GDPR is almost here.
We use:
- Lead form to capture leads (name, email, project info, IP, not shown)
- Google Analytics
- Hubspot
- Hotjar
- FB Pixel
Is it enough to:
- create a "legal notice" indicating the tools used on our website, accessible from our website
- create an internal document explaining where each piece of data can be found (most of it is anonymous besides what is captured through the lead form)
Do we need to do anything else? Like a "checkbox" on our lead form page about communicating the lead data to us, etc?
You will need a privacy policy setting out the tools you use, the data they collect and the options to object to the collection. Additionally, you will need to give notice of the right to deletion and rectification as well as the contact point for data protection issues. If the GDPR applies to you then you must also enter into data processing agreements with your processors as well as maintain a processing register.
Of course, the first part of the process is to identify which personal information you are holding and for what purpose.
Based on that you'll have to do an impact assessment and map where all that info is going (I assume you use third parties like Google Apps or Dropbox). You need to collect Data Protection Agreements which should cover GDPR and of course update your privacy policy.
On the technical side, you need to have appropriate security for protecting such information (such as using encryption on your laptop, or making sure you have "https" on your site when submitting information).
The process is, of course, longer than that, but that gives you an idea. Depending on your size it would be a good idea to bring in an external consultant to help you with the process. The UK ICO has good information about what you have to do.
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
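The answer above mentions making sure the lead form is submitted over "https". As an added example (not code from the original thread or from any of the tools named in it), here is a small offline check: it parses a constructed HTML page with Python's standard library, resolves every form action against the page URL, flags any form that would post over plain HTTP, and checks a constructed set of response headers for an HSTS header. The page URL, HTML and headers are sample inputs constructed for the example; point the functions at your real page source and headers to use it.

```python
"""Offline check that a lead form submits over HTTPS.

Added example, not from the original thread. It parses a constructed
HTML page with Python's standard html.parser, resolves each <form action>
against the page URL, and flags any form that would post over plain HTTP.
It also checks a constructed set of response headers for HSTS.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionCollector(HTMLParser):
    """Collect the action attribute of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            attr_map = dict(attrs)
            # A form with no action posts back to the page URL itself.
            self.actions.append(attr_map.get("action") or "")


def insecure_form_targets(page_url, html):
    """Return the absolute submit URLs of forms that are not https."""
    parser = FormActionCollector()
    parser.feed(html)
    bad = []
    for action in parser.actions:
        # Relative and scheme-relative actions inherit the page's scheme.
        target = urljoin(page_url, action)
        if urlsplit(target).scheme != "https":
            bad.append(target)
    return bad


def has_hsts(headers):
    """True if a Strict-Transport-Security header with a max-age is present."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return "max-age=" in value.lower().replace(" ", "")
    return False


# Constructed sample page: the first form posts to a plain-http endpoint
# (a leak of lead data in transit), the second uses a relative action and
# therefore inherits the page's https scheme.
SAMPLE_PAGE_URL = "https://example.com/contact"  # assumed, constructed
SAMPLE_HTML = """
<html><body>
<form method="post" action="http://example.com/lead">
  <input name="name"><input name="email">
</form>
<form method="post" action="/lead">
  <input name="project">
</form>
</body></html>
"""
# Constructed response headers for the sample page.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}


def audit(page_url=SAMPLE_PAGE_URL, html=SAMPLE_HTML, headers=SAMPLE_HEADERS):
    """Summarise the two checks for one page."""
    return {
        "insecure_forms": insecure_form_targets(page_url, html),
        "hsts": has_hsts(headers),
    }


if __name__ == "__main__":
    result = audit()
    for url in result["insecure_forms"]:
        print("form posts over plain HTTP:", url)
    print("HSTS present:", result["hsts"])
```

A form whose action is a plain `http://` URL sends the visitor's name and email in the clear even when the page itself was loaded over HTTPS, so that is the case the check is built to catch; HSTS then stops a browser from being downgraded to HTTP on a later visit.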