The General Data Protection Regulation (GDPR) is a set of rules designed to give citizens in the European Union (EU) more control over their personal data. It also addresses the export of personal data outside the EU.

The GDPR applies to organizations located within the EU as well as those located outside of the EU if they offer goods or services to Data Subjects (individuals who are the subject of personal data) who live inside the EU.

Personal data is any information related to a natural person (or 'Data Subject') that can be used to directly or indirectly identify the person. If you intend to collect personal data, you must first obtain explicit consent from data subjects.

Every Data Subject must give their explicit consent through an active opt-in. An active opt-in requires an individual to give their consent through a clear affirmative action, such as ticking a checkbox. Soft or silent opt-ins (such as a checkbox that's already filled in) should be avoided.

You can easily obtain explicit consent on your form using a Yes/No field:

1. Add a Yes/No field to your form.
2. In the field settings, select the Checkbox type.
3. Make sure to include a message written in clear, easily understandable language (ex: "I agree to the terms and conditions") and set the field as required.

Please note that the GDPR also refers to "special categories of personal data," which require additional security. These include:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs, or trade union membership
• Genetic data or biometric data for the purpose of uniquely identifying a natural person
• Data concerning health or data concerning a natural person's sex life or sexual orientation

Check out our blog post to read our tips on how to design GDPR compliant online forms. Best practices include:

• Obtain explicit consent before collecting personal or sensitive data
• Enable data encryption to encrypt all personal or sensitive data at rest
• Link your privacy policy to ours
• Collect a minimal amount of data and delete when it is no longer required
• Allow data subjects to have their information erased or corrected