Setting Up Caldera Forms For GDPR Data Requests

Image of sparks flying from the opening of a volcano

The EU privacy laws known as GDPR. WordPress 4.9.6 introduces new tools for replying to requests for a report of collected Caldera Forms can add data to personal data exports requested through WordPress. In addition, entries containing personally identifiable information will be deleted as part of WordPress’ personal data eraser.

By default, no Caldera Forms data is reported by the exported and no data Caldera Forms is effected by the eraser. You must enable to exporter on a per form basis. This page will show you how to setup a form so that the export and erase is enabled and the right data is reported.

Background Information

Hey there, we are not lawyers! We are doing our best to help, you should not take any of this as legal advice.

You can learn more about the GDPR from the European Commission’s Data Protection page. For more information on other GPDR compliance tools in Caldera Forms, see our main GDPR documentation page.

According to Wikipedia “A processor of personal data must clearly disclose what data is being collected and how, why it is being processed, how long it is being retained, and if it is being shared with any third-parties. Users have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances. Public authorities, and businesses whose core activities centre around regular or systematic processing of personal data, are required to employ a data protection officer (DPO), who is responsible for managing compliance with the GDPR. Businesses must report any data breaches within 72 hours if they have an adverse effect on user privacy.”

A Beginner’s Guide to the EU General Data Protection Regulation (GDPR) Initiative

Caldera Forms aims to provide the tools to help you stay compliant with the European Privacy laws GDPR regulations. We can not say that Caldera Forms will make your site 100% GDPR compliant, but we aimed to give you the tools you need as part of a larger strategy.

What Is Personally Identifying (PII) Data ?

According to the regulation, personally identifying (PII) data “means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

Using The Privacy Settings Page

Caldera Forms Privacy Page Without Form SelectedTo begin, go to the Privacy Settings submenu item of the Caldera Forms menu in the WordPress dashboard. When you load the screen, you will see a selector at the top with an option for each form.

Caldera Forms Privacy Settings Not Enabled

 

Once you select  a field, you will see its settings. By default, not much is there, as the exporter is not enabled by default. Click the Enable checkbox. Checking this box will add this form’s data to PII exports and will allow entries to be deleted by eraser requests.

Once you have enabled exports, you will see checkboxes for each of your forms fields that could be saved to the database:Caldera Forms privacy field settings

For every form that could be saved to the database, you will see an option called Personally Identifying Field. This asks if this field collects personally identifying information. Checking this box sets the field to be included in data exports. This designation can also be set in the field settings. For fields that are email fields or text fields, you will have an option called Email Identifying Field. You can use this field to indicate whose personal identifying information an entry belongs to.

When you are done, click the Save button.

How Caldera Forms GDPR Data Exports and Erasers Work

When a request for personal data export is created, data from any form with GDPR data export enabled will be included. Requests are made by email address. All entries of the form, that has that email address as the value of any field marked as an Email Identifying Field will be reported. The data included in the result will be the values of the fields indicated as Personally Identifying Field.

When an erase request is made. The same look up is done as the for the export, except all entries that match are deleted.