GDPR Compliance: WordPress & Gravity Forms

Boring but somewhat important note: General Data Protection Regulation compliance (GDPR compliance) and how Gravity Forms GDPR compliance is implemented is a legal topic and it’s best to seek qualified legal advice regarding its implementation in your business. Although this article offers technical detail about some aspects of its implementation, it in no way constitutes or is a replacement for qualified legal advice and Rigorous can not be held liable for any legal issues as a result of its usage or interpritation.

General Data Protection Regulation Compliance (GDPR compliance) is coming to the EU and its remit covers any website or business who comes in to contact with data originating from an EU citizen. With Europe representing 10% of the Earth’s population, chances high are that at some point your business is going to have some data from one of them.

WordPress Contact Forms

Here at Rigorous, we often use Gravity Forms for our WordPress contact forms. Gravity Forms saves a lot of useful information and, in addition to sending it via email to you, it also maintains a log of entries in the WordPress administrator dashboard for you to view. That’s very handy if, for any reason, that email doesn’t reach you, and also allows you to export all previous entries together at a later date into an Excel-friendly format. Very useful!

But how does this relate to Gravity Forms GDPR compliance? Lets take a look at what might be in a normal contact form, and whether it’s considered “personal data” (and so falls under the remit of GDPR):

  • Name – Likely to be considered personal data
  • Email – Likely to be considered personal data
  • Message – Possibly contains personal data

Based on the above, it’s clear that we need to make sure our forms conform to the new rules of GDPR compliance.

How to improve Gravity Forms GDPR compliance

Gain consent to “process” the visitor’s data

First of all, we need to make sure the person filling in the form knows we’ll be “processing” (saving and sending on via email) their data. This is an important first step; GDPR compliance is built around the idea of protecting users from unauthorized data collection by requiring explicit consent on their part.

There are a couple of options here:

  1. Add in a required checkbox field with wording explaining what you’ll do with their data. Something along the lines of “I consent to my submitted data being collected and stored” will probably do. Ensure any third party feeds (such as the Gravity Forms Mailchimp addon) check that the user’s filled this field in before their details are sent on to any other databases or systems
  2. Install a GDPR plugin with a Gravity Forms integration. WP GDPR Compliance (available here) is one we’re using for our WordPress support clients. This does require a bit of further setup, but once installed it’s fairly straightforward

Filtering out unnecessary data

Gravity Forms also saves some other data against form entries that can be seen as “personal data”, including IP address (sort of like a house number for computers on the Internet) of the user filling in the form. The safest thing to do with that, unless you’re using it, is to block it.

Adding this to your theme’s functions.php file will do the trick (if you’re not sure how to do that we can help!):

add_filter( 'gform_ip_address', '__return_empty_string' );

What about encryption/HTTPS?

One of the things GDPR does is make an SSL certificate (the thing that gives you the little green padlock in your browser, sometimes called HTTPS) pretty much manditory. If your site sends personally identifiable data (name and email, for example) across the Internet from someone’s computer to your website as plain text, it’s probably going to be frowned upon.

The good news is there are lots of easy ways to get an SSL certificate now. You can often buy one from your hosting company; there’s even free ones available via companies like CloudFlare and Let’s Encrypt but they do require varying levels of technical ability. Our partners over at WP Buffs have an excellent guide to SSL if you want to read more indepth on the subject.

What about access requests and keeping data up to date?

There are a number of third party plugins that allow visitors to edit their entry data after they’ve submitted it and see it on the front end of your website. GravityView is perhaps the best known, but there are lots of others available. You’ll probably also want to update the emails and notifications that go to the visitor to make sure they point out that visitors can edit or update their data at any time once you’ve added this feature.

Can’t I get someone else to do it?

Of course! We’re implementing GDPR across our client’s sites so if you want us to, you just need to sign up for our monthly rolling WordPress Support and ask! Or, if you’ve got a specific question, just get in touch