GDPR Compliance and WordPress Forms: Everything You Need to Know

Change is on the horizon with the approach of the GDPR (General Data Protection Regulation), the EU’s sweeping new suite of data privacy regulations. Because it applies to data collection involving any EU citizen, it reaches you whether or not you’re based in an EU country. These new regulations take effect on 25 May 2018, meaning we have less than a year remaining to prepare for GDPR compliance.

Are you ready? Have questions? Hundreds of thousands of Ninja Forms users put their WordPress forms to work every day collecting information about their users that falls under the scope of the GDPR. We want you to be comfortable and prepared for the new regulations so that you don’t have to worry. To that end, we’re providing this article as your go-to resource for GDPR compliance where WordPress forms are concerned.

We’ll hit three major topics for you:

  1. What is the GDPR?
  2. What is the scope and impact of the GDPR?
  3. How can I be compliant with Ninja Forms?

GDPR compliance for Ninja Forms users is 100% free and requires no additional plugins!

We’ll be keeping this article updated with any new changes as we move closer to the regulations taking effect, so keep checking back!

A Quick Word Before We Get Started…

First, an obligatory disclaimer so that our lawyer doesn’t throw me out a metaphorical window: we’re not lawyers and what follows isn’t legal advice. We have a vested interest in your success under the GDPR, but if you need concrete legal counsel, talk to a lawyer.

Now that we have that out of the way, a bit of perspective: new regulation can be scary. There’s already a fair bit of anxiety out there about the GDPR, and the usual mix of misinformation and misunderstanding that accompanies new regulation on this scale.

We can speak with a high degree of certainty where data collection through your forms is concerned. The GDPR isn’t looking that scary. The EU’s intention largely looks to be a paradigm shift in the way the world thinks about and treats privacy and data collection. Enforceability is probably going to look very similar to VAT. Corporations and government agencies will likely be expected to comply immediately, and that will create a ripple effect that sets a new standard for how we handle data worldwide. It’s extremely unlikely that the EU authorities are going to start dropping noncompliance fines on small businesses in Montana fresh out of the gates next May.

In that light, it’s a cause that we can get behind 100%. Safeguarding your personal data, and helping you to safeguard your users’, is extremely important to us. Using Ninja Forms, compliance shouldn’t be difficult. Let’s begin exploring the GDPR and how to make this transition as painless as possible in the months ahead!

What is the GDPR?

The General Data Protection Regulation (GDPR) is the replacement for the Data Protection Directive 95/46/EC. Originally enacted in 1995 while the internet was still young, the directive is definitely due for an update. The change is much more than a simple update/upgrade of existing policy, however. At its core, the GDPR is a move towards enshrining control of your personal data as a fundamental human right.

The GDPR gives EU citizens control of their digital data by empowering them with the right to know when personal data is being collected and what data is being collected, to access that data, and to have it purged on request. And that’s just a general overview; we’ll get into the nitty gritty of the details below.

In short, the GDPR is a data privacy regulation that modernizes and normalizes data privacy laws across Europe and applies to any organization collecting data on EU citizens.

Impact and Scope of the GDPR

The GDPR makes several key changes to privacy law and introduces basic data subject rights for all EU citizens. We’ll look at each in turn below.

Increased Territorial Scope

The reach and applicability of the GDPR is not limited to the EU, but instead impacts any website/organization that handles the personal data of any EU citizen. This means that essentially any WordPress website must comply with the GDPR no matter where in the world the servers or administrators are physically located. If you accept traffic from the EU and collect information from EU citizens, GDPR compliance matters.

In technical terms, the GDPR applies to any processing of personal data by both controllers and processors of that data. Article 4 defines controllers as anyone who is involved in determining how personal data is handled, regardless of whether they directly collect that data or not. Processors are defined as anyone who actually processes personal data on behalf of the controller. This is a key point to note, as it broadens the scope of the GDPR to anyone involved in not just the collection but the handling of personal data as well, including cloud services.

Explicit Consent Requirement for Data Collection

Strengthened consent requirements are the core of the new regulation. If you collect or manage any EU citizen’s data, you must:

  1. Request the explicit consent of every user before any data collection takes place. Requests must be in clear, plain, easily understandable language free of legalese. It also must stand alone from other matters or requests and not be buried in other text.
  2. Have a clear and accessible privacy policy that informs users how collected data will be stored and used.
  3. Have a means for users to request access and view the data you have collected on them.
  4. Provide users with a way to withdraw consent and purge personal data collected on them; i.e. the “Right to Be Forgotten”.

Penalties and Fines

Penalization for noncompliance comes in the form of tiered fines that scale to the severity of the violation. Fines cap at 4% of annual turnover or €20 million, whichever is greater.

Data Subject Rights

In plain English, a data subject is any EU citizen from whom you are collecting personal data. GDPR compliance requires that data subjects be granted certain rights. What follows is not an exhaustive list, but those rights that are relevant to the collection, processing, and storage of personal data on your WordPress website.

Right to Access. Data subjects must be able to request and obtain confirmation that data is or is not being collected on them, and if so exactly what data is being collected, how, where, and for what purpose. That data must also be provided to them in an electronic format free of charge on request.

Right to Be Forgotten. Data subjects must be provided a quick and painless way to withdraw consent and have collected data purged.

Data Portability. Similar to the Right to Access, Data Portability requires that data subjects are able to request, obtain, and/or transfer possession of collected data at any time.

Breach Notification. If a breach/unauthorized access of personal data takes place that is likely to “result in a risk for the rights and freedoms of individuals”, notification must be made within 72 hours of becoming aware of the breach.


GDPR Compliance and Ninja Forms

Forms exist to collect data offered by your visitors, guests, and members. How can you maintain GDPR compliance while using Ninja Forms? Let’s dive into the details of what this new regulation means for you and your WordPress website specifically.

What Forms Do We Need to Worry About?

First, not all your forms are necessarily going to be impacted by the GDPR. Running an anonymous survey? Quiz? If you’re not collecting personally identifiable information on users, your form’s not impacted. However…

Are you asking for a name? Email? Address? Phone? The GDPR impacts that form. If you’re using any email marketing or CRM extensions in a form, it’s affected. Save Progress? It’s affected. Most likely any form that deals with commerce of any type through Stripe, PayPal, or Recurly is affected. If you’re collecting any personally identifiable information whatsoever, GDPR compliance becomes important. So, how to comply?

How Can We Comply?

It’s actually not that burdensome to make your WordPress forms compliant if you’re a Ninja Forms user. We have several avenues to explore here, so let’s take a look at options.

To Store or Not to Store?

The drop-dead easy way to comply: if you don’t need a record of the data collected via your forms, then simply don’t store the data. This eliminates any question of GDPR compliance. Just zip on over to the Emails & Actions tab of the form and toggle off (grey) the Store Submission action, and if you’re using an email action, make sure that the email doesn’t include form fields with personally identifiable data.

[Screenshot: Store Submission action toggled off in the Emails & Actions tab]

Now this obviously isn’t going to work for most of us. Many of us use our forms expressly for the purpose of collecting data, and having a record of submissions is mission critical. Let’s look then at how we can collect data and still comply.

1. Request Consent

Explicit consent has to be obtained before data collection can take place; in other words, before the user submits the form. They must be made aware that this form is collecting personal data with the intent to store that data. You’re also responsible for letting the user know how that data will be stored and used. Don’t sweat, it’s easier than it sounds.

First, you need a privacy policy. The Right to Access states that a user must be informed if data is being collected, what data is being collected, how, where, and for what purpose. That’s a load of info. To keep things simple and easy in your form, use your privacy policy to fully disclose your data collection and storage practices, and then link to that privacy policy from the form when you request consent.

Informing the user that a form is going to be collecting personal data and requesting consent is as simple as two fields: the humble HTML and Single Checkbox fields.

Enter informational text & link to your privacy policy in the HTML field:

[Screenshot: HTML field containing the informational text and privacy policy link]

Request consent in the Checkbox field and make it a required field:

[Screenshot: required Single Checkbox field requesting consent]

The user eye view:

[Screenshot: the HTML and checkbox fields as the user sees them]

This setup prevents data from being submitted unless consent is explicitly granted. If for any reason you would want the form to submit without consent being granted (the checkbox field not being required), you can do so and still remain compliant. Just use Conditional Logic to toggle on the Store Submission action only if the checkbox has been ticked. Data won’t be stored unless consent has been granted. Fringe use case perhaps, but still there if you need it.

2. Make User Data Organized and Accessible

Ninja Forms can collect and store data in two ways: submissions and email. What we’re about to cover here is applicable to both forms of stored data.

You must:

  1. Be able to provide a user with all personal data you have on them on request
  2. Be able to purge all personal data you have on them on request

The responsibility of being able to associate submitted data with the submitter falls to you. There are probably a number of ways to pull this off. Our recommendation? The simplest means would likely be to always collect an email address when you collect personal data of any type. Submissions can easily be searched by email address:

[Screenshot: submissions view, searched by email address]

This will allow you to easily pull together submissions from a given user and either provide an export or delete them on request. Emails can similarly be searched and dealt with. You should probably also state somewhere (privacy policy?) that this is how you’re handling things for transparency’s sake.
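As an added example (not Ninja Forms code, and not from the original post), here is a small Python script that does this section’s job on a submissions export: it gathers every submission tied to one email address for an access or portability request, and drops them for an erasure request while keeping a count-only record that the request was honoured. The CSV sample and its column names are constructed for the example and are an assumption about the export layout.

```python
import csv
import io
import json
from datetime import date

# Constructed sample of a submissions CSV export. The column names are an
# assumption for this example, not the plugin's real export layout; the point
# is that one column carries the email used to find a data subject's records.
SAMPLE_CSV = """Submission ID,Date,Name,Email,Message
101,2017-09-01,Alice Example,alice@example.com,Please send the brochure
102,2017-09-03,Bob Example,bob@example.com,Quote for 10 units
103,2017-09-05,Alice Example, Alice@Example.COM ,Follow-up on brochure
104,2017-09-07,Carol Example,carol@example.com,Newsletter signup
"""

EMAIL_COLUMN = "Email"


def normalise(email):
    """Compare addresses case-insensitively and ignore stray whitespace."""
    return email.strip().lower()


def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def belongs_to(row, email):
    return normalise(row.get(EMAIL_COLUMN, "")) == normalise(email)


def find_subject_rows(rows, email):
    """All submissions belonging to one data subject, matched by email."""
    return [r for r in rows if belongs_to(r, email)]


def export_for_subject(rows, email):
    """Right to Access / Data Portability: a machine-readable copy of their data."""
    return json.dumps(find_subject_rows(rows, email), indent=2)


def erase_subject(rows, email):
    """Right to Be Forgotten: drop the subject's rows and return a tombstone
    that holds no personal data but shows the request was honoured."""
    remaining = [r for r in rows if not belongs_to(r, email)]
    audit = {"erased_submissions": len(rows) - len(remaining),
             "erased_on": date.today().isoformat()}
    return remaining, audit


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print(export_for_subject(rows, "ALICE@example.com"))
    remaining, audit = erase_subject(rows, "alice@example.com")
    print(json.dumps(audit), len(remaining), "submissions remain")
```

Match on the normalised address, as the script does, or a submission entered as Alice@Example.COM will slip past a search for alice@example.com. Confirm that a request really comes from the holder of that address (replying to it is the simplest check) before you export or erase anything.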

3. Have an Open Channel for User Requests

GDPR compliance requires that you be reachable and responsive to user requests for data that you’ve collected on them either to view or delete. There are a number of ways to handle this also, but obviously we recommend a form!

A simple consent withdrawal/request to view form on your privacy policy page (which is linked to by any form which collects personal data) will do the trick nicely. If you’re a Conditional Logic user, one form would easily serve both purposes. From there it’s just up to you to be responsive. We recommend setting up an email action that notifies you each time this form is submitted.

If you’re extra paranoid about missing one of these, we have a number of extensions that will add an extra layer of peace of mind, pinging you by different means when a form submits: Zapier (to use a notification service of your choice), Slack, Twilio, and ClickSend.

We Know You Have Questions…

Our intention here is to inform. We want every member of the Ninja Forms family to transition into the GDPR landscape as effortlessly and as painlessly as possible. We’ve done our absolute best to parse these new regulations and provide information that is as accurate as possible. We’ll also continue to update as the regulation moves towards implementation in its final form in May of 2018. Continue to check back with us here for those updates.

We can and will address your questions to the best of our ability. We certainly don’t have all the answers, but there’s a lot we can tackle with a high degree of confidence, especially where your forms are concerned. What questions do you have about the GDPR? Fire away!