GDPR compliance and Flo Forms
As you’re probably aware, the rules for collecting personal data change significantly on May 25th, 2018, when the GDPR (General Data Protection Regulation) becomes enforceable. GDPR applies to anyone who deals with clients, or collects information about clients, located in the EU, which will be a large portion of you.
In preparation for the GDPR, we are rolling out updates to our Flo Forms plugin, available now. Version 1.6 adds a message block that lets you place a disclosure on your contact form stating that you will be collecting the visitor’s information.
It also allows you to link to your privacy policy, which should outline what you do with this data.
Disclaimer: we are not lawyers and this is not legal advice. For full details on how to comply, we highly recommend speaking with a lawyer who deals with GDPR to make sure that your site is compliant. What we offer below are practical steps that should put your forms in good shape.
What is GDPR
The General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. The directive was enacted in 1995, while the internet was still young, so it was definitely due an update. The change is much more than a simple refresh of existing policy, however. At its core, the GDPR treats control over your personal data as a fundamental right.
The GDPR gives people in the EU control of their personal data by granting them the right to know when personal data is being collected, what data is being collected, to access that data, and to have it erased on request. That is just a general overview; we’ll get into the details below.
In short, the GDPR is a data privacy regulation that modernizes and harmonizes data privacy law across Europe and applies to any organization processing the personal data of people in the EU.
Impact and Scope of the GDPR
The GDPR makes several key changes to privacy law and establishes basic data subject rights for everyone in the EU. We’ll look at each in turn below.
Increased Territorial Scope
The reach of the GDPR is not limited to organizations based in the EU. It applies to any website or organization that handles the personal data of people in the EU, no matter where in the world the servers or administrators are physically located. If your site offers services to, or collects information from, people in the EU, GDPR compliance matters.
In technical terms, the GDPR applies to any processing of personal data by both controllers and processors. Article 4 defines a controller as whoever determines the purposes and means of processing personal data, regardless of whether they collect that data directly, and a processor as whoever processes personal data on behalf of the controller. This is a key point: it broadens the scope of the GDPR to anyone involved not just in the collection but in the handling of personal data, including hosting providers, email services and other cloud services.
Explicit Consent Requirement for Data Collection
- Request the explicit consent of every user before any data collection takes place (consent is the lawful basis these forms rely on; the GDPR recognises other bases, such as performing a contract, but consent is the simplest to demonstrate for a contact form). Requests must be in clear, plain, easily understandable language free of legalese, must stand alone from other matters, and must not be buried in other text.
- Have a clear and accessible privacy policy that informs users how collected data will be stored and used.
- Have a means for users to request access to, and view, the data you have collected on them.
- Provide users with a way to withdraw consent and have the personal data collected on them erased; i.e. the “Right to Be Forgotten”.
Penalties and Fines
Noncompliance is penalized with tiered fines that scale with the severity of the violation. The upper tier caps at 4% of annual worldwide turnover or €20 million, whichever is greater.
Data Subject Rights
Basically, a data subject is any person in the EU whose personal data you are collecting. GDPR compliance requires data subjects to be granted certain rights. What follows is not an exhaustive list, but the rights that are relevant to the collection, processing, and storage of personal data on your WordPress website.
Right to Access. Data subjects must be able to request and obtain confirmation of whether personal data is being processed about them and, if so, exactly what data, how, where, and for what purpose. That data must also be provided to them in an electronic format, free of charge, on request.
Right to Be Forgotten. Data subjects must be provided a quick and painless way to withdraw consent and have the collected data erased.
Data Portability. Similar to the Right to Access, Data Portability requires that data subjects are able to request, obtain, and transfer the data they have provided to you, in a commonly used, machine-readable format, at any time.
Breach Notification. If a breach or unauthorized access of personal data takes place that is likely to “result in a risk for the rights and freedoms of individuals”, the supervisory authority must be notified within 72 hours of becoming aware of the breach, and the affected individuals must be informed where the risk to them is high.
Flo Forms and GDPR
Strictly speaking, a regular contact form only emails you the submission and does not store information about clients on the site, so out of the box the standard contact blocks do not require any additional modification (bear in mind that the emails you receive still contain personal data and fall under the same rights). However, those of you using Flo Forms to collect and store your clients’ information will need to make a few updates to comply.
If you use eCommerce or any other forms that collect and store information about users, make sure you also review those plugins’ options for compliance.
How to make Flo Forms Comply
Step 1. Update Flo Forms
Make sure you update your Flo Forms plugin to version 1.0.17. This adds the new block options that let you add further information to your forms.
Step 2. Request for Consent
You must explicitly state that you are collecting a user’s information before the user submits anything on your site. They should also be made aware that you intend to store this data, and how it will be stored and used. Thankfully this is not difficult to implement.
First things first, create a privacy policy. The Right to Access means a user must be informed whether data is being collected, what data is being collected, how, where, and for what purpose. To keep the form itself simple, use your privacy policy to fully disclose your data collection and storage practices, and then link to that privacy policy from the form when requesting consent.
To make your Flo Form compliant, add the ‘Single checkbox’ field.
Then edit the checkbox message to state what information you are collecting and that full details are in your privacy policy, and add a link to your privacy page. To add a link you must use HTML in the message, for example:
<a href="https://mysite.com/privacy/">link text</a>
Replace the URL with the address of your own privacy policy page (use https if your site has a certificate) and the link text with something descriptive such as “privacy policy”.
We recommend making the checkbox field required.
With this setup, your users have to check the box before the form submits, confirming that they consent to sharing their information with you. Because the box is unticked by default and the wording is specific, this gives you a clear, recorded consent for the form, which is what the GDPR asks for; it does not replace the other obligations described below.
Making Data Organized and Accessible
Flo Forms can collect and store data via submissions. To comply with the GDPR you must:
- Be able to provide a user with all personal data you hold on them, on request
- Be able to erase all personal data you hold on them, on request
We recommend collecting the user’s email address and making that field required, as it is the easiest key for finding a user’s submissions. You can then export any data about them if they request it, or delete it.
Allow users to request information
You must offer a way for users to request the information you hold about them. We recommend a simple form for this.
A short form for withdrawing consent or requesting access to your data, placed on your privacy policy page (which every form collecting personal data links to), would be ideal.
That’s it, folks. Follow these simple steps and get your site compliant in no time. If you’re still unsure, we highly recommend that you speak with a lawyer to confirm that your site is in order.