GDPR Compliance and Joomla Forms: Everything You Need to Know

15 Apr 2018 19:54 - 19 Apr 2018 13:01 #1 by Demis [Fox-Labs]

Content index

1. What is the GDPR?
2. What kind of forms do you need to worry about?
3. How can you comply?
- A. Request Consent
- B. Have a channel for user requests
4. Questions?


Using Fox Contact, GDPR compliance is easy. Let’s begin exploring the GDPR and how to make this transition as painless as possible.

1. What is the GDPR?

The General Data Protection Regulation (GDPR) is a data privacy regulation that modernises and normalises data privacy laws across Europe.
It gives EU citizens control of their digital data by empowering them with the right to know what personal data is being collected, access to that data, and to purge it on request.
While it applies to any organisation collecting data on EU citizens, it is clearly written with Social Networks and Cloud Service Providers in mind, in order to regulate their automated decision-making algorithms and data profiling.

The GDPR makes several key changes to the previous privacy law, and introduces basic rights for all EU citizens. We’ll look at each in turn below.

Explicit Consent Requirement for Data Collection
The user consent requirement is at the core of the new regulation. If you collect or manage any EU citizen’s data, you must:
  1. Request the explicit consent of every user before any data collection takes place. Requests must be in clear, plain, easily understandable language free of legalese. It also must stand alone from other matters or requests and not be buried in other text.
  2. Have a clear and accessible privacy policy that informs users how collected data will be stored and used.
  3. Have a means for users to request access and view the data you have collected on them.
  4. Provide users with a way to withdraw consent and purge personal data collected on them; i.e. the "Right to Be Forgotten".

Data Subject's Rights
A data subject is any EU citizen from whom you are collecting personal data. GDPR compliance requires that data subjects be granted certain rights. What follows is not an exhaustive list, but just those rights that are relevant to the collection, processing, and storage of personal data on your Joomla website.

Right to Access. Data subjects must be able to request and obtain confirmation that data is or is not being collected on them, and if so exactly what data is being collected, how, where, and for what purpose. That data must also be provided to them in an electronic format free of charge on request.

Right to Be Forgotten. Data subjects must be provided a quick and painless way to withdraw consent and have collected data purged.

Data Portability. Similar to the Right to Access, Data Portability requires that data subjects are able to request, obtain, and/or transfer possession of collected data at any time.

Forms can collect data provided by your visitors, both guests and members. How can you maintain GDPR compliance while using Fox Contact? Let’s dive into the details of what this new regulation means for you and your Joomla website specifically.

2. What kind of forms do you need to worry about?

When it comes to data collection through your forms, we can speak with a high degree of certainty: the GDPR isn’t looking that scary.
First, not all your forms are necessarily going to be impacted by the GDPR.

If you are OK with just receiving an email and don't need a record of the data collected on your server, then simply don’t store the data in the database. This eliminates any question of GDPR compliance.
Just go to the Actions tab of the form and switch off the "Save to database" action.



This case is equivalent to the situation where users send you an e-mail themselves of their own free will. You don't worry about complying with the GDPR for incoming email, right?
This is true as long as you don't collect data for automated decision-making algorithms and data profiling, which are the real targets that the GDPR regulation addresses.
You may also want to prevent Fox Contact from storing attachments in your web hosting space. For this purpose, enable the option "Delete on completion" in the Attachments field.

On the other hand, if you collect enquiries in the database for automated processing or data profiling, or if you subscribe users to any newsletter together with the form submission, that's another story. In this case GDPR compliance becomes important. So, how do you comply?

3. How can you comply?

Before you collect basic personal information (email addresses, names, financial information, etc.), you’ll need to get clear, unambiguous affirmative consent, while before collecting sensitive personal information (sexual orientation, health data, political/religious views, etc.), you’ll need to get explicit consent.

A. Request Consent

Explicit consent has to be obtained before the user submits the form. They must be made aware that this form is collecting personal data with the intent to store it.

Informing the user and requesting their consent can be achieved in different ways.

Alternative #1: Using our exclusive "Acceptance" field
Enter your privacy policy into the HTML property of the field. It will be shown in a scrollable area just below the acceptance checkbox.



Alternative #2: Using a simple "Checkbox" field
If you want to keep it simpler, use a Checkbox field to ask for the user's consent and make it mandatory. You can also link your privacy policy in the checkbox label. This is the solution used by the European Union official website; it is shown in our Demo page and described in this topic: How to link a privacy policy in a popup window.
This setup prevents data from being submitted unless consent is explicitly granted. If you want the form to submit without consent being granted (that is, the checkbox field not being required) you can do so and still remain compliant. Just use our SDK plugin to run the "store the enquiry" action only if the checkbox has been ticked. Data won’t be stored unless consent has been granted. Fringe use case, but still there if you need it.



Alternative #3: Using an "HTML" field
When collecting non-sensitive data, some people prefer to notify their users that submitting the form implies giving consent to data collection. This is done with an HTML field, without the need for a Checkbox.




B. Have a channel for user requests

GDPR compliance requires that you be reachable and responsive to user requests for data that you’ve collected on them either to view or delete. There are a number of ways to handle this also, but obviously we recommend a form!

A simple form for withdrawing consent or requesting to view the data, placed on your privacy policy page (which is linked to by any form that collects personal data), will do the trick nicely.
From there it’s just up to you to be responsive and to ensure that the user really is who they claim to be before disclosing their personal data.


4. Questions?

Our intention is to inform. We’ve done our best to parse these new regulations and provide the most accurate information possible. We’ll also continue to update as the regulation moves towards implementation in its final form in May of 2018. Continue to check back with us here for those updates.

We will answer your questions to the best of our ability through our support ticketing system. We certainly don’t have all the answers, but there’s a lot we can tackle with a high degree of confidence, especially as it relates to your forms.
