The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union, regardless of citizenship. It also restricts the transfer of personal data outside the EU. The GDPR aims primarily to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the rules within the EU. It was adopted on 27 April 2016 and applies from 25 May 2018, after a two-year transition period.

This is not an extensive description of, or checklist for, how to comply with the GDPR. For more information please read the official website.

What types of privacy data does the GDPR protect?

Which companies does the GDPR affect?

Any company that stores or processes personal data of individuals in the EU must comply with the GDPR, even if it has no business presence in the EU; offering goods or services to people in the EU, or monitoring their behaviour, is enough to bring a non-EU company into scope.

Explicit Consent Requirement for Data Collection

Strengthened consent requirements are a core part of the new regulation. Consent must be freely given, specific, informed and unambiguous, and it is only one of the lawful bases for processing; where you rely on it for data collected through your site, you must:

  1. Request the explicit consent of every user before any data collection takes place. Requests must be in clear, plain, easily understandable language free of legalese, must stand alone from other matters or requests, and must not be buried in other text. Pre-ticked boxes or silence do not count as consent.
  2. Have a clear and accessible privacy policy that informs users how collected data will be stored and used.
  3. Have a means for users to request access to and view the data you have collected on them.
  4. Provide users with a way to withdraw consent, which must be as easy as giving it, and to have the personal data collected on them purged; i.e. the “Right to Be Forgotten”.

Penalties and Fines

Penalties for noncompliance come in the form of tiered fines that scale with the severity of the violation. The top tier is capped at 4% of worldwide annual turnover for the preceding financial year or €20 million, whichever is greater.

Data Subject Rights

A data subject is any identified or identifiable natural person whose personal data you process, whatever their citizenship. GDPR compliance requires that data subjects be granted certain rights. What follows is not an exhaustive list, but those rights that are relevant to the collection, processing, and storage of personal data on your website.

Right to Access. Data subjects must be able to request and obtain confirmation of whether personal data concerning them is being processed, and if so exactly what data, how it was obtained, where it is stored, for what purpose, and for how long. A copy of that data must be provided to them free of charge on request, in a commonly used electronic format when the request was made electronically.

Right to Be Forgotten. Data subjects must be provided a quick and painless way to withdraw consent and have collected data purged.

Data Portability. Similar to the Right to Access, Data Portability requires that data subjects can receive the data they have provided to you in a structured, commonly used and machine-readable format (for example CSV or JSON) and transmit it to another controller.

Breach Notification. If a personal data breach takes place that is likely to “result in a risk to the rights and freedoms of individuals”, the supervisory authority must be notified within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be notified without undue delay.

GDPR Compliance and Contact Enhanced Forms

Not all your forms are necessarily impacted by the GDPR, as long as they are anonymous. In other words, if you are not collecting personally identifiable information on users, your form is not impacted. Bear in mind that an IP address or session identifier recorded alongside a submission is personal data too. In practice most of your forms will collect names, email addresses, phone numbers and so on, and the GDPR will impact those forms.

How Can We Comply?

It’s actually not that hard to make your Contact Enhanced forms compliant. Let’s take a look at options.

1. Don't store any information.

If you don't need to keep a record of any data from your forms, then simply don’t store/record the data (form submission). This removes the stored copy of the submission and with it most of the GDPR questions around Contact Enhanced; note that the email copy of the submission that reaches your inbox is still personal data you process, so your privacy policy should still cover it.

How to disable option to store form submission data

Most of us need to collect the form data, and disabling this setting is just not an option. Let’s look then at how we can collect data and still comply with the EU GDPR. Follow these steps:

2. Request User Consent

Explicit consent has to be obtained before the form is submitted and any data collection can take place. You must notify the user that this form is collecting personal data with the intent to store that data. You’re also responsible for letting the user know how that data will be stored and used.

The Right to Access states that a user must be informed if data is being collected, what data is being collected, how, where, and for what purpose. That's a lot of information to display on your form, so we recommend creating a simple Free Text Form Field to include a link to your Privacy Policy on your form.

There are two ways to ask for user consent:

a. Create a Checkbox Form Field and set it to required.

 Add only one option, containing the Consent Request, and under the General Parameters tab set Hide the Form Field Label. Leave the checkbox unticked by default: a pre-ticked box does not count as consent. Example:

GDPR Checkbox Consent

How it looks in the front-end:

GDPR Form


b. Configure Contact Enhanced to display the Checkbox for you.

GDPR: Ask for Consent Configuration

3. Make User Data Organized and Accessible

You are responsible for associating submitted data with the submitter, so that you can find, export and delete it on request.

The simplest means would likely be to always collect an email address when you collect personal data of any type. Submissions can easily be searched by email address in the back-end:

Back-end Recorded Messages

This will allow you to easily pull together submissions from a given user and either provide an export or delete them on request.

You can also create a Contact Enhanced → Recorded Messages front-end Menu item, so your users can access their Messages and check for themselves which information you have on them. For example you can view your Recorded Messages on our website.

If you don't need to keep Recorded Messages for a long period you can remove them periodically using the Contact Enhanced Cron Plugin (included in Contact Enhanced PRO package only).

For transparency, you should also state in your privacy policy how you handle this, including how long recorded messages are kept.

4. Have an Open Channel for User Requests

GDPR compliance requires that you be reachable and responsive to user requests to view or delete the data you’ve collected on them. You can create a simple consent withdrawal / data access request form on your Privacy Policy page. Verify that the requester actually controls the email address in question before exporting or deleting anything; otherwise the request channel itself becomes a way to leak or destroy someone else's data.

4.1 Use Joomla's Privacy component

Joomla 3.9 introduced the Privacy Component, which lets you respond to data export and data removal requests from one place. Contact Enhanced released a new Privacy plugin to add compatibility with this component.

This plugin is included in Contact Enhanced PLUS and PRO version.
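As an added illustration of steps 2 to 4 above, the following stand-alone Python sketch shows the data-handling side of the procedure: the consent checkbox is re-checked on the server rather than trusted from the browser, each stored submission carries evidence of the consent given (text, time, policy version), submissions are keyed by a normalised email address so that one lookup finds everything for a requester, exports are produced as machine-readable JSON, erasure leaves only a count behind, and a retention sweep stands in for the cron job. This is example code written for this page, not Contact Enhanced or Joomla code and not a substitute for the Privacy component; the form field name `consent`, the policy version string, the retention period and the sample submissions are all assumptions constructed for the example.

```python
"""Consent-gated storage, lookup-by-email, export, erasure and retention.
Added example for this page; not Contact Enhanced or Joomla code."""
import json
import time
from dataclasses import dataclass, asdict

# Assumed: the published privacy policy version and the exact consent wording
# shown next to the checkbox.  Both are stored with every submission so you
# can later show what the user agreed to.
POLICY_VERSION = "2018-05-25"
CONSENT_TEXT = "I agree to the storage and processing of my data as described in the Privacy Policy."
CONSENT_FIELD = "consent"   # assumed name of the required checkbox field
DAY = 86400


@dataclass
class Submission:
    email: str            # normalised, used as the lookup key
    fields: dict          # the remaining personal data from the form
    consent_text: str
    consent_at: float
    policy_version: str
    submitted_at: float


class SubmissionStore:
    """In-memory stand-in for the 'Recorded Messages' table."""

    def __init__(self, retention_days=365):
        self.retention_seconds = retention_days * DAY
        self._rows = []
        # Records that erasures happened without keeping any personal data.
        self.erasure_log = []

    @staticmethod
    def normalise(email):
        # Case-insensitive match so Ada@Example.org and ada@example.org are one person.
        return email.strip().lower()

    def record(self, form, now=None):
        """Store a submission; reject it if the consent box was not ticked.
        The check runs server-side because the browser can be bypassed."""
        now = time.time() if now is None else now
        if form.get(CONSENT_FIELD) != "1":
            raise ValueError("consent not given; submission not stored")
        email = self.normalise(form["email"])
        personal = {k: v for k, v in form.items() if k not in (CONSENT_FIELD, "email")}
        sub = Submission(email, personal, CONSENT_TEXT, now, POLICY_VERSION, now)
        self._rows.append(sub)
        return sub

    def find(self, email):
        email = self.normalise(email)
        return [r for r in self._rows if r.email == email]

    def export(self, email):
        """Right of access / portability: everything held for this address as JSON."""
        return json.dumps([asdict(r) for r in self.find(email)], indent=2, sort_keys=True)

    def erase(self, email, now=None):
        """Right to erasure / consent withdrawal.  Returns the number of rows removed."""
        email = self.normalise(email)
        before = len(self._rows)
        self._rows = [r for r in self._rows if r.email != email]
        removed = before - len(self._rows)
        # Only a timestamp and a count are kept; the email address is not.
        self.erasure_log.append({"at": time.time() if now is None else now, "removed": removed})
        return removed

    def purge_expired(self, now=None):
        """Retention sweep (what the cron job would do).  Returns rows removed."""
        now = time.time() if now is None else now
        cutoff = now - self.retention_seconds
        before = len(self._rows)
        self._rows = [r for r in self._rows if r.submitted_at >= cutoff]
        return before - len(self._rows)


if __name__ == "__main__":
    # Constructed sample submissions, fixed timestamps so the run is reproducible.
    store = SubmissionStore(retention_days=30)
    t0 = 1_600_000_000
    store.record({"name": "Ada", "email": "Ada@Example.org", "message": "Hello", CONSENT_FIELD: "1"}, now=t0)
    try:
        store.record({"name": "Eve", "email": "eve@example.org", "message": "no box"}, now=t0)
    except ValueError as exc:
        print("rejected:", exc)
    print(store.export("ada@example.org"))
    print("expired rows purged:", store.purge_expired(now=t0 + 31 * DAY))
```

The point of storing `consent_text` and `policy_version` with each row is that a later access request can show not just what was collected but what the person agreed to at the time. A real deployment should put the verification of the requester (see step 4) in front of `export` and `erase`.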