Looking for a way to make Gravity Forms GDPR compliant?
Put into effect in May 2018, the General Data Protection Regulation (GDPR) is a European Union law that governs data privacy and protection across the EU.
While the law has many provisions, the basic idea is that it governs the type data your website can store, how you store it, and how long you can keep that data for.
If you use Gravity Forms on WordPress, you’re almost certainly collecting personal data that falls under the GDPR at your WordPress site, including a form submitter’s name, IP address, email, location, and more.
To help you ensure Gravity Forms GDPR compliance in WordPress without losing the ability to save form entries, we’ll show you how to automatically delete Gravity Forms entries after a certain period of time to comply with the GDPR. We’ll also explain how you can ensure Gravity Forms HIPAA and CCPA compliance.
Storing Gravity Forms Entries is Essential for Proper Functioning
The easiest way to ensure Gravity Forms GDPR compliance in WordPress would be to just never store any form entries on your WordPress site or WooCommerce store.
But while that’s quick and simple, it can cause a number of issues with your forms:
- If you have email deliverability issues for your notifications, you might completely miss contact form entries or other submissions.
- Any files that were uploaded along with the entry are lost if you don’t save the entry.
- The Gravity Forms User Registration add-on won’t work because it requires the entry to remain while there is a pending registration.
- If you send form entries via a third-party API service and that API goes down, you’ll completely lose those entries. This applies to email marketing services (e.g. Mailchimp), CRMs (e.g. Hubspot), etc.
- Any add-ons that do asynchronous processing (Dropbox, Webhooks, etc.) won’t work.
So for those reasons, completely disabling form entry storage really isn’t the best strategy to ensure Gravity Forms GDPR compliance in WordPress.
…But Storing Form Entries Permanently Can Run Afoul of the GDPR
Storing form data is helpful to the functioning of your site and the integrity of your forms, but permanently storing that form data can get you into trouble with the GDPR.
According to the European Commission’s FAQ page on data storage, “Data must be stored for the shortest time possible.”
There’s no hard rule here, but you’ll want to keep in mind what you’re using the data for when you come up with your estimate. For example, for a simple contact form or form with asynchronous processing, a week might do the job.
On the other hand, if you’re processing contract information, there might be organizational or statutory reasons why you need to hold on to the data for a longer period of time.
What’s more, the European Commission also states that site owners “should establish time limits to erase or review the data stored.”
And these two facts lead to the point of this post:
You can store your Gravity Forms entries to ensure the integrity of your forms and integrations. But if you want to make Gravity Forms GDPR compliant, you should not store those entries permanently and you should also set up time limits after which you delete the data from your form submissions.
This ties in with the “right to be forgotten” in the GDPR framework and also ensures you don’t need opt-ins or a data request page for users because you’re not permanently storing any user data in Gravity Forms.
Below, we’ll show you how to automatically delete form data using the Entry Automation plugin from CosmicGiant.
How to Automatically Ensure Gravity Forms GDPR Compliance in WordPress
To automatically make Gravity Forms GDPR compliant by not storing data, you can use the Entry Automation plugin from CosmicGiant to automatically delete Gravity Forms entries after a certain period of time.
You can set your own automatic deletion schedule based on “the shortest time possible” for your website, with options to automatically delete entries hourly, daily, weekly, or monthly.
Once you’ve installed and activated the Entry Automation plugin, here’s how to use it to set up Gravity Forms GDPR compliance in WordPress.
1. Create a New Entry Automation Task
To get started, click on the Forms tab in your WordPress dashboard to open the list of all your forms. Then, hover over the form that you want to make GDPR compliant and click Entry Automation in the Settings drop-down.
This will open a list of entry automation tasks for that form. Click Add New to create a new task.
Enter an internal name for the task to help you remember what it does in the Entry Automation settings page. Then, select Delete Entries next to the Automatic Action setting:
2. Choose How Often to Delete Form Entries
Next, you can use the Start Running Task option to choose when to start deleting entries.
Below that, use the Run Task Every setting to choose how frequently to delete entries. For example, you could run the task every 7 days to delete your form entries after a week.
Remember, to ensure Gravity Forms GDPR compliance in WordPress, you’re supposed to store the data for “the shortest time possible”, so you’ll want to run the task as frequently as you can without negatively impacting your workflows:
3. Select Which Form Entries to Delete
Now, you can use the Select Date Range setting to control which entries the plugin will delete, using natural language.
This date range is relative to the time that your task runs. For example, if you enter “7 days” in the To date range, the task would delete all form entries up until 7 days before the task runs:
Any form entries that were submitted within the last 7 days would not be deleted yet, but any form entries that are older than 7 days would be deleted.
Again, the date range is relative, so every time the task runs it will delete all the new form entries that were submitted more than 7 days ago (or whatever time frame you specify).
4. Use Conditional Logic If Needed
Depending on your workflows, you can also use the Conditional Logic checkbox set up conditional logic to handle automatic entry deletion differently depending on how a user filled out the form.
For example, you could delete unimportant entries a day after submission while holding entries with important data for a longer period of time.
This granular control gives you another way to make sure you’re only storing data for the least amount of time possible.
Gravity Forms HIPAA and CCPA Compliance
In addition to GDPR compliance, you might also want to ensure Gravity Forms HIPAA (Health Insurance Portability and Accountability Act) and CCPA (California Consumer Privacy Act) compliance.
Here are some solutions we recommend:
- Create Gravity Forms HIPAA compliant forms using the HIPAA FORMS plugin.
- Use the CCPA Framework plugin to ensure Gravity Forms CCPA compliance in your web forms.
Using these plugins, you can make your Gravity Forms HIPAA and CCPA compliant in a few easy steps.
Ensure Gravity Forms GDPR Compliance Today
Saving form entries is important to the integrity of your data and functioning of your form integrations. But if you want to ensure Gravity Forms GDPR compliance in WordPress, you shouldn’t store those entries permanently because the GDPR specifically states to store data for “the shortest time possible” and “establish time limits to erase or review the data stored”.
To make Gravity Forms GDPR compliant while still initially saving form entries to your database, you can automatically delete entries after a certain period of time.
The Entry Automation WordPress plugin from CosmicGiant helps you automatically remove old Gravity Forms entries once you no longer need them to ensure Gravity Forms GDPR compliance in WordPress.
Purchase Entry Automation today and you’ll have Gravity Forms GDPR compliant in no time.