The internet is buzzing with panic about GDPR compliance at the moment, and rightly so: the deadline is nearly here. But is GDPR compliance really that hard? We've got the info you need to make your Formidable forms GDPR compliant!
GDPR compliance is all about protecting privacy
This is something that we at Formidable support 100%. But protecting privacy in an information-driven world has its complications!
Before you continue reading, start with part 1: how to make GDPR Compliant WordPress forms. You'll learn more about how to get "explicit consent" from users submitting your forms and the basics of the "Right to Access" and "Right to be Forgotten". Today I want to delve deeper into those last two points, and give a step by step guide to meeting those specific requirements.
Please note that GDPR does not apply to forms that do not collect or store personal data. If you're running an anonymous form like a poll or quiz that does not collect personal data, your forms are not affected.
What do these GDPR requirements mean?
Right to Access. You must provide a way for users to request access to, and view the data you have collected from them.
Right to be forgotten. You must also give users a way to withdraw consent and delete personal data collected from them.
GDPR may be European law, but its reach extends worldwide. GDPR compliance isn't limited to companies within the EU; it applies to any company collecting data from users inside Europe. If you are a California-based company, but have users from France filling out your forms - GDPR affects you!
6 steps to improve GDPR compliance
Formidable's front-end editing allows you to set up ways for logged-in users to easily edit or delete their data. This covers the "Right to Access" and "Right to be Forgotten".
1. Allow front end editing
On the settings page for your form, scroll down to 'Permissions'. Check the Allow front-end editing of entries box. Determine which user role can edit their own submissions and which user role can edit responses submitted by other users.
2. Build a data management View
This View will be used to display all data submitted via your form. It gives your users a simple overview of their data and allows them to manage it.
You should create an "All Entries" View and select the correct form to display data from. In the content box, insert fields that allow a user to recognize different submissions at a glance. Fields like a title, date or address should be used so each submission is immediately identifiable from the list.
3. Filter your View by the current user
Your View needs to be filtered by the current user, so that each user only sees their own entries.
**Pro Tip** If you don't already have a UserID field in your form, go to the form builder page for the form that is connected to your View and add one now.
Scroll down to the Advanced Settings for your View. In the 'Sort & Filter' section click the '+Add' button next to "Filter Entries". Set up the filter so it says 'User ID is equal to current_user'.
4. Allow editing of submitted data
First you will need to make a note of the page ID where your form is published. Depending on your permalink structure, the numeric page ID may already appear in the browser address bar. If not, edit that page, and the ID will be visible in your browser address bar.
Once you have that page ID, add an edit link to the View's Content box - Replace 'y' with the Page ID where your form is published:
[editlink label="Edit" page_id=y]
5. Allow users to delete their data
Formidable also allows users to delete their own entries. Simply add the deletelink shortcode into your View Content box like this:
[deletelink label="Delete"]
This shortcode automatically retrieves the appropriate entry ID from the View or form where it is inserted.
6. Publish your View on an "Account" page
Once your View is complete, create an "Account" or "Data Management" page on your website. Insert your View shortcode on this page, and link to this page from your privacy policy. You can even add this page to your main navigation if you like. Since the page only loads data for the current user, there is no risk of private data being visible to logged-out or unregistered visitors.
Your users can visit this page and see a list of all their previous submissions. They can click the "Edit" link to update any entry they choose or the "Delete" link to remove that data permanently.
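The six steps above set up two separate checks: the View filter (step 3) decides which entries a user sees, and the front-end editing permissions (step 1) decide which entries a user may edit or delete through the edit and delete links (steps 4 and 5). The following plain PHP is an added illustration of that logic, not Formidable's own code: the entry array shape, the sample entries, the role flag and the page ID 42 are all constructed assumptions, and in a WordPress plugin the user ID would come from get_current_user_id() rather than a literal.

```php
<?php
// Added example (not Formidable Forms code). Shows why the display filter and
// the edit/delete permission are two different checks. Entry shape, sample
// data and role names are constructed assumptions.

declare(strict_types=1);

/** Step 3: a user only sees entries whose user_id matches the current user. */
function entries_for_current_user(array $entries, int $current_user_id): array
{
    return array_values(array_filter(
        $entries,
        fn(array $e): bool => (int) $e['user_id'] === $current_user_id
    ));
}

/**
 * Step 1 permissions: a logged-in user may manage their own entry; only a role
 * that was granted "edit entries submitted by other users" may touch another
 * user's entry. Logged-out visitors (user id 0) manage nothing.
 */
function can_manage_entry(array $entry, int $current_user_id, bool $can_edit_others): bool
{
    if ($current_user_id === 0) {
        return false;
    }
    if ((int) $entry['user_id'] === $current_user_id) {
        return true;
    }
    return $can_edit_others;
}

/**
 * Steps 4 and 5: emit the Edit/Delete links only when the permission check
 * passes. $edit_page_id stands for the 'y' placeholder in [editlink page_id=y].
 */
function manage_links(array $entry, int $current_user_id, bool $can_edit_others, int $edit_page_id): string
{
    if (!can_manage_entry($entry, $current_user_id, $can_edit_others)) {
        return '';
    }
    $id = (int) $entry['id'];
    return sprintf(
        '<a href="/?page_id=%d&entry=%d">Edit</a> <a href="/?delete_entry=%d">Delete</a>',
        $edit_page_id, $id, $id
    );
}

// Constructed sample data: three entries submitted by two different users.
$entries = [
    ['id' => 101, 'user_id' => 7, 'title' => 'Quote request'],
    ['id' => 102, 'user_id' => 9, 'title' => 'Support ticket'],
    ['id' => 103, 'user_id' => 7, 'title' => 'Newsletter signup'],
];

$current_user_id = 7;     // in WordPress this would be get_current_user_id()
$can_edit_others = false; // a subscriber-level role under the step 1 permissions
$edit_page_id    = 42;    // assumed page ID where the form is published

// The "Account" page: only this user's entries, each with its manage links.
foreach (entries_for_current_user($entries, $current_user_id) as $entry) {
    echo $entry['title'], ': ',
        manage_links($entry, $current_user_id, $can_edit_others, $edit_page_id), PHP_EOL;
}

// The permission check is evaluated per entry on the server side, independent
// of what the View displayed, so another user's entry (id 102) is refused.
var_dump(can_manage_entry($entries[1], $current_user_id, $can_edit_others));
```

The point of keeping the two functions separate is that hiding an entry from the list is not the same as refusing to edit it; the step 1 permission setting is what governs the edit and delete actions, and the step 3 filter only governs what the Account page shows.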
Bonus steps
Don't save IP addresses - Did you know that many forms which do not appear to collect personal information still are not GDPR compliant? This is because many forms save IP data by default, and Formidable is no exception. IP address saving can be disabled easily though. Simply go to your Formidable -> Global Settings page and scroll to the bottom. Check the box for "Do not store IPs with form submissions." - and you're done!
Don't save entries - If you have a contact form that emails the data or a form that sends the data to another site, there may be no reason to store entries on your server. In this case you can disable storing of entries completely. Just check the box on the settings page for your form.
Auto delete entries - Did you know you can auto-delete entries after 30 days with the Form Action Automation and API add-ons? This step may help GDPR compliance in cases where users submitting forms are not logged-in. If users cannot manage their own entries, auto deletion of data can help you comply with GDPR.
The GDPR deadline is almost here so don't delay. Make your WordPress site and data collection 100% compliant today!
Not using Formidable Forms yet? Make the switch to the WordPress forms builder with the GDPR compliance solution you need.
The post 6 steps to GDPR compliance: right to access and be forgotten appeared first on Formidable Forms.