Guide: How to create a GDPR-compliant customer onboarding process

Data protection and GDPR

Data protection continues to be a hot topic on a global scale, even more so as personal data fraud, such as identity theft and phishing, is becoming increasingly problematic.

As authorities tighten their grip on GDPR breaches, a lot of companies and industries have been under scrutiny lately. IMY (Swedish Authority for Privacy Protection) is the Swedish supervisory authority that works to protect personal data, for example about health and finances, to make sure they are handled correctly and do not fall into the wrong hands. Companies like Spotify, Klarna and Kry are just a few of the companies who have been audited in the last 12 months by IMY, receiving reprimands or sanction fees as a result.

1. Purpose-based data usage

According to the GDPR personal data should only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Meaning, collecting data to "maybe use it at a later stage" or "maybe using it later on for a different purpose", for example, is highly questionable from a legal perspective. A clearly defined and well-documented purpose of usage is therefore the place to start when dealing with usage of personal data in your process.

2. Bare minimum approach to data collection

According to the principle of data minimization in the GDPR, you should adopt a mindset of only collecting and using as little data as possible. Data minimization is a principle that states that the data collected and processed, should not be held or further used unless this is essential for reasons that were clearly stated in advance. In the GDPR, this is defined as data that is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

In other words, only collecting the data you require to fulfill the purpose of your data usage, is required from a legal standpoint. Making sure that the purpose is crystal clear, documented and time-bound is crucial. A good place to start, is to ask yourself the following when setting up your process:

What data is required to build my process?
Is it possible to achieve the purpose without data collection?
Does the individual know I am collecting the data and why? (If not, how can I clarify this in my process?)
How am I planning to use this data, and for how long?
What happens to the data when it is no longer required?

Also worth noting, is that this approach to data collection is highly beneficial from the customer's or user's perspective, as the process becomes faster and smoother when you avoid unnecessary steps of data collection. Meaning, better CX while ensuring GDPR compliance.

3. Alternative ways of presenting personal data

IMY has identified and cracked down on processes such as checkout solutions or digital registrations, when built in a way that enables others to use it as a lookup service. For example, using someone else's social security number to obtain the person's address, due to an autofill feature in the process.

In light of this problem, IMY has developed alternative, approved ways of using and presenting personal data in these types of processes which include:

Login through e-identification or with secure password management.
The usage of data in the background, without presenting anything to the user.
Masking personal data so that the information can be confirmed by the user, but doesn’t risk revealing personal data to an unauthorized person.

Well, what about given consent then?

Consent is considered a legal basis for handling personal data, which also includes sensitive information. However, it is not easy for companies to use sensitive data even if they have obtained consent. The process must very clearly inform the users of what they agree to, otherwise the consent is not considered valid.

In addition, a person should be able to take their consent back just as easily as they gave it. Meaning, as a company you must have functions and systems in place to handle that, leading to more structure, processes and administration being required on your end to support this function.

4. Follow the principles relating to processing of personal data

As GDPR can seem extensive and complex, a good place to start in terms of ensuring compliance, is to follow the principles relating to processing of personal data below:

Article 5 - Principles relating to processing of personal data

Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes/…/ (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods /…/ (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-necessary	1 year
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
messagesUtk	5 months 27 days	HubSpot sets this cookie to recognize visitors who chat via the chatflows tool.
pll_language	1 year	The pll _language cookie is used by Polylang to remember the language selected by the user when returning to the website, and also to get the language information when not available in another way.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
__hstc	5 months 27 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_THG7SPKD18	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_84002038_1	1 minute	Set by Google to distinguish users.
_gat_UA-84002038-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to. (en)
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar sets this cookie to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	Hotjar sets this cookie to identify a new user’s first session. It stores a true/false value, indicating whether it was the first time Hotjar saw this user.
_hjIncludedInPageviewSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's pageview limit.
_hjIncludedInSessionSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's daily session limit.Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's daily session limit.
_hjTLDTest	session	To determine the most generic cookie path that has to be used instead of the page hostname, Hotjar sets the _hjTLDTest cookie to store different URL substring alternatives until it fails.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
hubspotutk	5 months 27 days	HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
nQ_cookieId	1 year	Albacross sets this cookie to help identify companies for better lead generation and more effective ad targeting.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_hjSession_2735549	30 minutes
_hjSessionUser_2735549	1 year
AnalyticsSyncHistory	1 month
cookielawinfo-checkbox-advertisement	1 year
cookielawinfo-checkbox-necessary	1 year
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
li_gc	5 months 27 days
nQ_userVisitId	30 minutes
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
cookielawinfo-checkbox-advertisement	1 year
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.

Data protection and GDPR

1. Purpose-based data usage

2. Bare minimum approach to data collection

3. Alternative ways of presenting personal data

4. Follow the principles relating to processing of personal data

More on GDPR

Would you like to know more?