Are Your Forms GDPR Compliant?
Published November 26, 2018

We’ve been talking about the GDPR for years at this point.
And while we’re sure that your site is already updated according to the new procedure, you might want to circle back and make sure that your web forms meet the new criteria as well.
From obtaining active consent to explaining why you need to collect personal data in the first place, there are a few things to consider when looking at your web forms.
Below, we’ll give you a quick refresher on the GDPR and why it matters, as well as some key elements you must include in all forms that collect personal data.
What is the GDPR and Why Does it Matter?
The General Data Protection Regulation, or GDPR, is the European Union’s regulation on how personal data is collected and processed.
To put it simply, it is a massive undertaking that has overhauled the data protection rules governing how organizations handle personal data about people in the EU. This includes the collection process, consent, and what they do with the data once it’s in their hands.
The new law, which took effect in May 2018, brings a standardized approach to how companies collect, control, and process data across the EU.
The GDPR also seeks to give residents more control over how their data is used. For a typical signup or contact form, that means obtaining the visitor’s consent before collecting their data (consent is one of several lawful bases the GDPR recognizes, and the one that applies to most marketing forms).
The regulation replaces the 1995 EU Data Protection Directive, which was written before the internet era came into its own.
The law addresses a long list of concerns, from breach notifications to opt-in consent, and increases fines for those who violate privacy and protection practices, as determined in the law.
As a result, businesses will need to permanently change how they collect data from customers, store that information, and use it moving forward.
The main changes here involve obtaining explicit consent from an individual. Informing visitors isn’t enough: forms must also capture an active action from the user, so there is proof of an informed decision.
Additionally, the GDPR gives users the right to erasure, often called the right to be forgotten. In other words, if someone requests that their data be deleted, or there is no longer a reason for an organization to keep it on file, it must be removed.
Penalties of Violating GDPR
Fail to comply with the GDPR and you’re looking at a whole mess of trouble. Fines for the most serious infringements can reach 4% of an organization’s total worldwide annual turnover or €20 million, whichever is higher.
That said, that is the maximum. The GDPR has a two-tier penalty structure (the lower tier tops out at 2% or €10 million), and regulators weigh the severity of the offense. A pre-ticked consent checkbox, for example, makes the consent invalid, but a fine for that alone is unlikely to get anywhere near the €20 million mark.
In addition to the financial burden of GDPR fines, other consequences spell disaster for companies that fail to comply.
For one, companies that do not comply risk reputational damage. In light of recent data breaches and the lack of transparency from companies like Facebook, non-compliance could open the floodgates for public scrutiny. Customers don’t like learning that their data is unprotected, and negative publicity can hurt your company’s future more than the fines.
With that in mind, there are a few things you should consider when looking at your forms.
1. Are You Obtaining Active Consent?
One of the most significant changes associated with the new law is that consent collected on your forms must be freely given, specific, informed, and unambiguous.
Consent must be obtained before collecting an email, a name, or any other personal information. This rule also applies to collecting any tracking information, such as location or cookies.
We’ve gone over this before, but the easiest way for visitors to give consent is by adding a checkbox to any forms that need to be compliant.
As we mentioned in a previous article on consent, the checkbox indicates agreement when checked, and it must be unchecked by default; a pre-ticked box does not count as consent. You’ll also need to include a consent title and a consent description.
In the below example, you’ll see the title, the checkbox label, and the description, which in this case, is a look at the terms and conditions.
A quick note about new contacts versus existing contacts: because older customers may have signed up before the rule change, you might want to send an update to your contacts letting them know about the policy change.
You probably received several emails from every company you’ve made contact with since the inception of the internet.
The reason for this is that any company with EU-based contacts that relies on consent needs GDPR-standard consent from everyone in its database, and consent gathered under the old rules often doesn’t meet that standard. If you haven’t already, send an email to everyone on your list that includes a link to update their preferences.
New contacts are pretty straightforward. Once you’ve updated your forms, new subscribers will be able to give explicit consent when they use your signup form.
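The consent handling described above, as an added example that is not Gravity Forms or WordPress code: the server treats a missing checkbox as "no consent" (an unticked HTML checkbox is simply absent from the POST body), rejects any value other than the one a ticked box sends, and stores a record of when consent was given and exactly which wording was shown. The field name `consent`, the value `"1"`, the policy text and version, and the sample POST bodies are all assumptions made for the example. The fingerprint also gives you the re-consent check from the previous paragraphs: a record made under older wording no longer covers the current text.

```python
"""Explicit consent on a signup form: validate the opt-in and keep evidence.

Added example, not Gravity Forms or WordPress code. The field names, the
policy text and version, and the sample POST bodies are constructed for
illustration; the form is assumed to render the box as
<input type="checkbox" name="consent" value="1"> with no "checked" attribute.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# The exact wording shown beside the checkbox, with a version. Changing the
# wording bumps the version, so older records no longer cover the new text.
CONSENT_POLICY = {
    "version": "2018-11",
    "text": "I agree to receive the monthly newsletter at the address above "
            "and I have read the privacy notice.",
}

# Constructed POST bodies: a ticked box, an unticked box (the browser sends
# nothing for it), and a value no ticked box would ever send.
POST_TICKED = {"email": "ana@example.com", "consent": "1"}
POST_UNTICKED = {"email": "ana@example.com"}
POST_TAMPERED = {"email": "ana@example.com", "consent": "yes"}

SAMPLE_TIME = datetime(2018, 11, 26, 12, 0, tzinfo=timezone.utc)


def policy_fingerprint(policy: dict) -> str:
    """SHA-256 over version and text, so a record proves which wording was shown."""
    blob = policy["version"] + "\n" + policy["text"]
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentRecord:
    subject: str             # identifier of the data subject (the e-mail given)
    form_id: str
    policy_version: str
    policy_fingerprint: str
    consented_at: str        # ISO 8601, UTC


def validate_consent(post: dict, field: str = "consent") -> Optional[str]:
    """Return an error message, or None when the visitor actively ticked the box.

    An unticked checkbox is absent from the POST body, so absence means "no
    consent"; never substitute a default. Only the exact value a ticked box
    sends is accepted, so a pre-filled or tampered value is rejected too.
    """
    value = post.get(field)
    if value is None:
        return "Please tick the consent box to submit this form."
    if value != "1":
        return "Unexpected consent value; submission rejected."
    return None


def record_consent(post: dict, form_id: str, policy: dict = CONSENT_POLICY,
                   now: Optional[datetime] = None) -> ConsentRecord:
    """Validate the submission and build the evidence stored with the entry."""
    error = validate_consent(post)
    if error is not None:
        raise ValueError(error)
    when = now or datetime.now(timezone.utc)
    return ConsentRecord(
        subject=post["email"],
        form_id=form_id,
        policy_version=policy["version"],
        policy_fingerprint=policy_fingerprint(policy),
        consented_at=when.isoformat(),
    )


def consent_covers(record: ConsentRecord, policy: dict = CONSENT_POLICY) -> bool:
    """True if a stored record matches the wording currently in use.

    Contacts whose record predates a wording change need to be asked again,
    which is the re-consent mail-out described above.
    """
    return record.policy_fingerprint == policy_fingerprint(policy)
```

Storing the fingerprint rather than only a boolean is the part that matters for proof: a "consented = yes" flag says nothing about what the person agreed to, while the version plus hash ties the record to the wording they actually saw.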
2. Are You Handling Data Requests Properly?
Another aspect of GDPR compliance is making sure that users can access their data at any time. This means customers can view, edit, or delete their account details on request.
We should mention that allowing users to view or edit submissions isn’t a core Gravity Forms feature. But, it is possible with third-party add-ons like GravityView by Katz Web Services, or Gravity Forms Sticky List by 13pixar.
Another workaround can be found inside the Personal Data tab in your form’s settings. This allows you to integrate form entries with the WordPress Export Personal Data tool. And from there, you can export the details to your customer.
As you’ll see in the image below, website owners can elect to retain, trash, or delete entries automatically.
Under the GDPR, websites may only keep personal data for as long as it is needed for the purpose it was collected for. So, you can choose to delete an entry after a certain number of days, as well as how long the entry stays in the trash after being removed.
3. Have You Stated Why You Need the Data?
Finally, you’ll also need to communicate to your users how you plan on using their data. Article 13 in the GDPR lays out the information you must provide at the point of collection.
To ensure compliance, include that information, or a link to your privacy policy, on each form on your website that collects personal data. Write policies in clear, accessible language, outlining why you need that information and what you plan on doing with it.
4. Do You Know Which Forms You Need to Worry About?
Okay, we briefly touched on this in the above section. But, we should point out that not every form is subject to the GDPR. Only forms that collect personal data must comply.
If you’re asking for a name, email, or other personal details, you need consent. So, an anonymous quiz or survey likely won’t need to be updated. However, anything that pertains to an e-commerce transaction or passes data on to other systems (think marketing integrations) needs to be compliant.
5. Consider the Storage Factor
Storage is one of the more complicated aspects of the GDPR. One easy way to achieve compliance is simply to avoid storing the data if you don’t need it.
However, that’s not a possibility in many cases.
If you do need to store information for further use, you must be able to provide a user with their personal data upon request and be able to wipe that record on demand.
As such, you’ll need to make sure you can find every record you hold about a given person quickly. You should always know where records go, and be able to prove compliance in the event a user revokes consent or you’re being audited.
6. Establish an Erasure Process
Using Gravity Forms can help you stay in compliance with the GDPR, as you’re completely in control of where your visitors’ data is stored. For one, our forms do not set cookies. Second, when users send data through Gravity Forms, that data is stored only in your own WordPress site’s database.
So, if your data ever leaves that database, it’s likely going to your email marketing account or something similar through an add-on. We recommend making a list of all the tools you connect to your forms and getting acquainted with how to remove records from each of them if needed.
In WordPress, the Erase Personal Data tool is going to be your best bet for, well, erasing personal data.
It’s important to note that the Erase Personal Data tool doesn’t remove data from your backup files. You’re on your own there. Website users will submit a request to remove their data and receive a message like the one we’ve included below.
That request is then forwarded to the site administrator, who confirms it. Once data is removed, it is permanently deleted from the WordPress database.
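The three data-lifecycle steps covered in sections 2, 5 and 6 (automatic retention, answering an access request, and erasing a person from every store that received a copy), as an added example that is not WordPress or Gravity Forms code. The in-memory form entries and the connected mailing-list store are constructed for the example; a real site would query the form plugin’s database and each add-on’s API instead. The erase step returns a report of which stores were touched and explicitly flags backups as not covered, since a database-level erase never reaches them.

```python
"""Retention, access and erasure across every store that holds form data.

Added example, not WordPress or Gravity Forms code. The in-memory form
entries and the connected mailing-list store are constructed for
illustration; a real site would query the form plugin's database and each
add-on's API instead.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed form entries, one per submission, as a form plugin might keep them.
ENTRIES: List[Dict] = [
    {"id": 1, "email": "ana@example.com", "created_at": "2018-05-20T10:00:00+00:00"},
    {"id": 2, "email": "bo@example.com", "created_at": "2018-11-01T09:30:00+00:00"},
    {"id": 3, "email": "ana@example.com", "created_at": "2018-11-20T08:15:00+00:00"},
]

# A connected tool that received copies of the data (e.g. a mailing list), keyed by e-mail.
MAILING_LIST: Dict[str, Dict] = {
    "ana@example.com": {"list": "newsletter", "status": "subscribed"},
    "bo@example.com": {"list": "newsletter", "status": "subscribed"},
}

NOW = datetime(2018, 11, 26, tzinfo=timezone.utc)


def purge_expired(entries: List[Dict], retention_days: int,
                  now: datetime = NOW) -> Tuple[List[Dict], List[int]]:
    """Apply a retention window: keep entries younger than it, list the rest for deletion."""
    cutoff = now - timedelta(days=retention_days)
    kept = [e for e in entries if datetime.fromisoformat(e["created_at"]) >= cutoff]
    purged = [e["id"] for e in entries if datetime.fromisoformat(e["created_at"]) < cutoff]
    return kept, purged


def export_personal_data(email: str, entries: List[Dict] = ENTRIES,
                         mailing_list: Dict[str, Dict] = MAILING_LIST) -> Dict:
    """Access request: gather everything held about one person, from every store."""
    return {
        "subject": email,
        "form_entries": [e for e in entries if e["email"] == email],
        "mailing_list": mailing_list.get(email),
    }


def erase_personal_data(email: str, entries: List[Dict],
                        mailing_list: Dict[str, Dict]) -> Tuple[List[Dict], Dict[str, Dict], Dict]:
    """Erasure request: remove the person from every registered store.

    Returns the updated stores (inputs are not mutated) and a report of what
    was removed where; the report is what you keep to show an auditor.
    Backups are listed as not covered, because a database-level erase never
    touches them.
    """
    deleted_ids = [e["id"] for e in entries if e["email"] == email]
    remaining = [e for e in entries if e["email"] != email]
    remaining_list = {k: v for k, v in mailing_list.items() if k != email}
    report = {
        "subject": email,
        "form_entries_deleted": deleted_ids,
        "mailing_list_removed": email in mailing_list,
        "backups": "not covered by this erase; purge separately",
    }
    return remaining, remaining_list, report
```

The point of routing every request through one function that knows all the stores is the list recommended in section 6: if a new add-on starts receiving form data, it is added here, so an erasure can never silently skip it.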
Wrapping Up
In the end, we hope that we’ve clarified what it means to be compliant with the GDPR. While it may seem daunting, the key things to remember are obtaining customer consent, making sure you know where data lives and how to delete it, and that you inform your visitors of their right to access or delete their personal information.