The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It was adopted on 27 April 2016. It becomes enforceable on 25 May 2018, after a two-year transition period.
This is an an extensive description or list on how to comply with GDPR. For more information please read the official website.
Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU.
Strengthened consent requirements are the core of the new regulation. If you collect or manage any EU citizen’s data, you must:
Penalization for noncompliance comes in the form of tiered fines that scale to the severity of the violation. Fines cap at 4% of annual turnover or €20 million, whichever is greater.
A data subject is any EU citizen from which you are collecting personal data. GDPR compliance requires data subjects be granted certain rights. What follows is not an exhaustive list, but those rights that are relevant to the collection, processing, and storage of personal data on your website.
Right to Access. Data subjects must be able to request and obtain confirmation that data is or is not being collected on them, and if so exactly what data is being collected, how, where, and for what purpose. That data must also be provided to them in an electronic format free of charge on request.
Right to Be Forgotten. Data subjects must be provided a quick and painless way to withdraw consent and have collected data purged.
Data Portability. Similar to the Right to Access, Data Portability requires that data subjects are able to request, obtain, and/or transfer possession of collected data at any time.
Breach Notification. If a breach/unauthorized access of personal data takes place that is likely to “result in a risk for the rights and freedoms of individuals”, notification must be made within 72 hours of becoming aware of the breach.
Not all your forms are necessarily going to be impacted by the GDPR, as long as they are anonymous. In other words, if you’re not collecting personally identifiable information on users, your form’s not impacted. However most of your forms will collect name, email, phone numbers,... and GDPR will impact those forms.
It’s actually not that hard to make your Contact Enhanced forms compliant. Let’s take a look at options.
If you don't need to keep a record of any data from our forms, then simply don’t store/record the data (form submission). This eliminates any question of GDPR compliance with Contact Enhanced.
Most of us need to collect the form data and disabling this setting is just not an option. Let’s look then at how we can collect data and still comply with EU GDPR. Follow these steps:
Explicit consent has to be obtained before the form is submitted and any data collection can take place. You must notify the user that this form is collecting personal data with the intent to store that data. You’re also responsible for letting the user know how that data will be stored and used.
There are two ways to ask for user consent:
Add only one option with the Consent Request and under the General Parameters tab set to Hide the Form Field Label. Example:
How it will look like in the front-end:
You are responsible to associate submitted data with the submitter.
The simplest means would likely be to always collect an email address when you collect personal data of any type. Submissions can easily be searched by email address in the back-end:
This will allow you to easily pull together submissions from a given user and either provide an export or delete them on request.
You can also create a Contact Enhanced → Recorded Messages front-end Menu item, so your users can access their Messages and check for themselves which information you have on them. For example you can view your Recorded Messages on our website.
If you don't need to keep Recorded Messages for a long period you can remove them periodically using the Contact Enhanced Cron Plugin (included in Contact Enhanced PRO package only).
Joomla 3.9 introduced the Privacy Component, which allows you to easily respond to user data requests and data removal. Contact Enhanced released a new Privacy plugin to add compatibility with this new component.
This plugin is included in Contact Enhanced PLUS and PRO version.