7. Making your forms compliant
Chapter 7
In this chapter, we’ll take a look at the practical steps you need to take to make your forms compliant.
Data Minimization
One of the principals of gathering personal data under GDPR is data minimization. This means that you may gather only the data you specifically need for a specific processing purpose. So the first thing to do is review all the forms on your website and remove any fields that are not strictly necessary.
Tracking consent
If you’re gathering any personal data on the grounds of consent, the next important thing is tracking these consents. Remember – your visitors must also be able to withdraw any consents they have given. How to do this exactly depends on the way your forms are built.
Contact Form 7
Gravity Forms
Custom Forms
Withdrawing consent
Your visitors can withdraw each consent they have given on the Privacy Tools page. Depending on your theme, it might look something like this:
Exceptions
You don’t necessarily need to track each consent separately using the plugin. For example, if your visitor signs up to a MailChimp newsletter through your website, you’ll probably want them to use the “unsubscribe” button at the bottom of each email to opt-out instead. In that case, there’s no reason for you to track the newsletter consent or allow visitors to withdraw it from the Privacy Tools page.
There are also situations where you might need to track a visitor’s consent but not allow them to withdraw it. Agreeing to your Privacy Policy and/or Terms & Conditions is a good example. If someone decides that they no longer agree to your Privacy Policy, you should not process their data anyway (unless you have other legal grounds than consent). So if a user wishes to withdraw their consent to your Privacy Policy or Terms & Conditions, they should use the “Delete all data” button instead.