Blog
How to Create a GDPR-Compliant Lead Form (Plain English)
How to Create a GDPR-Compliant Lead Form (Plain English)
GDPR is one of those topics that everyone has heard of and almost no one has read. The text of the regulation is 88 pages of legal prose. The version your lawyer sends you is 30 slides. The version a compliance vendor sells you is a $20,000 platform.
For most small teams, this is overkill. If you collect a name and an email on a contact form, you do not need a 30-slide deck. You need a few practical changes that line up with the regulation.
This guide is the plain-English version: GDPR for forms in 90 seconds, the four must-haves on every lead form, and a sample privacy notice you can adapt. It is not legal advice — for any high-stakes scenario, talk to a lawyer. But for the standard B2B or B2C lead form, it covers the ground.
GDPR for forms in 90 seconds
GDPR is a European Union privacy regulation that took effect in 2018. It applies to any organization that processes personal data of EU residents, regardless of where the organization is based. A bakery in Idaho with a contact form that anyone in the EU can fill out falls under GDPR.
The regulation rests on two simple ideas:
- Personal data is the property of the person it describes. Collecting it requires a legal reason. Using it for something the person did not agree to requires a new reason. Storing it forever requires a justification.
- The person retains rights over their data. They can ask what you have, ask you to delete it, ask you to export it, and ask you to stop processing it. Your form must support those requests.
In practice, this translates into four things every form must do.
The 4 must-have elements
If your lead form covers these four points, you are 90% of the way to GDPR compliance.
1. Lawful basis
You must have a legal reason for collecting the data. For lead forms, the two most common bases are:
- Consent. The person actively agreed (checkbox, signed consent). Required for marketing follow-up.
- Legitimate interest. You need the data to respond to a clear request from the person (someone fills out a request a demo form, your legitimate interest is responding to the demo request). Sufficient for one-off response.
Most lead forms operate on a mix: legitimate interest for the immediate response plus consent for ongoing marketing.
2. Consent (when applicable)
If you intend to use the data beyond the immediate request — adding the lead to a newsletter, retargeting them with ads, sharing with a sister company — you need explicit, opt-in consent.
Two rules that trip up most teams:
- No pre-ticked boxes. Pre-checked consent boxes are not valid consent under GDPR.
- Specific, not blanket. "I agree to receive marketing communications" is OK. "I agree to the terms" is not. Each consent should be specific to a use.
A typical lead form has two checkboxes:
- Acceptance of the privacy policy (linked).
- Optional opt-in to marketing communications.
3. Retention
You cannot keep data forever just because it is convenient. GDPR requires a retention policy that is tied to the purpose of collection.
Practical patterns for lead forms:
- Lead that converted to a customer: keep as long as the business relationship lasts.
- Lead that did not convert: delete after 12 to 24 months of no activity.
- Newsletter subscriber: keep until they unsubscribe.
- Spam / disposable submission: delete immediately.
The key is having a written, applied policy. "We delete inactive leads after 24 months" is a fair, defendable policy. "We never delete anything" is not.
4. Data subject rights
The form (or a linked privacy policy) must explain how the person can:
- Request a copy of their data (right of access).
- Ask for it to be corrected (right to rectification).
- Ask for it to be deleted (right to erasure, or right to be forgotten).
- Object to processing or withdraw consent.
In practice, this is a single email address (privacy@yourcompany.com) that handles these requests. You do not need a portal. You need a documented process.
Building a GDPR form by describing it in Brieform
Here is the workflow.
From your AI client (Claude, ChatGPT, Cursor, or any MCP client), describe the form:
Lead form for a B2B SaaS. Fields: name, work email, company, role, what problem are you trying to solve. Add a GDPR consent field for the privacy policy and an optional checkbox for marketing newsletter consent.
The form is generated in about 10 seconds with the right field types. Brieform has a dedicated gdpr field type built specifically for consent capture — use it for the required privacy-policy agreement, plus a regular optional checkbox for marketing. Link the privacy-policy text to your own /privacy URL.
One final touch: add a one-line consent description above the checkboxes (use the sample below). You don't need to configure data residency — Brieform hosts all data in the EU (Frankfurt) by default, on every plan.
Done. Your form has the four must-haves, the data lives in the EU, and consent is properly captured.
Where to host & where data lives
Two questions matter for GDPR compliance:
Where is your form hosted? GDPR does not require EU hosting, but using EU-based infrastructure simplifies cross-border data transfer concerns. Brieform hosts all data in the EU (Frankfurt) by default — on every plan, including Free — with encryption in transit and at rest.
Who processes the data? Any third party touching the data is a processor under GDPR and must have a Data Processing Agreement (DPA) with you. For a DPA, reach out to Brieform at dany@brieform.app. Your CRM, email tool, and analytics tool also need DPAs in place.
For most small teams, the chain looks like:
- Form (Brieform, EU-hosted, DPA in place)
- → CRM (HubSpot, Salesforce, etc., DPA in place)
- → Email tool (Mailchimp, ConvertKit, etc., DPA in place)
If any link in the chain does not have a DPA, your compliance posture is weak. The fix is to either get the DPA, switch the tool, or stop sending the data there.
Sample privacy notice copy
Here is a starting template for the consent block on your form. Adapt to your actual practice.
Privacy notice. We will use the information you provide to respond to your request and, if you opt in below, to send you occasional updates about [Company]. You can unsubscribe at any time. We store your data on EU-based servers and do not sell it to third parties. For full details, see our Privacy Policy.
[ ] I have read and agree to the Privacy Policy. (Required)
[ ] I would like to receive marketing emails from [Company]. (Optional)
A few notes on the wording:
- The required checkbox covers the lawful basis (acceptance of the privacy policy).
- The optional checkbox covers ongoing marketing consent.
- The notice text covers retention (we will use) and data residency (EU-based servers).
- The link to the privacy policy carries the longer-form details (full retention timelines, data subject rights process, third-party processors).
This is not legal advice. Have a lawyer review before you ship anything that handles sensitive data (health, financial, regulated).
Common mistakes that get teams fined
Five patterns show up in most GDPR fines against small teams.
1. Pre-ticked consent boxes
Despite eight years of guidance, pre-ticked boxes are still on lead forms across the web. They are not valid consent under GDPR. A single user complaint to a Data Protection Authority is enough to trigger an inquiry.
Fix: all consent checkboxes are unchecked by default.
2. Bundled consent
"By submitting this form, you agree to our terms, privacy policy, and to receive marketing emails." This is bundled consent — three different uses wrapped into one click. Not valid.
Fix: separate checkboxes for separate uses.
3. Vague privacy notice
"We may use your data for legitimate business purposes" is not a privacy notice. The data subject must understand specifically what you are going to do with the data.
Fix: specific, plain-English notice. Match the words you use to the actions you take.
4. No retention policy
Keeping every lead forever is the easiest path. It is also the hardest to defend. Without a written retention policy, you have no answer to "why do you still have this 6-year-old lead's data?"
Fix: write a one-page retention policy. Apply it at least once a year.
5. Ignoring deletion requests
When a person asks for their data to be deleted, you have one month to respond. Ignoring the request is a direct GDPR violation. Many small teams have no process for handling these requests, so they pile up.
Fix: a single inbox (privacy@yourcompany.com), a documented checklist for handling deletions, and a calendar reminder to check the inbox weekly.
FAQ
Where does Brieform store form responses?
In the EU (Frankfurt), by default, on every plan including Free. All data is encrypted at rest and in transit, and you can export or request deletion of your responses at any time.
Is consent enough for marketing?
Yes, when collected properly. Consent for marketing must be specific (not bundled with other terms), opt-in (not pre-ticked), and revocable (the person can unsubscribe at any time). Brieform's default newsletter checkbox meets these requirements.
Can I add a custom privacy notice?
Yes. The consent block on every form supports custom copy and a link to your privacy policy. Use the sample above as a starting point and adapt the language to match your actual practice.
Is Brieform GDPR-compliant?
Brieform is GDPR-aligned: EU hosting (Frankfurt) by default, a native gdpr consent field, data deletion on request, and CSV export of all your responses on every plan. Compliance ultimately depends on how you use the tool — your form copy, your retention practice, and your downstream processors all matter. Brieform gives you the GDPR-ready building blocks; you assemble them into a compliant practice.
Disclaimer: This article is a plain-English overview, not legal advice. For high-stakes GDPR scenarios — sensitive personal data, automated decision-making, or cross-border data transfer arrangements — consult a qualified data protection lawyer.
Keep reading
How to A/B Test a Form (Without a CRO Team)
How to A/B test a form without a CRO team: the three variables that move the needle, how to split traffic in 5 minutes, and how to read the result by having your AI count responses via get_responses.
How to Embed a Form on Webflow, Framer, or WordPress
Step-by-step guide to embedding a Brieform form on Webflow, Framer, or WordPress with a simple iframe, a mobile checklist, and conversion tracking via a thank-you-page redirect in GA4 or Plausible.
How to Add Conditional Logic to a Form (No Code)
How to add conditional logic to a form without code: show/hide fields, skip steps, and branch paths by describing the rules in plain English, with tips to avoid the common traps.
