On May 25th, the EU General Data Protection Regulation — commonly referred to as the GDPR — will come into effect. This new law regulates how companies and individuals can collect, use, and disclose personal data from EU residents — whether or not those companies are based in Europe.
Here at Webflow, we’re totally into it. The GDPR constitutes a huge step forward in protecting people from privacy and data breaches, and it establishes a new baseline for obtaining clear consent when collecting personal data. The GDPR provisions compel companies to include privacy protections in everything they do from the start, not as an afterthought. And that’s just how it should be.
A vital disclaimer
The following is for general information purposes only and may not be relied upon as legal advice. You should talk to a licensed attorney before relying on any information here.
–Our lawyers
With that out of the way, let’s dive in ...
Who the new GDPR rules affect
The GDPR applies to any company that collects, retains, and/or otherwise processes personal data from residents in the European Economic Area (“EEA” or “EU”). That includes Webflow — and some of you.
In fact, anyone who hosts a website that can have even a single EU visitor is impacted by this law.
That’s because any company that acts as a data controller or data processor of any EU residents’ personal data is subject to the new law.
Now let’s define those three terms — “personal data,” “data controller,” and “data processor” — to see if we can make that sentence a little more sensible.
What “personal data” is
The GDPR has a broad definition for this term, and it generally encompasses any and all information about a specific person, including:
- Name
- Email address
- Date of birth
- Physical address
- Profile photo
- Social media username
Or any other information that can lead to identifying a real person.
What a “data controller” is
A data controller is a person or company that collects personal data and decides:
- What information is collected
- How that information is collected
- How that information is used down the line
Webflow is a data controller of Webflow users’ personal data. And customers — such as yourself — who create and host Webflow sites are the data controllers of the information gathered by their hosted sites, whether via form submissions, Google Analytics, or another analytics app integration.
The data controller has the most responsibilities under GDPR, and must make sure that proper consent, where necessary, is obtained before storing or using personal data.
What a “data processor” is
A data processor is a person or company that processes personal data on behalf of a data controller.
Because we have no control over the data our hosting customers collect or how they use it, Webflow is the data processor of personal data collected via websites hosted on our platform.
As processors, we’re committed to supporting your GDPR compliance.
What we’re doing to get ready for the GDPR
We’ve been doing a lot of work behind the scenes to get ourselves ready for GDPR and to help our customers meet their new obligations under the GDPR.
Some of the things we’re working on include:
- Applying for certification with the EU-US and Swiss-US Privacy Shield Frameworks — we’re awaiting approval and will update our customers once we receive a status update
- Auditing all our vendors that store or process personal data to ensure they’re on track with preparing for the GDPR
- Updating our Data Processing Agreements with vendors to include GDPR-required provisions
- Creating and documenting an internal process and governance structure for handling requests from data subjects, including requests for data access and deletion
- Creating an internal security and privacy training program to ensure that we continue to protect and secure personal data, which will help set the stage for other important security certifications in the future, such as ISO 27001
- Drafting a clear cookie policy that outlines the cookies Webflow uses to operate and improve our services — we’ll also be making some changes to our cookie notifications to highlight this policy once it’s published
- Allowing customers to specify a Data Protection Officer (DPO) or EU Member Representative for each Webflow project, so we can contact the right person if one of our hosted sites receives a request for data we process but do not control
- Working on updating our Terms of Service and Privacy Policy to clarify how we collect, use, and disclose personal data as required by the GDPR
In short, rest assured that our internal practices, legal agreements with vendors, and security measures are being updated in preparation for the GDPR. We’ll let you know when we make any changes or updates you should know about.
What you should do to prep for the GDPR
If you host websites that collect personal data from EU residents — e.g., via form submissions or third-party scripts — you have responsibilities as a data controller. Some steps you can take include, but are not limited to:
- Understand your responsibilities as a data controller, and take steps to abide by the GDPR. This data protection self-assessment checklist can be helpful.
- If you’re creating forms that request personal data in Webflow, make sure to clearly ask for and get consent, unless another lawful basis for processing applies.
- If you’re creating websites for clients that collect personal data on their websites, make sure your clients understand their responsibilities as a controller of that personal data.
- If you’re using third-party tools (e.g., Zapier) to connect your Webflow forms to external data sources and are sending personal data using those integrations, make sure to review your responsibilities as a data controller.
- If you include third-party services on your website that use cookies to track website visitors, you should consider creating a GDPR-compliant cookie policy for your website. Cookies can be considered personal data if they can identify an individual. Tools like Cookiebot can help get you started.
GDPR’s impact on exported sites
When assessing the requirements of the GDPR, we determined that exported websites that send form submissions to Webflow servers were too difficult to maintain in the future, given our added responsibilities as a data processor. For example, exported form submission code can be manipulated to indicate that consent was given, while visually hiding a checkbox that asks a website visitor for that consent. So we’ve decided to start phasing out the ability to capture form submissions that arrive from exported sites.
This means that, starting on May 25, 2018, sites exported from Webflow will have the form submission source code removed, and exported code will need to be manually hooked up to another mechanism or service to capture form submissions.
If this change will affect any of your sites, you might want to look into sending form submissions via MailChimp, or other third-party tools like Formstack or Wufoo. Here are some general instructions on using third-party tools for managing form submissions.
For sites that were exported before May 25th, we’ll continue to record form submissions until July 31st, 2018, to give site owners time to transition. After that point, form submissions for exported sites will no longer be stored on our servers.
What’s next?
Early next month, we’ll be updating our Terms of Service and Privacy Policy to include additional data processing and security handling terms — all designed to make clear:
- What personal data we collect
- What we use the data for
- How we keep it secure
- Your rights to access and control your data
- Webflow’s responsibilities as a data processor for websites hosted on our platform
These new terms will come into effect on May 25th, and you will need to accept them to keep using Webflow.
Despite what our lawyers keep telling us, we’re also going to keep up our tradition of providing plain-English versions of all of the new and changed terms to make them easier to understand — because, let’s face it, we all read those darned things top to bottom, right?
We’re also working on additional content for our blog and Webflow University to help our customers comply with EU data subject rights. Stay tuned for those in the coming weeks!