I’m smiling because I know how this stuff goes. There have been TONS of emails and headlines about GDPR – the European Union’s new General Data Protection Regulation.
You’ve seen it on Facebook. You’ve seen it on Google Analytics.
You’ve seen it everywhere. Right?
Well, if not, that’s even better. ‘Cause this is super simple and not an issue, really.
It means that web developers (and CTOs) have to make sure their websites handle user data lawfully: get the user's consent before collecting it (a form submission is where most sites collect it), let users access, correct or delete what was collected, and protect what is stored.
Per usual, amazing companies like Mailchimp and Gravity Forms are making this super simple for WordPress Designers and Web Developers.
Your client will ask, so here’s the answer.
If you use Mailchimp, switch to their GDPR-friendly forms. The new form asks the user for consent, which is the part of GDPR compliance a business needs covered for a signup form.
Mailchimp simply provides embed code for this new form, so use it instead of the old one. 🙂
Boom, that was easy.
Gravity Forms, one of our very favorite tried-and-true WordPress plugins, provides more details and options for handling GDPR compliance on your website.
From this article:
The easiest way to comply would be to add a required checkbox to any forms that need to be compliant. Adding a simple checkbox field that states something along the lines of “I consent to my submitted data being collected and stored” will usually do the trick.
Be sure to make it a required field, and the first part is done. This way, you’ll know that every submission is compliant because without providing consent, the submission would not complete.
If you are also using a feed based add-on with your form, such as MailChimp, you can configure conditional logic on the feed so it will only be processed if the user has checked a checkbox field. See the Conditional List Subscriptions article for more details.
Part of GDPR compliance also requires that users are able to request access to their data at any time. To handle this, the data could be requested manually or automatically using either a bit of custom code, or an add-on such as GravityView. Data modifications would be as simple as editing the form entry.
The following third-party plugins can help with GDPR compliance; they also have integrations for Gravity Forms:
Can I prevent the IP address being saved in the entry?
The gform_ip_address filter can be used in the theme functions.php file or a custom functionality plugin along with the WordPress __return_empty_string function to replace the IP address with an empty string e.g.
If you would prefer not to use custom code the Encrypted Fields add-on by PluginOwl can be configured to remove or not store the IP address.
Can I encrypt the field values before they are saved to the entry?
We recommend using the Encrypted Fields add-on by PluginOwl to configure encryption of the field values.
Can I prevent Gravity Forms saving the entries to the database?
It’s important to note that GDPR does not prohibit saving personal data to the database; it just requires that you gain consent before doing so.
While you can’t currently prevent Gravity Forms saving the entries you can use custom code or a third-party add-on to delete them during submission, after the notifications and add-on feeds are processed. There are also add-ons which can automatically delete entries on a schedule. See the Delete Entry Data after Submission article for more details.
Can the user view or edit their own submissions?
Allowing the user to view or edit their own submissions is not a built-in feature of Gravity Forms but is made possible by third-party add-ons such as GravityView by Katz Web Services, Inc. or Gravity Forms Sticky List by 13pixar.
Are the entries sent to gravityforms.com?
No. The form submissions (entries) are saved to your site’s WordPress database. The data would only leave your site if you configure a notification email or an add-on to send it elsewhere.
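The two "custom code" answers above (suppressing the IP address with the gform_ip_address filter, and deleting the entry after notifications and feeds have run) fit in one small must-use plugin. This is an added example written for this post, not code from the Gravity Forms article or from the plugin itself; the form IDs in GF_GDPR_PURGE_FORM_IDS and the function name gf_gdpr_purge_entry are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: GF GDPR helpers (added example, not Gravity Forms' own code)
 *
 * Save as wp-content/mu-plugins/gf-gdpr-helpers.php, or paste the hooks into
 * a theme's functions.php. Form IDs below are assumed for illustration.
 */

// Assumption: only these form IDs should have their entries purged.
const GF_GDPR_PURGE_FORM_IDS = array( 1, 7 );

// 1. Do not record the submitter's IP address on any entry.
//    gform_ip_address receives the detected IP; __return_empty_string is a
//    WordPress core helper that always returns '', so an empty value is stored.
add_filter( 'gform_ip_address', '__return_empty_string' );

// 2. Delete the entry once notifications and add-on feeds have run.
//    gform_after_submission fires after Gravity Forms has sent notifications
//    and processed feeds that run at submission time. Priority 999 keeps this
//    callback behind other gform_after_submission handlers that need the entry.
add_action( 'gform_after_submission', 'gf_gdpr_purge_entry', 999, 2 );

function gf_gdpr_purge_entry( $entry, $form ) {
	if ( ! in_array( (int) $form['id'], GF_GDPR_PURGE_FORM_IDS, true ) ) {
		return; // leave entries of other forms alone
	}

	$result = GFAPI::delete_entry( $entry['id'] );

	if ( is_wp_error( $result ) ) {
		// A failed delete means the personal data is still stored, so log it
		// rather than silently carrying on.
		error_log( sprintf(
			'GF GDPR purge failed for entry %d: %s',
			$entry['id'],
			$result->get_error_message()
		) );
	}
}
```

Two caveats before using the delete hook. Feeds that are delayed until a payment completes run after this callback, so they will not find the entry; for forms with delayed feeds, use scheduled deletion instead. And deleting the entry removes the database copy only: any notification email already sent still carries the submitted data.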
Okay, so point being, if you’re a client or a web developer, you can keep doing what you’re doing, but starting May 25, 2018, you’ll need to account for GDPR in one of the above ways.
The simplest is to ask for the user’s consent via your form. But as you can see, you have other pretty simple options.