Gravity Flow & The GDPR


Headlines have long been circulating about the General Data Protection Regulation (GDPR). Talk began a few years back about Europe’s newest rule, a data protection law aimed at protecting consumers from massive data breaches. As of this past May, companies were expected to get on board with the changes.

The GDPR has completely overhauled how companies can collect and store personal data. Legislation began a few years back, giving companies ample time to prepare. The ruling isn’t all that different from the existing EU Data Protection Directive (1995). The older initiative was drawn up before this golden age of social media before the internet had made its imprint on how we live and work.

We’ve all enjoyed the ‘free’ services from the big names in tech– Google, Facebook, Twitter and the like. The downside is, those services have come at a price. Namely, in the form of the personal details like emails, names, political leanings, brand preferences and even your race or sexual orientation.

Additionally, things like easy to-miss opt-out boxes and confusing, terms and conditions have made it difficult for customers to grasp what they agreed to.


Facebook’s Cambridge Analytica scandal demonstrated the most notable example of the misuse of customer information. As a quick refresher, Cambridge Analytica was a third-party app that scraped profile data from millions of Facebook profiles, allegedly to influence the shakeout of the U.S. presidential election in 2016. Users were outraged, as this scandal brought to light just how their data was being used without their knowledge.

The GDPR is a regulation, not a directive. Meaning, it applies directly, without requiring EU members to turn it into law on their own terms as they could in the past. That uniformity makes it easier for companies to comply. They’re no longer required to create separate policies between say, France and Germany and the Netherlands. The EU believes the regulation could save a collective €2.3 billion each year.

Whew. Now, let’s look at how Gravity Flow can help make compliance easier.

What Counts As Personal Data? Click here for the GDPR Checklist

So What Does the GDPR Mean for WordPress Users?

Let’s shift the focus toward how we can make sure your WordPress site is compliant and ready to protect user privacy.

Before you dive in, you’ll need to perform a privacy audit on your website. The aim here is to reveal how consumer data is being processed and stored on your servers. From there, you will need to take steps toward compliance.

You’re likely already aware of the myriad ways your company collects customer data. Here’s a quick list:

  • Comments
  • User registrations — email signups, etc.
  • Tools and plug-ins
  • Analytics and traffic reporting tools
  • Contact forms

With that in mind, it’s important to understand that you can only keep personal details on hand for as long as necessary. As such, your archiving practices need to shift. Expectations and new workflows must be created to achieve compliance.

How Gravity Flow Can Make Compliance Easier

ForGravity showed how exporting and deleting all Gravity Forms entries on a schedule can help with compliance. Adding Gravity Flow can make compliance even easier. By adding workflows into the mix Gravity Flow gives site owners additional flexibility and can help ensure nothing slips through the cracks.

You can use Gravity Forms to ask all the right questions, enable double opt-ins, and deliver the messaging needed to let people know, “hey, we’re managing your data properly.” But you can use Gravity Flow to ensure that the data is held no longer than your process requires.

Delete an Entry

As we mentioned above, the GDPR dictates that a website cannot hang onto any user information for longer than is necessary. So, while that sounds vague, you’ll need to establish how long your company needs to keep data in the system. The “Delete an Entry” step is especially useful for organisations that must delete sensitive information after a certain amount of time elapses.

To implement this process, you’ll need the Update an Entry step included with the Form Connector extension.

Select “Delete an entry” and then schedule the step. You can choose between delaying the action for a specific amount of weeks—in this case, we went with five—or selecting a particular date. From there, you can opt to permanently delete the entry (recommended) or move it into the trash.

If the form has a date field you’ll also see the option to schedule the step before or after the value of a date field.

The length of time should match the amount of time specified in your updated privacy policy.


Erase Data: Update an Entry

Another way Gravity Flow can help users achieve GDPR compliance is through the “Update an Entry” step. This feature is a little different than the “Delete an Entry” step mentioned above.

For example, if you’re currently hanging onto customer data, you can keep records of orders placed past the “necessary” amount of time. But, it’s good practice to avoid keeping personal information longer than your process requires. For example, once a project is completed and delivered, do you really need to keep hold of the customer’s personal data? If not then you can set up Gravity Flow to delete it once the workflow is complete.

This way, you can keep a record of the project and all the deliverables but the sensitive information is removed after a reasonable amount of time.

Here’s how you can set that up:

  1. You’ll need the Form Connector Extension which includes the Update an Entry step.
  2. Select “Update an Entry,” as shown below.
  3. Select Entry ID (self) in the Entry ID field.
  4. Map each of the fields with personal data to a value which shows the value was deleted.

Double Opt-In

Another way to achieve GDPR compliance is by adding a double opt-in to your workflow. Gravity Flow can help you ensure everyone who signs up for your emails wants to receive updates. Double opt-in functions as affirmative consent. It asks users who have signed up for your newsletter to confirm in a separate email.

We’ve covered confirmation emails in the past, as you can see in our guide to setting up an email course, but here’s a quick refresher on adding the double opt-in, plus a reminder email down the road.

1. Start by building your initial opt-in form with an email field and perhaps a checkbox requiring consent.

Next, you’ll add an email confirmation step to your workflow. Head over to your workflow tab and select “Add New.”


Build your confirmation email. This email must include a link for new customers or subscribers to follow.

You want to ensure that the user did sign up for your list on purpose. Here’s an example of an approval step used as an opt-in confirmation:

Additionally, you’ll have the option of building a reminder step into your workflow, in the event a potential subscriber fails to open that first email. The below image shows “Notification Failed to Confirm” as a separate step.


One final thing we should mention here is the messaging in the opt-in email must be very easy to understand. Confusing language, like double negatives or practices like pre-checked boxes, is not allowed under the GDPR.

Final Thoughts

Finally, it’s safe to say the WordPress community has been abuzz with the GDPR. Failure to protect personal data can have server consequences.

Incorporating these safeguards—from double opt-ins to active consent, and automated entry and field value deletion can keep you safe from a piece of sensitive data falling through the cracks.

The GDPR is a long-overdue set of best practices for privacy in business and beyond. It’s about time we treat our users’ data with the same care and respect we treat our own.

So, what does personal data mean, exactly? Click here for your GDPR checklist.


Discover more from Gravity Flow

Subscribe now to keep reading and get access to the full archive.

Continue reading