GDPR-compliant businesses or organizations are required to provide users with a way to request a copy of the information they store about them, and / or request it to be deleted.

The Personal Data settings on each of the site's forms can be set up to allow the form to export and erase this user data captured by the form. To update each form's personal data settings, first select the form, then navigate to Settings > Personal Data.

To make a form GDPR-compliant:
  1. Set a retention policy that only saves the data necessary. If the form is collecting personal data, entries should only be retained as long as necessary for the purpose it was collected.
    (See the Retention Policy section below for further details.)
  2. Select the email address field from the form as the Identification Field.

  3. Allow all fields to be exported, and any that contain personal data to be erased by enabling integration with the WordPress tools for exporting and erasing personal data.
    (See the Personal Data section below for further details.)

These steps should be repeated on any form that collects personal data.

General Settings

IP Addresses

By default, each form entry stores the users' IP address. Unless the site has the proper legal basis for storing this info, this should not be collected or stored. Check this box to keep the form from storing IP Addresses for any form submission.

Important Note:

Many of UXi's forms also use an automated Use IP field, so delete that field as well to keep the users' IP addresses from being collected or stored.

Retention Policy

As mentioned in the GDPR Overview, a compliant business or organization must have a legal basis for storing any personal data. The privacy policy on the site should clearly outline why data is collected, how it's used, and how long the data is stored.

The easiest way to make sure no data is un-necessarily stored on the site longer than needed is to set up a retention policy that can delete entries automatically.

Use these settings to keep entries only as long as they are needed. If entries do not need to be saved on the dashboard indefinitely, use the Retention Policy settings to delete entries automatically older than the specified number of days. The minimum number of days allowed is one. This is to ensure that all entry processing is complete before deleting/trashing. You could also manually delete each entry after responding to it.

Important Note:

The number of days setting is a minimum, not an exact period of time. The trashing/deleting occurs during the daily automated task so some entries may appear to remain up to a day longer than expected.

Exporting and Erasing Data

Check the Enable box to include data from this form when exporting or erasing personal data. Once you have checked the Enable box, you will be presented with a drop down to identify what to use to uniquely identify the data, and a list of available data to export/erase.

Identification Field Drop Down

The field chosen in this drop down will be used to identify the owner of the personal data. When an email address field exists on the form, the Identification Field drop down will be populated with the Email field as an option to select.

Personal Data

A list of fields that can be marked to be exported or erased will also be displayed. This list includes the form fields, along with several key pieces of data normally saved. Select all fields you'd like to export / erase upon user request.

If specific fields must be kept for one of the legal reasons outlined earlier in this article, simply leave them un-checked and it will not be exported / erased.