WordPress GDPR Compliance Just Got a Lot Easier

If you haven’t seen the latest updates to WordPress and Ninja Forms and their GDPR compliance features, you need to take a look right now!

This week, Friday May 25th, the EU’s General Data Protection Regulation (GDPR) officially takes effect. By now you’ve probably already gotten a good idea of the scope of the regulation and what you need to be doing for WordPress GDPR compliance. If you’re not thrilled with the process you have in place right now, or your ideas for last minute implementation, we have good news for you.

With the latest WordPress and Ninja Forms updates, new GDPR compliance features will make accepting data export and deletion requests trivial.

If you’ve not updated yet, do it now. We’ll get into details below, but in a nutshell there is now:

  • a stock form for allowing users to request an export of all personally identifiable information
  • a stock form for allowing users to request the deletion of all personally identifiable information
  • a way for you to grant both those requests with the press of a button for registered users

Read on for details! We’ll also be highlighting a few other new features we’ve bundled into Ninja Forms to make WordPress GDPR compliance easier.

If you’re unsure what all this GDPR business is about, check out our previous article on compliance. We’ve also written a bit on how we feel about the GDPR in general if you’re interested. Don’t let it catch you by surprise!

The latest WordPress GDPR Compliance update (4.9.6) adds a new feature for data export and deletion requests

The WordPress team has come through for us in a big way with the 4.9.6 update. Two of the core elements of GDPR compliance are being able to, on request:

  • provide to a user all data that you have collected about them (Right to Access)
  • delete all data that you have collected about a user (Right to Be Forgotten)

The newest update provides a dedicated spot in the dashboard to perform both these tasks. Under Tools you will now see two new options:

  • Export Personal Data
  • Erase Personal Data

The two screens are virtually identical, and look like this:

These options give you a way to search by email address or username for all the data within WordPress associated with either. The export option allows you to generate a digital document that can be sent to the user. The erase option… erases all of it.

This gives any website admin a clean way to search for personal data and export or delete it. While this is great, taken alone there are two major deficits:

  1. There’s no way for users to actually make the request. You’re left on your own to figure out how to do that.
  2. Natively, the personal data returned is only that data collected by core WordPress functionality. Data collected by plugins (like form submissions) won’t be included unless the developers of that plugin have hooked into the Export/Erase feature themselves.
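For plugin developers, this is roughly what hooking into the Export/Erase feature (item 2 above) involves. It is an added example, not code from WordPress or Ninja Forms; the `example-plugin` slug, the `example_submission` post type and the `_example_email` meta key are hypothetical, while the two `wp_privacy_personal_data_*` filters are the ones core introduced in 4.9.6.

```php
<?php
// Assumed (hypothetical) storage: posts of type 'example_submission' with the
// submitter's email in post meta '_example_email'.
function example_find_submissions( $email, $page ) {
    return get_posts( array(
        'post_type'      => 'example_submission', 'post_status' => 'any',
        'meta_key'       => '_example_email', 'meta_value' => $email,
        'posts_per_page' => 50, 'paged' => (int) $page,
    ) );
}
// Exporter: WordPress calls it page by page until 'done' is true.
function example_exporter( $email, $page = 1 ) {
    $posts = example_find_submissions( $email, $page );
    $items = array();
    foreach ( $posts as $post ) {
        $items[] = array(
            'group_id'    => 'example-submissions',
            'group_label' => 'Example Form Submissions',
            'item_id'     => 'example-submission-' . $post->ID,
            'data'        => array(
                array( 'name' => 'Submitted', 'value' => $post->post_date ),
                array( 'name' => 'Email', 'value' => $email ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => count( $posts ) < 50 );
}
// Eraser: re-reads page 1 on every call because erased posts leave the result
// set, and stops on a failed delete so a stuck item cannot loop forever.
function example_eraser( $email, $page = 1 ) {
    $posts   = example_find_submissions( $email, 1 );
    $removed = $retained = 0;
    foreach ( $posts as $post ) {
        wp_delete_post( $post->ID, true ) ? $removed++ : $retained++;
    }
    return array(
        'items_removed'  => $removed > 0,
        'items_retained' => $retained > 0,
        'messages'       => $retained ? array( 'Some submissions could not be erased.' ) : array(),
        'done'           => count( $posts ) < 50 || $retained > 0,
    );
}
add_filter( 'wp_privacy_personal_data_exporters', function ( $list ) {
    $list['example-plugin'] = array( 'exporter_friendly_name' => 'Example Plugin', 'callback' => 'example_exporter' );
    return $list;
} );
add_filter( 'wp_privacy_personal_data_erasers', function ( $list ) {
    $list['example-plugin'] = array( 'eraser_friendly_name' => 'Example Plugin', 'callback' => 'example_eraser' );
    return $list;
} );
```

A plugin that registers neither callback is silently skipped by the Tools screens, so an export or erasure can report success while that plugin's records remain untouched.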

Don’t worry, neither of those deficits will be an issue for you. Here’s why!

Ninja Forms now hooks into the new WordPress Export/Erase feature with user-facing request forms & actions

The newest update to Ninja Forms (3.3) introduces 2 stock WordPress forms:

  • Delete Data Request
  • Export Data Request

These forms both hook directly into the WordPress Export/Erase feature. What does this mean?

  • You have a front-end, user-facing way to collect requests via your WordPress forms
  • These requests appear under Tools > Export Personal Data or Erase Personal Data in your dashboard.
  • With the push of a button, you can grant that request.

We’ve taken the extra step already to ensure that all form submission data is included when the request is processed for all users. Right now non-registered user submission data will still need to be searched for and removed manually under Ninja Forms > Submissions. An upgrade to this is coming very soon, so keep an eye on near-future updates!

UPDATE: Associate every form submission with a user email address using this new feature!

To help you organize user data for automated compliance with export and erase requests, we’ve upgraded the Store Submission action. Using this feature, Export Data Request and Delete Data Request are now fully automated for both registered and non-registered WordPress users. Check it out under your Emails & Actions tab!

You’ll now find a setting within this action that will link the submitter’s email address to the form submission when using the new export/delete data request forms introduced in the next section.

Just map the email field of the form to the Designated Submitter’s Email Address. You have the option to map it to other fields if necessary, but we recommend associating by email. With this done, the feature described below will fully automate export and erase requests!

You’re not limited to using these two forms. Add Export/Delete request options to any WordPress form!

If for any reason the stock forms don’t meet your needs, we’ve made the Export/Delete request options portable. They take the shape of a simple action that can be added to any of your WordPress forms from the Emails & Actions tab:

Just map the action to the form field you’re collecting the email address in, and you’re set. There’s nothing more to it than that. WordPress GDPR compliance doesn’t get any easier than this!

UPDATE: Mark any field as Personally Identifiable Data, easily anonymize that data when Delete Data Requests are processed

Each field now has a toggle to mark that field as Personally Identifiable Data. It’s on by default for certain obvious fields, and can be toggled on for any field:

Delete Data Requests can now be set to anonymize personal data rather than delete it. Any field marked as Personally Identifiable Data will be anonymized. All other fields will be left intact.

The anonymize option can be toggled on under the Advanced settings of the Delete Data Request action:

What other GDPR related features are included or coming soon to Ninja Forms?

Glad you asked, because there are several! You’ve been making requests in our support channels about what will make your life easier under the GDPR. We’ve been listening, and working to implement them. The following isn’t the full list of what we’ve done/plan to do. These features are only the ones that are either live with this update or those that will be available very soon.

Decide which form fields you want to be saved, and which you don’t

Some forms are going to contain fields that ask for personal data. Other fields on the same form may not. What if the user does not consent to having personal data collected? That shouldn’t bar you from collecting the non-personal data items on the form that may still be useful.

You can now, on a per-field basis, select which fields will be saved to the database, and which will not.

Set submission data to expire on a timer

Per your request, we have added functionality that will force submission data to expire after a set number of days. You can find this feature under the Store Submission action on your Emails & Actions tab:

Just expand the Advanced settings of the action and toggle it on. By default submissions are set to expire after 90 days. You can adjust that as needed. Expired submissions will be sent to Trash under Ninja Forms > Submissions, so be mindful to take out your trash regularly if you don’t want that data present at all.

Coming soon: Global submissions search

Currently searching submissions for an email address or other bit of data requires a manual search through each form’s submissions. If you have a lot of forms, that’s a pain. We realize that and are very close to having a shippable global search feature to release. Look for it to be ready in the near future.

These tools give you a way to practically automate data access and erasure

While you still need someone with a pulse to grant incoming requests, that’s virtually all that’s left to you. All users now have a front-end, user-facing way to make a request. Submission notifications via email, SMS (Twilio/ClickSend), or even Slack will let you know when a request has been made. The only thing that’s on you is logging in to grant the request with the push of a button!

Remember, the WordPress forms features we talked about above all began as user requests. What else can we do with Ninja Forms that will make WordPress GDPR compliance easier on you?