What we’re doing to get ready for the GDPR
We’ve been doing a lot of work behind the scenes to get ourselves ready for the GDPR and to help our customers meet their new obligations under it.
Some of the things we’re working on include:
- Applying for certification with the EU-US and Swiss-US Privacy Shield Frameworks — we’re awaiting approval and will update our customers once we receive a status update
- Auditing all our vendors that store or process personal data to ensure they’re on track with preparing for the GDPR
- Updating our Data Processing Agreements with vendors to include GDPR-required provisions
- Creating and documenting an internal process and governance structure for handling requests from data subjects, including requests for data access and deletion
- Creating an internal security and privacy training program to ensure that we continue to protect and secure personal data, which will help set the stage for other important security certifications in the future, such as ISO 27001
- Allowing customers to specify a Data Protection Officer (DPO) or EU Member Representative for each Webflow project, so we can contact the right person if one of our hosted sites receives a request for data we process but do not control
In short, rest assured that our internal practices, legal agreements with vendors, and security measures are being updated in preparation for the GDPR. We’ll let you know when we make any changes or updates you should know about.
What you should do to prep for the GDPR
If you host websites that collect personal data from EU residents — e.g., via form submissions or third-party scripts — you have responsibilities as a data controller. Some steps you can take include, but are not limited to:
- Understand your responsibilities as a data controller, and take steps to abide by the GDPR. This data protection self-assessment checklist can be helpful.
- If you’re creating forms that request personal data in Webflow, make sure to clearly ask for and get consent, unless another lawful basis for processing applies.
- If you’re creating websites for clients that collect personal data on their websites, make sure your clients understand their responsibilities as a controller of that personal data.
- If you’re using third-party tools (e.g., Zapier) to connect your Webflow forms to external data sources and are sending personal data using those integrations, make sure to review your responsibilities as a data controller.
GDPR’s impact on exported sites
When assessing the requirements of the GDPR, we determined that exported websites that send form submissions to Webflow servers were too difficult to maintain in the future, given our added responsibilities as a data processor. For example, exported form submission code can be manipulated to indicate that consent was given, while visually hiding a checkbox that asks a website visitor for that consent. So we’ve decided to start phasing out the ability to capture form submissions that arrive from exported sites.
This means that, starting on May 25, 2018, sites exported from Webflow will have the form submission source code removed, and exported code will need to be manually hooked up to another mechanism or service to capture form submissions.
If this change will affect any of your sites, you might want to look into sending form submissions via MailChimp, or other third-party tools like Formstack or Wufoo. Here are some general instructions on using third-party tools for managing form submissions.
For sites that were exported before May 25th, we’ll continue to record form submissions until July 31st, 2018, to give site owners time to transition. After that point, form submissions for exported sites will no longer be stored on our servers.
- What personal data we collect
- What we use the data for
- How we keep it secure
- Your rights to access and control your data
- Webflow’s responsibilities as a data processor for websites hosted on our platform
These new terms will come into effect on May 25th, and you will need to accept them to keep using Webflow.
Despite what our lawyers keep telling us, we’re also going to keep up our tradition of providing plain-English versions of all of the new and changed terms to make them easier to understand — because, let’s face it, we all read those darned things top to bottom, right?
We’re also working on additional content for our blog and Webflow University to help our customers comply with EU data subject rights. Stay tuned for those in the coming weeks!