GDPR compliant forms are 100% free and do not require an additional plugin. Learn how GDPR affects your WordPress forms.
The EU General Data Protection Regulation (GDPR) comes into effect on 25th May 2018
This new legislation applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company's location. We look at how you can make your Formidable forms GDPR compliant.
The disclaimer...
First, a disclaimer: I'm not a lawyer and this isn't legal advice. Of course we have a vested interest in your success and want to help where possible. But if you need definitive legal advice, please talk to a lawyer.
I should also stress that this article is a simplified overview of the main points of GDPR compliance, and not an in-depth study. I recommend you read the information on the official GDPR website carefully and take note of details that may not be covered here.
Many thousands of our users collect data in WordPress forms every day. GDPR applies to the vast majority of those forms. Do a little research now and be prepared for the enforcement date next year.
If you're in Europe like me, you're probably already used to privacy laws and GDPR compliance will only require small changes. Outside of Europe, this may be a new concept. But don't stress, compliance isn't hard work!
What is GDPR?
The GDPR website states, "The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world." Protecting private data is something we are passionate about at Formidable and a cause we can get behind 100%.
GDPR applies to all companies processing personal data of people in the EU, regardless of the company’s location. This means that even if you're outside Europe, you need to take action.
The good news is that GDPR compliance for Formidable Forms is 100% free and does not require any additional plugins. Just a few simple tweaks to your existing forms and you're set.
The main GDPR requirements
Explicit Consent. GDPR requires that users give explicit consent BEFORE submitting personal data. This request for consent must be in clear, understandable, plain language, free from legalese.
It must be presented alone, not buried in with other "terms & conditions." Have a clear and accessible privacy policy that explains how this data will be used and stored. Consent must be as easy to withdraw as it is to give.
Right to Access. Provide a way for users to request access to, and view the data you have collected from them.
Right to be forgotten. Give users a way to withdraw consent and delete personal data collected from them.
How to comply
First, remember this does not apply to forms that do not collect or store personal data. If you're running an anonymous poll or quiz form that does not collect personal data, your forms are not affected.
Forms collecting information that can identify the person are affected. This includes information like names, photos, email addresses, bank details, posts on social networking websites, medical information, or IP addresses.
If you are not using Formidable yet, you can install free forms on your WordPress site. The free forms can be GDPR compliant too.
In Formidable, IP addresses are collected by default. As of version 2.05, you have the option to disable this IP tracking. Visit the Formidable -> Global settings page to stop IP addresses from being saved.
Step 1 - Request Consent
Requesting consent is as easy as adding a required agreement checkbox to the bottom of your form. Explain what data you are collecting and why. You can also include a link to a more detailed privacy policy.
Mark the checkbox as a required field and label it with something like "I consent to having Compu-Global-Hyper-Mega-Net collect my details via this form". Now the form will only submit when consent is given.
Step 2 - Right to access
The responsibility of associating submitted data with the submitter is 100% yours. The simplest way to do this is to require users to log in before submitting forms. When a form is submitted by a logged-in user it's easy to match their entries to their account. This can be used to filter a View, so users can see copies of all their form submissions. When the page is visited, a logged-in user will only see entries that they submitted. If they have permission to edit the entry, an edit link can be included too.
Step 3 - Right to Be Forgotten
Use a View to display a user's entries and include a delete link. This gives users the ability to log in and delete any data they have submitted. With the power of Front-end Editing, users can easily manage their own data on your WordPress site and remove all of their submitted info without your assistance.
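As an added illustration, not Formidable's own code (Formidable configures these steps through field settings and Views rather than hand-written code), here is a small Python model of the three steps above: a submission is rejected unless the consent box is ticked, the consent wording and time are stored with the entry so you can later show that consent was given, the IP address is only kept when a global setting allows it, and listing or deleting entries is filtered by the logged-in user's id on the server side rather than trusting an entry id in the request. All class and function names are hypothetical.

```python
"""Constructed model of consent, right to access and right to be forgotten
for form entries. Not Formidable code; every name here is hypothetical."""
import itertools
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Entry:
    entry_id: int
    form_id: str
    user_id: int            # the logged-in submitter, set server-side
    fields: dict
    consent_text: str       # exact wording the user agreed to
    consented_at: datetime  # when the box was ticked
    ip: Optional[str]       # None when IP saving is disabled


class ConsentRequired(Exception):
    """Raised when the required consent checkbox was not ticked."""


class NotOwner(Exception):
    """Raised when a user tries to act on someone else's entry."""


class FormStore:
    def __init__(self, save_ip: bool = False):
        # Mirrors a global "save IP addresses" setting (default off here).
        self.save_ip = save_ip
        self._entries: dict[int, Entry] = {}
        self._ids = itertools.count(1)

    def submit(self, form_id, user_id, fields, consent_text, consent_checked, ip):
        # Step 1: the form only submits when consent is explicitly given.
        if not consent_checked:
            raise ConsentRequired("consent checkbox must be ticked")
        entry = Entry(
            entry_id=next(self._ids),
            form_id=form_id,
            user_id=user_id,
            fields=dict(fields),
            consent_text=consent_text,
            consented_at=datetime.now(timezone.utc),
            ip=ip if self.save_ip else None,
        )
        self._entries[entry.entry_id] = entry
        return entry.entry_id

    def entries_for(self, user_id):
        # Step 2: a View filtered by the current user's id; the user never
        # supplies the filter value, the server does.
        return [e for e in self._entries.values() if e.user_id == user_id]

    def delete(self, entry_id, acting_user_id):
        # Step 3: the delete link carries an entry id, so re-check ownership
        # before removing anything. Returns False if the entry is gone already.
        entry = self._entries.get(entry_id)
        if entry is None:
            return False
        if entry.user_id != acting_user_id:
            raise NotOwner(f"user {acting_user_id} does not own entry {entry_id}")
        del self._entries[entry_id]
        return True


def demo():
    """Walk through the three steps with constructed sample data."""
    store = FormStore(save_ip=False)
    wording = "I consent to having Example Co collect my details via this form"
    try:
        store.submit("contact", 7, {"email": "a@example.test"}, wording, False, "203.0.113.9")
        refused = False
    except ConsentRequired:
        refused = True
    eid = store.submit("contact", 7, {"email": "a@example.test"}, wording, True, "203.0.113.9")
    own = len(store.entries_for(7))
    other = len(store.entries_for(8))
    try:
        store.delete(eid, 8)
        blocked = False
    except NotOwner:
        blocked = True
    deleted = store.delete(eid, 7)
    return {"refused": refused, "own": own, "other": other,
            "blocked": blocked, "deleted": deleted,
            "left": len(store.entries_for(7))}


if __name__ == "__main__":
    print(demo())
```

The ownership check in delete() is the part worth copying into any real implementation: a View can hide other people's entries, but the delete link still carries an entry id that an attacker could change, so the server must compare the entry's owner against the logged-in user before acting.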
Get more detail in part 2: 6 steps to GDPR compliance: right to access and be forgotten.
What to do now?
Before making changes, read through the official GDPR website. Get your information from the source and make a plan that allows your online presence to move into compliance.
Do you have any tips and tricks to make GDPR compliance easier? Let us know in the comments below.
Adam Helman says
Nicely put Nathanael.
One thing re "If you're in Europe like me, you're probably already used to privacy laws and GDPR compliance will only require small changes."
Folks need to understand that how you collect and store personal details on or via your website is just part of the GDPR. It goes *much* wider than that to be compliant, and the fines can be up to €20m (or 4% of an organisation's GLOBAL turnover). The Supervising Authority in any of those European regions can shut a business down there too.
If, for example, you send your mail list to an email handler (e.g. MailChimp) for processing email campaigns etc - if they mess up / get hacked, then your organisation is liable for the fines! Unless you have a GDPR style agreement in place with them confirming exactly what they are expected to do in terms of protection, usage etc.
Yours is a very helpful article, and definitely a step in the right direction (and you do suggest they check it out properly), but just thought it was worth pointing out that the GDPR looks at more than just consent on forms (so that folks do then check it out properly).
🙂
Chris says
Hey Adam, the first article I read about GDPR and you're the first commenter... how amazing is that? I said you should own this when we met in Exeter and it looks like you are.
My question is, how are small businesses and mom 'n' pop shops going to set up 'GDPR style agreements' with companies such as MailChimp? Is GDPR workable in the real world?
Johnny Rose Larsen says
Just as you point out, this is not legal advice, but I've been attending some courses for non-profit organisations. And the GDPR applies to anyone who keeps address lists (either using computers or paper) for anything other than personal use. When using US based companies, and to comply with GDPR, the company must be registered as compliant with the EU-US Privacy Shield. This is the case for e.g. Mailchimp. Companies registered can be viewed at PrivacyShield.
This will be true for as long as the European Court does not rule PrivacyShield invalid, as happened to SafeHarbour. Some lawyers state this may be expected.
If the court decides to do so, most US companies will not be compliant to GDPR and EU based organisations will be forced to stop using them.
I can add that the GDPR applies to information that can identify a single individual by any means possible, either now or in the future.
Adam Helman says
Chris - I'm so sorry for not replying sooner, I never got a notification, so only when I happened to come in here did I see your post nigh on 6 months later. I promise I wasn't ignoring you!
Re your question re small businesses and agreements with suppliers like MailChimp, it won't necessarily need to be all that onerous. At a very high level, an email to them asking what their GDPR compliance status is, is the first place to start. Likewise what specifically they are doing to be and remain compliant. Mostly you want to see that they are adequately and securely protecting your data and that they are not sending it anywhere without your consent.
If they are not compliant then ultimately you need to remove all your data from them (ensuring it really has gone) and move it elsewhere.
The middle ground is that they say they're not yet but have a roadmap to become compliant. You then have a decision to make as to whether you should wait or not.
Finally, assuming they say they are, ensure that their Privacy Policy and Ts&Cs reflect that (and then if you're happy, confirm in writing that you accept those Ts&Cs as dated whenever you do it.)
You can of course call them, but you ideally want a written record.
That's all very high level and all businesses are different - so general advice would still always be get legal advice confirming your own specific situation.
Adam Helman says
Oh and as Johnny points out, for US companies the PrivacyShield thing may well cover things (possibly), but not all your suppliers / vendors / service providers will be US based.
Richard says
One easy way: do not store collected data on the website but send the notification email instead for as many forms as possible. Personal data will only go to the email server.
Then if someone requests access / update / delete of personal data the web server itself will be one less variable to deal with.
I still have no idea how to find/process someone's personal data in the email server and all possible email clients. I think this is much more of a problem than dealing with web forms.
Ron Richardson says
Sending to a Mail Server means that the data may stay on that server indefinitely - and then sent to the recipient of that email and then stored on their business or personal computer. To be GDPR compliant how is that handled?
Maybe we keep the data in the website's database (WordPress DB) and only send a notification email that the contact info was submitted, and we view the data on the site.
Alex says
Hi, thanks for the article!
Just two points: The website you link to above as the "official GDPR website" is certainly not an official EU site, as it says in the footer.
And your comment form I'm writing in right now - it does not seem to be compliant 😉
You need to explain to me what you are doing with my data, and you need to consent. Your privacy policy does not contain the word "comment" though...
Cheers!
Steph Wells says
Hi Alex,
Thanks for bringing this up. WordPress is also working on an update (4.9.6) to cover comment forms in the blog, but updating the privacy policy is a good point.
Luis Brown says
There will be a lot more articles like this one coming out, and I think it's a good idea to get ahead of it. Once the time comes for FULL compliance, people will be scrambling for answers, and you will be one of the people they can turn to... well done.
Collins Agbonghama says
Happy to know Formidable forms is GDPR compliant.
Stefan says
Hi,
I think we shouldn't add a checkbox so that people consent to our contact forms. The reason is that it probably falls under legitimate interest.
If you include a checkbox, you should also give people the freedom to use the service (in this case sending the message) without collecting their personal data. According to the regulations, you should not deter people from using the service if they don't consent. However, that's what you are doing when you include a checkbox before people send the message.
You just can't let people contact you without collecting their email, because it doesn't make sense. So, that's why I think it's legitimate interest.
What are your thoughts on that?
Peter says
Hi Stefan,
Yes, Legitimate Interest is one legal way to collect data; however, it always needs to be balanced with the data subject's rights. And this is where some advice would be required, as this is a key grey part of the Regulation.
Also, Article 6 part 1b allows for legal processing when the data will be used to enter into a contract. Hence, consent is not required nor do you need to specify a legitimate interest. In this case you only need to specify how you will use the data (to book a room, to place an order, etc.) in your privacy policy.
Cheers.
Oliver says
Hi Nathanael,
thanks for the article and how-to. However, one of your main statements - Explicit Consent - is not true, at least not in general terms.
The point is often misunderstood: Article 6 expressly does not say that consent must always be given. It states that "at least one of the following applies" … followed by 6 points. Only one of them responds to a voluntary consent of the user.
On the other hand, there are even a number of disadvantages once the user has given his consent (e.g."the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data", see Article 7).
Dave says
Hi!
I've liked Formidable Forms over the years, and am trying it out again. It's very nice.
As you described, I was able to make a consent statement and a checkbox. I was not, however, able to have the checkbox unchecked by default, even though the documentation appears to allow that(?).
It's admittedly a fine point, but if you're going by the spirit of the law as opposed to just "strongly encouraging" someone to click through without actually checking the box, I don't think that's exactly legitimate.
Your thoughts?
Thanks, Dave
Nathanael Jones says
Hi Dave,
You should be able to set up the checkbox so it's not pre-checked.
Can you open a ticket in our helpdesk about this if you can't get this working on your site?
Chris says
According to the current GDPR clusterf#ck, the checkbox below the contact form MUST NOT be pre-checked when first accessing the page.
This isn't currently possible with the pre-existing options within Formidable Forms as the checkbox always comes out pre-selected when only having one item in the list of checkboxes (and of course there is only one item since there is nothing but "I agree to the terms and conditions etc.").
Nathanael Jones says
Hi Chris,
It is an option to have a single checkbox unchecked by default. If you're having trouble setting this up on your site can you please open a support ticket?
Best,