GDPR Controls Setup
Step-by-step guide to configuring GDPR-oriented controls for your forms.
This guide walks you through privacy controls that can support GDPR-oriented data handling in Mobyform forms. It is not legal advice and does not guarantee that your organization or a specific form is GDPR compliant.
Before You Begin
GDPR may apply if you collect personal data from individuals in the European Economic Area (EEA). Even if your organization is based outside the EU, GDPR can apply when you process data of EU residents.
Key GDPR principles that affect form design:
- Lawfulness — You must have a legal basis for collecting data
- Purpose limitation — Data must be collected for a specific, stated purpose
- Data minimization — Only collect data that is necessary
- Storage limitation — Do not retain data longer than needed
- Accountability - You must be able to demonstrate appropriate practices
Step 1: Enable Privacy Consent
Add a consent mechanism to your form so respondents explicitly agree to data processing.
- Open your form in the editor
- Go to "Form Settings" → "Privacy"
- Enable "Privacy Consent"
- Configure the consent options:
| Setting | Description |
|---|---|
| Consent Checkbox | Adds a required checkbox at the end of the form |
| Consent Text | Customize the consent message shown to respondents |
| Privacy Policy Link | Link to your organization's full privacy policy |
| Terms Link | Link to your terms of service (optional) |
Example consent text:
I consent to the collection and processing of my personal data
as described in the Privacy Policy. I understand I can withdraw
my consent at any time.
Step 2: Mark Sensitive Fields
Identify and mark fields that collect sensitive personal information. Marked fields receive additional access controls and encryption.
- In the form editor, click on a field that collects personal data
- Open the field's "Advanced Settings"
- Enable "Sensitive Field"
- Select the sensitivity category:
| Category | Examples |
|---|---|
| Personal Identity | Full name, ID number, passport number |
| Contact Information | Email, phone number, address |
| Financial Information | Bank account, credit card, salary |
| Health Information | Medical conditions, prescriptions, disability |
| Location Data | GPS coordinates, home address |
| Biometric Data | Fingerprints, facial recognition data |
Sensitive fields are:
- Encrypted at rest in the database
- Masked in the data management panel (e.g., john***@email.com)
- Excluded from data exports unless explicitly included by an admin
- Logged whenever accessed
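The three visible behaviours listed above (masking, export exclusion and access logging) are modelled in the sketch below. It is an added example, not Mobyform's code: the field names, the `mask` rule inferred from `john***@email.com`, and the audit record layout are all assumptions, and the sample row is constructed.

```python
from datetime import datetime, timezone

# Constructed field definitions: field name -> sensitivity category (None = not marked).
FIELDS = {"email": "Contact Information", "passport_no": "Personal Identity", "feedback": None}
SAMPLE_ROW = {"email": "johnsmith@email.com", "passport_no": "X1234567", "feedback": "Great form"}

def is_sensitive(name):
    # Fail closed: a field with no definition is treated as sensitive.
    return name not in FIELDS or FIELDS[name] is not None

def mask(value):
    """Display mask. Assumed rule, inferred from john***@email.com: keep at most
    four leading characters of an email's local part; hide anything else entirely."""
    if "@" in value:
        local, domain = value.rsplit("@", 1)
        keep = 4 if len(local) > 4 else 1  # never show a short local part in full
        return f"{local[:keep]}***@{domain}"
    return "***"

def log_access(audit, actor, action, field):
    audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                  "actor": actor, "action": action, "field": field})

def panel_view(row, actor, audit):
    """Data management panel: sensitive values are masked and the access is logged."""
    out = {}
    for name, value in row.items():
        if is_sensitive(name):
            log_access(audit, actor, "view_masked", name)
            value = mask(value)
        out[name] = value
    return out

def export_row(row, actor, is_admin, include, audit):
    """Export: sensitive fields are dropped unless an admin explicitly lists them."""
    if not is_admin and any(is_sensitive(n) for n in include):
        raise PermissionError("only an admin can include sensitive fields")
    out = {}
    for name, value in row.items():
        if is_sensitive(name):
            if name not in include:
                continue  # excluded by default
            log_access(audit, actor, "export_clear", name)
        out[name] = value
    return out
```

Treating undefined fields as sensitive means a field added to a form later is hidden until someone classifies it, rather than exposed by default.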
Step 3: Set Data Retention Policy
Configure how long form submission data is retained.
- Go to "Form Settings" → "Data Retention"
- Choose a retention policy:
| Policy | Behavior |
|---|---|
| Permanent | Data is never automatically deleted |
| Custom Period | Data is auto-deleted after a set number of days (e.g., 90, 180, 365) |
| Delete After Processing | Data is deleted once it has been processed or exported |
- Set the retention period if using "Custom Period"
- Enable "Notify Before Deletion" to receive a warning before data is purged
Data scheduled for deletion can be reviewed and extended if needed before the retention period expires.
Step 4: Configure Lawful Basis
Specify the legal basis under which you are collecting and processing data.
- Go to "Form Settings" → "Privacy" → "Lawful Basis"
- Select the applicable basis:
| Basis | When to Use |
|---|---|
| Consent | Respondent explicitly agrees to data processing |
| Contract | Data is needed to fulfill a contract with the respondent |
| Legal Obligation | Processing is required by law |
| Legitimate Interest | You have a justified business reason (requires balancing test) |
| Public Interest | Processing serves a public function |
| Vital Interest | Processing is necessary to protect someone's life |
For most forms collecting voluntary responses, Consent is the appropriate basis.
Step 5: Set Up Data Subject Request Handling
GDPR grants individuals rights over their data. Configure how these requests are handled.
- Go to "Settings" → "Privacy" → "Data Subject Requests"
- Enable the request portal
- Configure handling for each right:
| Right | Description | Configuration |
|---|---|---|
| Right of Access | Respondent can request a copy of their data | Set response timeframe (default: 30 days) |
| Right to Deletion | Respondent can request their data be deleted | Enable auto-deletion or manual review |
| Right to Rectification | Respondent can request corrections to their data | Enable self-service editing or manual review |
| Right to Restriction | Respondent can limit how their data is used | Enable processing restriction flag |
| Right to Portability | Respondent can receive their data in a portable format | Enable CSV/JSON export for respondents |
When a data subject request is received:
- The system logs the request with a timestamp
- The assigned admin is notified
- The admin reviews and processes the request
- A confirmation is sent to the requester
- The action is recorded in the audit log
Step 6: Run a DPIA Assessment
For forms that process high-risk data (large-scale processing, sensitive categories, systematic monitoring), a Data Protection Impact Assessment is recommended.
- Go to "Settings" → "Privacy" → "DPIA"
- Click "New Assessment"
- Complete the assessment questionnaire:
  - Describe the data processing activity
  - Identify the necessity and proportionality of processing
  - Assess risks to individuals' rights and freedoms
  - Document mitigation measures
- Save the assessment so it is stored with your privacy records
When DPIA Is Required
- Forms collecting health or biometric data
- Large-scale surveys targeting a broad population
- Forms that combine data from multiple sources
- Automated decision-making based on form responses
Step 7: Configure Breach Notification
Set up automated notifications for handling potential data breaches.
- Go to "Settings" → "Privacy" → "Breach Notification"
- Configure the notification settings:
| Setting | Description |
|---|---|
| Internal Alert | Email and in-app notification to designated privacy officers |
| Authority Notification | Template for notifying supervisory authorities within 72 hours |
| Subject Notification | Template for notifying affected individuals |
| Breach Log | Automatic logging of breach details, timeline, and response |
When a breach is reported:
- An internal alert is sent immediately to the privacy officer
- The breach is logged with date, scope, and affected data types
- If high risk, the authority notification template is prepared
- Affected individuals are notified with clear language about the breach and recommended actions
Audit Logs
Privacy-related actions are automatically logged and cannot be modified or deleted:
- Consent collection and withdrawal events
- Data access, modification, and deletion actions
- Data subject requests and their resolution
- DPIA assessments and updates
- Breach notifications and responses
- Admin access to sensitive fields
Access the audit log from "Settings" → "Privacy" → "Audit Log".
Compliance Checklist
Use this checklist to verify that key privacy controls have been configured:
- Privacy consent enabled with clear consent text
- Privacy policy linked in the consent section
- Sensitive fields identified and marked
- Data retention policy configured
- Lawful basis selected and documented
- Data subject request handling configured
- DPIA completed for high-risk forms
- Breach notification set up
- Team members trained on GDPR procedures
Next Steps
- GDPR Controls Reference - Detailed reference for privacy controls
- Data Management — Manage, export, and delete form data
- Collaboration — Control team access to sensitive data