Web Insights
PII, or Personally Identifiable Information, refers to any data that can be used to identify an individual. This includes, but is not limited to:
Web forms are common tools for collecting user information for various purposes such as registrations, subscriptions, purchases or enquiries. We recommend the following best practices for web forms that collect PII:
This can done using a one to two sentence statement directly visible on the form above the submit button. Greater detail could be provided by linking to a separate privacy policy page.
This can be done using a checkbox alongside a statement of consent. The checkbox field would be required to be checked by the user before the form can be submitted.
When PII is stored in your website's database, it is essential to:
Our preferred form plugin (Craft Formie) has an option to encrypt form field data. We turn this on by default for forms initially created by us during the development process and we recommend you enable this for any future forms as well.
If multiple users are accessing the back-end of your website, we need to ensure that the right people have the right permissions, so access to the PII is limited.
We recommend jumping on board our maintenance plans to ensure your website CMS can be kept up to date and have regular check-ups. Find out more about how we keep your website up to date here.
Data retention policies should be defined and enforced to determine how long PII is stored. Only retain PII for as long as necessary to fulfill the purpose for which it was collected. For any web forms that store PII we recommend a 14 day data retention period.
It's important to ensure data deletion processes comply with relevant regulations (ie. GDPR). When a user requests for their data to be completely removed from your website storage system, you must be able to action this quickly and easily.
If your system sends email notifications containing PII, we recommend the following:
If your form data is being stored in the website database or connected directly to a CRM then your notification emails may not need to display the information.
Our websites and email sending systems do this by default so your emails are secure.
It's recommended to consider employing security and data retention policies surrounding your staff email accounts. Are your systems and email accounts protected by multi-factor authentication (MFA)? Does sensitive data stored in emails get purged after a certain amount of time?
When connecting your website to external systems such as Customer Relationship Management (CRM) platforms, ensure:
To enhance the overall security of PII on your website, we recommend adopting the following best practices:
Of course - we're always happy to talk further and help you with implementing these best practices.
Protecting PII is a shared responsibility between us and our clients. By understanding and implementing these practices, you can help safeguard your users' data, comply with regulatory requirements, and build trust with your audience. If you have any questions or need further assistance, please do not hesitate to contact us.
As your trusted website development and hosting partner, we prioritise the security and privacy of your users' data. This article outlines essential considerations for managing Personally Identifiable Information (PII) collected through public web forms on your website. Understanding these aspects will help ensure compliance with data protection regulations and maintain the trust of your users.
