without proper justification.

If you are relying on the consent of the data subjects, you must make this explicit and provide a way for the subjects to withdraw their consent. The GDPR says that withdrawal of consent must be as easy as giving it in the first place.

You also need to define how long you want to keep the data, and this also depends on the legal basis, and ensure it is purged at the end of that period.  Formstack provide workflows to automate this and you should set up appropriate workflows for each form.  Otherwise you will have to remember to manually purge at the end of the defined period and risk being in breach of the GDPR if you do not.

Further information can be found on the Formstack website at


Leave a Reply

Your email address will not be published. Required fields are marked *