If your inbox is anything like ours at the Flying Monkey Treehouse, it has recently been filling up with emails with subjects like this one: “Our company is updating its privacy policies.” You’re probably going to receive many more before May 25 because of a new European privacy law called the General Data Protection Regulation (or GDPR). Companies are updating their policies to meet the new GDPR requirements and are sending all their customers notices about the changes.
Change is coming…
Do not doubt it, people, change is coming very soon with the imminent arrival of the GDPR (General Data Protection Regulation), the EU’s sweeping new suite of data privacy regulations. Because this new regulation applies to all data collection that affects any European Union citizen, whether you, your company or your servers are based in an EU country or not, the huge reach of the GDPR does affect you, have no doubt. These new GDPR regulations come into law on 25 May 2018, which means you only have about a month to prepare for GDPR compliance.
Are you ready for this change?
Thousands of WordPress websites use various forms plugins to work every day collecting personal information about their users that falls squarely and firmly under the purview of the GDPR. We want all our clients to be comfortable, and more importantly, prepared for these new regulations so that they don’t have to lose sleep worrying if they are breaking any laws.
So, as a start, we’ve written this article as your newest, and hopefully easiest, resource for GDPR compliance where WordPress forms are concerned.
We’ll try to cover 3 of the major topics and questions here:
- What the heck is this silly acronym GDPR (General Data Protection Regulation) anyway?
- What is the meaning, reach, scope and impact to me of this new GDPR?
- How can I make sure that my WordPress website is compliant with the rules and regulations of the GDPR?
A Quick Word from the Lawyers (who wrote the GDPR as well btw 🙁 )…
First, we all need to know this is legal stuff, and that we need to give out the obligatory disclaimer so that our lawyer doesn’t throw us out the metaphorical Treehouse: we are not lawyers and what follows is not legal advice. We have a big and indeed involved interest in your website’s success under the new GDPR, but if you need real legal counsel, talk to a lawyer/solicitor (depending on what country you are in 😉 ).
New regulation can be scary
Now that we have that out of the way, let’s bring a little bit of perspective to the subject: yes, new regulation can be a bit frightening. There are already a lot of people out there worried about the GDPR, and the usual mixture of misinformation and misunderstanding that comes with any new regulation on this scale is to be expected.
The low down
Now, after reading a LOT about all this, we can speak with a fairly high degree of certainty where data collection through your WordPress sites is concerned.
The GDPR isn’t actually looking that scary if dealt with sensibly and correctly.
The EU’s intention mostly looks to be a shift in the way the world thinks about and treats privacy and data collection. Enforcement is probably going to look very similar to any tax regulation or new budget announcement. The large companies and, of course, government agencies should expect to be required to comply immediately. That, however, will create a knock-on effect that sets a new standard for how we all handle data worldwide, regardless of your size or location.
Having said that, it is highly unlikely that the EU GDPR authorities are going to start chasing or dropping noncompliance fines on SME businesses in Australia fresh out of the gates come 25th May 2018. Phew! 🙂
We support it, really!
In light of the Facebook data privacy debacle, and many worried clients and their customers, this is a cause that we should support 100%. Safeguarding the personal data of you, your customers and your website visitors, and helping you to safeguard the data of ALL your users, is very important to us, and it should be to you too. Using any of the major form plugins available for WordPress, compliance shouldn’t actually be that difficult.
So let’s begin to see what the GDPR is actually all about and how to make the transition on your own WordPress website as painless (and hopefully as cost effective) as possible in the weeks ahead!
What actually is this GDPR?
The General Data Protection Regulation (GDPR) is the replacement for the Data Protection Directive 95/46/EC, a law in the European Union. Originally enacted in 1995, when the internet was still a tiny infant of its current self, these laws were definitely due for an update. However, this change is much more than a simple update/upgrade of existing policy. At its heart, the GDPR is a move towards vesting control of your online personal data as a fundamental human right.
The GDPR gives EU citizens actual full control of their digital online data by empowering them with the right to know when personal data is being collected, what data is being collected, access to that data, and to purge it on request.
And that’s just a general overview; we’ll get into more of the details below.
The GDPR is a data privacy regulation that modernises and standardises data privacy laws across Europe and applies to any organisation collecting any personal data on any EU citizens.
What is the actual impact and reach of the GDPR?
The GDPR makes several big changes to privacy laws as we knew them, and introduces new basic data subject rights for all EU citizens. Here are the top few:
Increased Scope – now worldwide
The reach and applicability of the GDPR is not limited to the EU, but instead impacts any website/organization that handles the personal data of any EU citizen. This means that essentially any WordPress website must comply with the GDPR no matter where in the world the servers or administrators are physically located. If you accept traffic from the EU and collect information from EU citizens, GDPR compliance matters.
In technical terms, the GDPR applies to any processing of personal data by both controllers and processors of that data. Article 4 defines controllers as anyone that is involved in determining how personal data is handled regardless of whether they directly collect that data or not. Processors are defined as anyone who actually processes personal data on behalf of the controller. This is a key point to note as it broadens the scope of the GDPR to anyone involved in not just the collection but the handling of personal data as well, including cloud services.
Explicit consent required for any data collection
User consent is at the heart of the new GDPR regulations, and the consent requirements have been considerably strengthened. If you collect or manage any EU citizen’s data, which let’s be honest we ALL do, then you must:
- Always request the explicit consent of every single user before any personal data collection takes place, and do it every time on most of your forms. These requests must be in clear, plain, easily understandable, simple language free of any legal jargon. It also must stand alone from other matters or requests (no hiding the tick box!) and not be buried in other text.
- Have an easy way for users to request access and view the data you have collected on them. Not just email us, but an automated way…
- Provide users with a way to withdraw consent at any time, and to fully purge any or all personal data collected on them on your site; this is the so-called “Right to Be Forgotten”.
Penalties and Fines
Penalties for noncompliance with the GDPR take the form of a set of tiered fines that scale depending on the severity of the violation. The fines are capped under this regulation at 4% of your gross annual turnover or €20 million, whichever is greater. You can see this is aimed at the Big Boys!
Data Subject Rights
In simple English, a data subject is any EU citizen from whom you collect their personal data.
GDPR regulatory compliance requires that you grant these data subjects specific legal rights. Here is a simple list. It is by no means exhaustive, but we think it covers the rights most relevant to the collection, processing, and storage of your users’ personal data on your WordPress website.
- Right to Access
Data subjects must be able to request and obtain confirmation that data is or is not being collected on them, and if so exactly what data is being collected, how, where, and for what purpose. That data must also be provided to them in an electronic format free of charge on request.
- Right to Be Forgotten
Data subjects must be provided a quick and painless way to withdraw consent and have collected data purged.
- Data Portability
Similar to the Right to Access, Data Portability requires that data subjects are able to request, obtain, and/or transfer possession of collected data at any time.
- Breach Notification
If a breach/unauthorized access of personal data takes place that is likely to “result in a risk for the rights and freedoms of individuals”, notification must be made within 72 hours of becoming aware of the breach.
How can you maintain GDPR compliance while using your Forms Plugin?
You have website forms to collect personal data offered by your visitors, guests, and members. Let’s dive into the details of what this new regulation means for you and your WordPress website specifically.
Which of my forms do I need to worry about?
First off, we did have a scare that every single form would need to be modified, but it turns out this is not exactly the case. Not all of your forms are necessarily going to be impacted by the GDPR regulations.
For example, if you are running an anonymous survey or quiz, AND you are not collecting personally identifiable information on users, then this form is simply not impacted.
- Are you asking for a name?
Then for SURE the GDPR impacts that form, without a doubt.
If you are using any email marketing integration such as Mailchimp, or CRM extensions such as Salesforce, in your form, then it is for sure affected.
Save Progress? It’s affected. Most likely any form that deals with e-commerce or payment of any type through Paypal, Shopify, Woocommerce or Recurly is affected. If you’re collecting any personally identifiable information whatsoever, GDPR regulatory compliance becomes important. So, how do you make sure that your forms comply?
How can you comply with GDPR on your WordPress website?
It’s actually not as hard as you think to make your WordPress forms GDPR compliant if you’re using one of the big forms plugins like Ninja Forms or Gravity Forms. To show you the basics, let’s take a look at some options within these plugins:
To Keep the Data or Not?
The really simple way to comply: if you don’t need a record of the data collected via your forms, then simply don’t collect or store the data. This eliminates any question of GDPR compliance.
For example, in Ninja Forms, head over to the Emails & Actions tab of the form and toggle off (grey) the Store Submission action, and make sure that if you’re using an email action the email doesn’t include form fields with personally identifiable data.
Now this obviously isn’t going to be an answer for most companies, because we use our forms expressly for the purpose of collecting this data, and having a permanent record of these submissions is critical to running our businesses. So with that in mind, let’s look at how we can collect this data and still comply with the GDPR.
1. Request Consent
This is the BIGGEST part of the GDPR: explicit consent has to be obtained before data collection can take place. In simple words, before the user submits the form they must consent. They must be made aware, in a clear and simple fashion, that this form is collecting personal data with the intent to store that data. You and your company are also responsible for letting the user know how that data will be stored and used, not generally, but specifically. Don’t worry too much though, as it can be easier than it sounds.
Informing the user that a form is going to be collecting and storing their personal data, and explicitly requesting consent, is as simple as two fields in any of the plugins: the humble HTML and Single Checkbox fields.
- explain in the HTML field what personal data the form collects and how it will be stored and used
- and then request consent in the Checkbox field and make it a required field
(to see how it looks in Gravity Forms, see our own Contact page here…)
This simple setup prevents ANY data from being submitted unless explicit consent is granted.
2. Ensure that all User Data is organised and accessible by them
To cover this, you and your company’s WordPress site must:
- Be able to provide a user with all personal data you have on them on request
- Be able to purge all personal data you have on them on request
The responsibility of being able to associate submitted personal data with the submitter themselves falls to you/your company. There are a number of ways to do this, of course. Our recommendation? The simplest means is to always collect an email address when you collect personal data of any type, then track every user by their email. This is how Google does it!
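To make points 1 and 2 concrete, here is an added example (our own illustration, not code from Ninja Forms, Gravity Forms or WordPress) of a form back end that refuses any submission whose required consent box is not ticked, keys every stored record by the submitter’s email address, and answers access and erasure requests from that one key. The field names `gdpr_consent` and `email` and the sample submissions are constructed for the demo.

```python
from dataclasses import dataclass, field

class ConsentRequired(Exception):
    """Raised when a submission lacks the explicit, affirmative consent tick."""

@dataclass
class FormStore:
    # Keyed by lower-cased e-mail: one address serves access, portability and erasure.
    records: dict = field(default_factory=dict)

    def submit(self, fields: dict) -> bool:
        # Only a literal True (box ticked) counts; missing/unticked/string values are refused.
        if fields.get("gdpr_consent") is not True:
            raise ConsentRequired("explicit consent checkbox not ticked")
        email = fields.get("email", "").strip().lower()
        if not email:
            raise ValueError("an e-mail address is required to key the record")
        entry = {k: v for k, v in fields.items() if k not in ("gdpr_consent", "email")}
        entry["consent_recorded"] = True  # keep evidence that consent was given
        self.records.setdefault(email, []).append(entry)
        return True

    def export(self, email: str) -> list:
        """Right to Access / Data Portability: everything held for this address."""
        return list(self.records.get(email.strip().lower(), []))

    def purge(self, email: str) -> int:
        """Right to Be Forgotten: drop every record for the address, return the count."""
        return len(self.records.pop(email.strip().lower(), []))

# Constructed sample submissions for the demo (not real data).
SUBMISSIONS = [
    {"email": "Alice@Example.org", "name": "Alice", "message": "Quote please", "gdpr_consent": True},
    {"email": "bob@example.org", "name": "Bob", "message": "Hello", "gdpr_consent": False},
    {"email": "alice@example.org", "name": "Alice", "message": "Follow-up", "gdpr_consent": True},
    {"email": "carol@example.org", "name": "Carol", "message": "Hi", "gdpr_consent": "on"},
]

def demo() -> dict:
    store = FormStore()
    refused = 0
    for s in SUBMISSIONS:
        try:
            store.submit(s)
        except ConsentRequired:
            refused += 1
    held = len(store.export("alice@example.org"))
    purged = store.purge("ALICE@example.org")
    return {"refused": refused, "held_before_purge": held, "purged": purged,
            "held_after_purge": len(store.export("alice@example.org"))}
```

Note that the unticked (Bob) and pre-filled string (Carol) submissions are both refused and nothing about them is stored, while both of Alice’s records are returned by one lookup and removed by one purge regardless of how her address was capitalised.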
3. Have an open channel for User Requests
GDPR regulatory compliance requires that your company be easily reachable and responsive to data subject requests regarding the data you’ve collected on them, either to view it or, if they want to, to delete it (Right to Be Forgotten). There are quite a number of ways to handle this; one of the simplest is to just use another form.
If you’re extra careful about missing one of these requests (such as if you ARE in the EU or have an office there, etc.), there are a number of extensions and add-ons for the big forms plugins that will add an extra layer of assurance, notifying you by different means when a form is submitted: Slack, Twilio, Zapier (to use a notification service of your choice), and ClickSend.
Of course you have questions about this, we did…
Our purpose in this article is to inform you about the GDPR as simply as possible. We want each and every one of our clients at The Army of Flying Monkeys to transition into the post-GDPR world as effortlessly and as painlessly as possible.
We’ve done our absolute best to read as much as possible about these new regulations and provide the most accurate information as we can here. We’ll also continue to do this and try to update you all as this regulation rolls out and is implemented in its final form on 25th May 2018.
Drop us a line and we can and will address your questions to the best of our ability, and help you make sure your forms and WordPress website comply as best we can.
We certainly don’t have all the answers in this new landscape, as things will for sure change as it gets implemented, but there is a lot we can tackle with a high degree of confidence, especially as relates to your online data collecting forms.
Need some help implementing the above GDPR recommendations?
Just drop us an email or use our (now GDPR Consent compliant!) Contact Form 🙂