Note: This post does not constitute legal advice.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a European Union regulation designed to protect private Personally Identifiable Information (PII) for all European Union citizens. In short, it is designed to protect users from unauthorized data collection from the websites they use. To do this, the GDPR requires that users give explicit consent to having their data collected. The GDPR affects all companies that have users from the European Union, not only companies based in the E.U. If you have an online business or website, chances are that you will be affected by GDPR. Companies must be compliant by May 25, 2018. You can read more about the specifics of the GDPR on the official website.
What is Personally Identifiable Information (PII)?
Personally Identifiable Information is any information that can be used to identify a specific individual. This includes (but is not limited to):
- Name
- Address
- ID Numbers
- Web data such as:
  - Location
  - IP Address
  - Cookie data
  - RFID data
- Biometric data
- Racial, ethnic, or other demographic information
- Political views and opinions
- Sexual orientation and gender identity
Gravity Forms and Personally Identifiable Information
Any Gravity Forms field can potentially be used to gather the information listed above. Some information that can be considered sensitive and personally identifiable (i.e. can tie the entry to a specific person) is gathered implicitly:
- gf_entry.ip – A person’s IP address
- gf_entry.user_agent – The type of browser being used
- gf_entry.transaction_id – If making a purchase with the form, this is the payment ID connected to the payment processor
- gf_entry.created_by – The WordPress user ID of the person
As such, if you are using Gravity Forms, you should be sure to make your website compliant!
GDPR and WordPress
The WordPress community is hard at work on some tools that help WordPress users get GDPR-compliant:
- The latest version of WordPress (4.9.6) includes a number of privacy tools, including a Privacy Policy page-creator, options for deleting and exporting data, and more. Read the full post here.
- This guide on WordPress.org is for developers writing plugins that handle personal data.
- These three plugins help make your website GDPR-compliant. Note that they don’t guarantee 100% compliance – you’ll need a lawyer for that!
  - WP GDPR Compliance Plugin
  - Codelight GDPR Framework. Currently doesn’t support Gravity Forms, but they have plans to add it soon.
  - This add-on will make your Gravity Forms GDPR-compliant. Unfortunately, it’s not free.
How to Be GDPR Compliant with Gravity Forms
First, give this guide on the Gravity Forms site a read. In short, Gravity Forms recommends adding a required checkbox to any forms that need to be GDPR-compliant. This checkbox should make it absolutely clear that the user’s data is being collected.
The easiest way to comply would be to add a required checkbox to any forms that need to be compliant. Adding a simple checkbox field that states something along the lines of “I consent to my submitted data being collected and stored” will usually do the trick. Be sure to make it a required field, and the first part is done. This way, you’ll know that every submission is compliant because without providing consent, the submission would not complete.
As noted in the article, it’s very important to make this checkbox a required field. If your field is not required, any submitted entries that have not consented to data collection can be considered violations of GDPR.
User Data Requests and GravityView
Another part of GDPR-compliance requires that users are able to request and receive all of their personal information. While the regulation merely requires that businesses provide the data “within a month”, we recommend simply setting up a View in GravityView that allows logged-in users to view, edit and delete the data themselves. To do this, you’ll want to limit search results to only show entries submitted by the currently-logged-in user. Read this Knowledge Base article for instructions on setting this up.
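As an added illustration of the "only the current user's own entries" rule described above (example code, not GravityView's or Gravity Forms' own), the snippet below pulls a user's entries through the Gravity Forms API filtered on the gf_entry.created_by property listed earlier. It assumes Gravity Forms is active (GFAPI::get_entries and its field_filters search criteria) and that WordPress is loaded; the function name gv_example_get_own_entries is hypothetical.

```php
<?php
// Added example (not from the original post or GravityView's own code).
// Returns only the Gravity Forms entries submitted by the currently
// logged-in WordPress user, keyed on the created_by entry property the
// post lists above. Assumes Gravity Forms is active (GFAPI::get_entries
// and its field_filters search criteria) and WordPress is loaded.

/**
 * Fetch the current user's own entries for one form.
 *
 * @param int $form_id The Gravity Forms form ID.
 * @return array Entries created by the current user, or an empty array.
 */
function gv_example_get_own_entries( $form_id ) {
    $user_id = get_current_user_id();

    // Edge case: get_current_user_id() returns 0 for a visitor who is not
    // logged in. 0 is not a real owner, so refuse instead of querying and
    // risking a filter that matches entries with no owner.
    if ( ! is_user_logged_in() || 0 === $user_id ) {
        return array();
    }

    $search_criteria = array(
        'status'        => 'active',
        'field_filters' => array(
            array(
                'key'      => 'created_by', // entry property named in the post
                'value'    => $user_id,
                'operator' => 'is',
            ),
        ),
    );

    $entries = GFAPI::get_entries( $form_id, $search_criteria );

    if ( is_wp_error( $entries ) ) {
        return array();
    }

    // Defence in depth: re-check ownership on each returned entry so a
    // misconfigured filter cannot hand back another person's data.
    return array_values( array_filter( $entries, function ( $entry ) use ( $user_id ) {
        return isset( $entry['created_by'] ) && (int) $entry['created_by'] === $user_id;
    } ) );
}
```

The same ownership check belongs on any edit or delete action you expose, since a request for another user's entry ID would otherwise bypass the listing filter.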
Other Questions?
If your usage of user data is unique or doesn’t fall under the cases mentioned above, we recommend contacting a lawyer directly.