WordPress, Gravity Forms, and GDPR Compliance
If you’re on this page, you’ve probably heard about GDPR compliance, but aren’t quite sure how it affects your forms or your WordPress site in general. Your best option is always to consult legal counsel, but we’ll try to clarify things for you in the meantime.
What Is GDPR Compliance?
On May 25, 2018, new regulations will go into place within the EU that pertain to data collection. You can find the full overview via official sources, but here’s the gist:
In the simplest terms, what GDPR (General Data Protection Regulation) does is protect users from unauthorized data collection by requiring explicit consent. If data is being collected and stored, the individual providing the information needs to be aware of it and give permission before any action is taken.
Along with providing permission to collect data, the GDPR requires that users are able to request access to their data and have it removed if requested.
How Can I Make Gravity Forms and My WordPress Site GDPR Compliant?
Once again, we’re not lawyers so you’ll want to confirm this with legal counsel, but here’s our recommendation:
The easiest way to comply would be to add a required checkbox to any forms that need to be compliant. Adding a simple checkbox field that states something along the lines of “I consent to my submitted data being collected and stored” will usually do the trick.
Be sure to make it a required field, and the first part is done. This way, you’ll know that every submission is compliant because without providing consent, the submission would not complete.
If you are also using a feed-based add-on with your form, such as MailChimp, you can configure conditional logic on the feed so it will only be processed if the user has checked the consent checkbox field. See the Conditional List Subscriptions article for more details.
Part of GDPR compliance also requires that users are able to request access to their data at any time. To handle this, the data could be requested manually or automatically using either a bit of custom code, or an add-on such as GravityView. Data modifications would be as simple as editing the form entry.
The following third-party plugins can help with GDPR compliance and also have integrations for Gravity Forms:
Can I prevent the IP address being saved in the entry?
The gform_ip_address filter can be used in the theme functions.php file or a custom functionality plugin along with the WordPress __return_empty_string function to replace the IP address with an empty string, e.g.
// Store an empty string instead of the submitter's IP address in every entry.
add_filter( 'gform_ip_address', '__return_empty_string' );
If you would prefer not to use custom code, the Encrypted Fields add-on by PluginOwl can be configured to remove or not store the IP address.
Can I encrypt the field values before they are saved to the entry?
We recommend using the Encrypted Fields add-on by PluginOwl to configure encryption of the field values.
Can I prevent Gravity Forms saving the entries to the database?
It’s important to note that GDPR does not prohibit saving personal data to the database; it just requires that you gain consent before doing so.
While you can’t currently prevent Gravity Forms from saving the entries, you can use custom code or a third-party add-on to delete them during submission, after the notifications and add-on feeds are processed. There are also add-ons which can automatically delete entries on a schedule. See the Delete Entry Data after Submission article for more details.
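As an added example (not code from this page or from the Delete Entry Data after Submission article), here is the custom-code approach just described: a gform_after_submission hook that removes the entry once the submission has been processed. The form ID 3 in the hook name is an assumed placeholder.

```php
<?php
// Added example: delete the entry for form ID 3 once the submission has been
// processed. Form ID 3 is an assumed placeholder; adjust it to your form.
// gform_after_submission fires after notifications and after the add-on feeds
// that run during submission. Feeds an add-on delays (for example until a
// payment completes) would not have run yet, so avoid this on such forms.
add_action( 'gform_after_submission_3', 'gdpr_delete_entry_after_submission', 10, 2 );

function gdpr_delete_entry_after_submission( $entry, $form ) {
    // Use the Gravity Forms API so entry meta and notes are removed with the entry.
    $result = GFAPI::delete_entry( $entry['id'] );

    if ( is_wp_error( $result ) ) {
        // Record the failure in the Gravity Forms log instead of showing it to the submitter.
        GFCommon::log_debug( __METHOD__ . '(): could not delete entry ' . $entry['id'] . ': ' . $result->get_error_message() );
    }
}
```

Because the entry is gone after submission, any notification or feed is the only place the data will exist, so check those destinations separately for compliance.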
Can the user view or edit their own submissions?
Allowing the user to view or edit their own submissions is not a built-in feature of Gravity Forms but is made possible by third-party add-ons such as GravityView by Katz Web Services, Inc. or Gravity Forms Sticky List by 13pixar.
Are the entries sent to gravityforms.com?
No. The form submissions (entries) are saved to your site’s WordPress database. The data would only leave your site if you configure a notification email or an add-on to send it elsewhere.
We hope we’ve clarified things a bit for you on making your forms GDPR compliant. If you have any additional questions, feel free to reach out to support. Of course, for specific details on the legal requirements, it’s always best to talk to a lawyer.