How to Create GDPR Compliant Forms

In this guide, we’ll discuss general considerations for GDPR compliance in your Joomla forms.

First, an obligatory disclaimer: We’re not lawyers and what follows isn’t legal advice. We have a vested interest in your success under the GDPR, but if you need concrete legal counsel, talk to a lawyer.

On May 25, 2018, new regulations will go into place within the EU that pertain to data collection. You can find the full overview via official sources, but here’s the gist:

In the simplest terms, what GDPR (General Data Protection Regulation) does is protect users from unauthorized data collection by requiring explicit consent. If data is being collected and stored, the individual providing the information needs to be aware of it and give permission before any action is taken.

Along with providing permission to collect data, the GDPR requires that users are able to request access to their data and have it removed if requested.

What Forms Do We Need to Worry About?

Not all your forms are necessarily going to be impacted by the GDPR. Running an anonymous survey or a quiz? If you’re not collecting personally identifiable information on users, your form’s not impacted. However, if you are asking for a name, email or address, the GDPR impacts that form. So, how to comply?

Before collecting or storing user data under GDPR, you would need to request their consent.

This can be easily resolved by adding a required checkbox field to any forms that need to be compliant. This way users will not be able to submit the form without explicitly offering consent.

To do this, first navigate to Components -> Convert Forms and create a new form or edit an existing form. Then, from the Add Field tab click on the Terms of Service field.

Convert Forms Add GDPR Field

Once the field has been added to the form, you can add text for user consent in the field settings panel. For this example, we’ll add “I consent to site.com collecting and storing my data“. You can also include a link to a more detailed Privacy Policy that users can access to read about how their privacy is handled on your website.

The most important property of the field should be the required status. Hopefully, the Convert Forms Terms of Service field is by default a mandatory field. This way, you’ll know that every submission is compliant because without providing consent, the submission would not complete.

Frequently Asked Questions

Can I prevent Convert Forms saving the entries to the database?

Preventing Convert Forms from saving the submission into the database is on the roadmap with a high priority and it will be available in a future release. Until then, there's a workaround by running a one-line PHP Script that deletes the created submission after it has been stored into the database. Delete submission from the database

It's important to note though that GDPR does not prohibit saving of personal data to the database, it just requires that you to gain consent before doing so.

Can the user view or edit their own submissions?

Currently, allowing the user to view or edit their own submissions is not possible with Convert Forms but it’s on the roadmap as well.

Does Convert Forms save the IP address of the user?

By default, the IP address is not being saved into the database unless you choose to do so using the appropriate {ip} smart tag.

Is there any penalty or fine for noncompliance?

Penalization for noncompliance comes in the form of tiered fines that scale to the severity of the violation. Fines cap at 4% of annual turnover or €20 million, whichever is greater.