Create GDPR compliant forms in Joomla! with RSForm!Pro

in RSForm!Pro on 26 Jan 2018 having 17
RSForm!Pro GDPR Compliant Forms

1. What is GDPR?

Let's start with the beginning, GDPR stands for General Data Protection Regulation. As the name implies this is related to the user data recorded by websites when someone navigates or uses their services. The purpose of the GDPR is to improve data privacy and also the way companies/businesses approach or plan this matter.

2. Will it affect my business?

Yes, as long as you record information that can uniquely identify an individual (for example: names, photos, email addresses or IP address) you will need to comply to the new standard. The only exceptions are anonymous forms like polls or quiz forms that do not collect any personal data.

This will affect both companies that are located in EU and also those outside of the EU that process personal information regarding EU citizens.

The new legislation will be imposed starting with the 25th of May 2018.

3. What are the GDPR requirements?

Explicit Consent

Explicit Consent: users need to give explicit consent for the website to collect their information. This consent cannot be masked in a lengthy 'Terms and conditions' text, but needs to be separate and very clear to the user.

Access to information

Access to the offered information: you need to allow users to view the information collected from them on your site.

Allow option to remove information

Option to remove the information: you will need to offer users an easy way to withdraw their consent and remove their information from your site.

4. How can RSForm!Pro help me with this?

Since RSForm!Pro covers all the main requirements of the GDPR, all you need to do is install the component and you will be able to build GDPR compliant forms in no time at all. One key factor in this scenario is the fact that you will need to allow access to your form only to logged in users. Since all your site content is accessed through menu items, you can easily control the Access level of an item in order to restrict it only to logged in users.

If you are using a normal link in your content, then you can restrict the viewing of the form to logged in users only through the Access setting found in the Form info tab of the form configuration.

Now let’s see how RSForm!Pro handles each of the main aspects of the GDPR standard. We will adjust the default Simple contact form example available in the new form wizard.

Simple Contact Form Example
a. Explicit consent

This can be resolved with the help of a Checkbox field.

Add Consent Field

The most important property of the field should be the required status, this way users will not be able to submit the form without explicitly offering consent. You can easily set a field to be required from the Validations tab of the field configuration, just set the Required property to Yes. The label of the checkbox field should be something similar to 'I consent to RSJoomla! collecting my details through this form'.

Make Consent Field Required Submit The GDPR Form

You can also include a link to a more detailed Privacy Policy that users can access to read about how their privacy is handled on your website.

b. Allow submitters access to the offered information

RSForm!Pro offers a specific listing in the frontend that can be used to view submissions recorded through your form, the Submissions Directory listing. Since privacy is of most importance you will need to ensure that the submissions listing will only list the submissions made by the currently logged in user. This is easily done by accessing the Submissions Directory menu item configuration and setting the Show submissions for the User ID property to: login.

Submissions Directory Menu Item
c. Allow submitters to remove the information

With RSForm!Pro you can provide this in two ways:

1. Through the frontend Submissions Directory listing. You have full control over this listing, from the fields that are displayed in the general listing, the fields shown in the details view of a submission to enabling CSV, PDF exports and also controlling the edit and delete permissions. As was the case for the general listing, each user should only be allowed to edit and delete his own submissions, this is controlled through the Permissions tab of the directory configuration. When accessing this tab you will see a list of user groups which can be used to grant edit and delete permissions, you just need to select the Edit own submissions and Delete own submissions options.

Submissions Directory Listing

After this is done you will also need to make sure that only logged in users can access this listing, this way the component will be able to uniquely identify the submissions made by the currently logged in user and provide him with a means to remove his data from your records.

Submissions Directory Permissions

2. Through the component specific emails. RSForm!Pro offers the possibility to send multiple emails during the submission process, the most noticeable being the User and Admin emails. In these emails you can use global or field specific placeholders in order to send information regarding the submission to the user.

Email Received

Since the goal is to offer users the possibility to remove their details from your site, we will be using the User email in our configuration. When editing the form you just need to navigate to the User Emails tab, configure the body of the email by clicking the Edit the email text button and including the following global placeholder: {global:deletion}.

Email Configuration

This will create an encrypted link in the body of the email that when clicked by the user will delete the submission from the database, thus removing the user information in accordance with the new GDPR standard. The advantage of this method is the fact that users do not need to be logged in on your site in order to remove the information, simply clicking the encrypted link will trigger the removal.

Submission Deleted

Closing notes

As you can see the modifications that need to be implemented are not exhaustive, but we strongly recommend better familiarizing yourself with this new standard. The best starting point for this is the official GDPR website.

We hope that this article has helped clear some of the confusion related to this subject and helps you easily migrate to the new standard once it is enforced.



Subscribe to our blog

Found this article interesting? Subscribe to our blog for more.



Gravatar
Anita - 01.06.2018 (08:08:19)
rsformpro blog GDPR

In your article you write:
You can also include a link to a more detailed Privacy Policy that users can access to read about how their privacy is handled on your website.

HOW can I do this? I cannot make any link in the textboxes.
Please advise

Quote
0

Gravatar
serge billon - 01.06.2018 (07:00:41)
french translation and +

hello, I have done the translation and added some sentences in french, just to say that your user must be logged when he fills the form if you want him to access to his own submissions, and that you must choose the field to display on the submission view page.
https://www.web54.fr/rgpd/creez-des-formulaires-conformes-au-rgpd-dans-joomla-avec-rsform-pro

Quote
0

Gravatar
Luca Orlandi - 19.05.2018 (16:14:34)
how to remove a joomla registered user activated by joomla integration?

Hi, if I activate the listing and follow your tutorial, I am able to edit and delete the user submission, but seems the related joomla user "registered " with RSformPro and your plugin "Joomla! User Registration" stay active.
How I can remove the joomla users?

Quote
0

Gravatar
Miles Reid - 25.04.2018 (04:22:33)
GDPR

I would like to join with so many and complement you on a very helpful and informative article.

I am sure that most people are concerned that the process of compliance will deter website visitors from completing and submitting a web form.
With this in mind, would I be complying with the GDPR if I allowed a visitor submission without a login process, and then include a username & password in the user confirmation email? This would allow them to login at later date and view their data if required.

I'd be interested to hear people's views on this
Best wishes
Miles

Quote
0

Gravatar
Catalin Teodorescu - 20.04.2018 (08:30:03)

Quote :
This guide is very useful and interesting but unfortunately requires all users to be registered before sending a form.
A user who wants to remove the data entered in a form will probably want to remove them from Joomla! too.
Regarding all websites that didn't require registration, the problem of data deletion now arises for the user's data stored in the database, and Joomla! provides no way for a user to remove his account by himself.


Please take a look at our newly released blog post regarding GDPR compliant forms without needing an user account or login: https://www.rsjoomla.com/blog/view/438-create-gdpr-compliant-forms-without-requiring-user-login.html

Quote
0

Gravatar
nick papadopoulos - 20.04.2018 (05:51:47)

Thank you for this guide.

I was wondering if there was another type of solution:-
As a registered user, surely users should be able to go into the core 'edit my profile' and the checkbox should be mapped to a 'custom field' ?

I just checked - not able to map an RS Form field to a user 'custom field', or am I missing something?

Quote
0

Gravatar
Fresco - 17.04.2018 (12:55:50)
Delete attachment

Hi, when users submit a form with attachment fields, they actually upload a file. Is there a way to delete that file automatically as well when requested, since it may contain personal data as well?

Quote
0

Gravatar
andrew connell - 13.04.2018 (07:37:14)

Quote :
This guide is very useful and interesting but unfortunately requires all users to be registered before sending a form.
A user who wants to remove the data entered in a form will probably want to remove them from Joomla! too.
Regarding all websites that didn't require registration, the problem of data deletion now arises for the user's data stored in the database, and Joomla! provides no way for a user to remove his account by himself.


There is a script that has been written her by Peter Martin that may be useful to others - https://gist.github.com/pe7er/47bf1020b12ef29df8603fa80d1fdccd

Could something like this be added to RSForm Core, where when the form data is stored on the database, there can be a selection for how long this is stored?

Quote
1

Gravatar
Simon Logan - 03.04.2018 (09:50:38)

I believe that the requirement for giving the customer what data you hold on them, and allowing them to request its removal, is non-specific about how this is done - so the process described in your post is useful in being able to allow users to do this themselves but raises the issue of requiring them to register, potentially even for something as simple as a contact form.

Would I be right in thinking that an alternative would be to simply create a page, perhaps with a form on it (which doesn't store their data!) which emails us a request which we can then *manually* fulfill?

Quote
0

Gravatar
Octavian Cinciu - 27.03.2018 (07:33:25)

Quote :
Will disabling the save of the form data to the database solve the GDPR problem?


You can set "Save Data to Database" to "No" from "Form Properties" > "Form Info"; this will prevent data from being stored on the server.
If you configure the User and Admin Emails so you have a copy of the data being submitted (and then it's your obligation to delete the email if requested), you should be good to go.

This will also circumvent the necessity of a user being registered on your website.

Quote
3

1000 Characters left