Control of Personal Data (GDPR Compliance)

RSVPMaker now allows individuals to download a copy of their personal data or request that it be erased, in keeping with the provisions of GDPR.

The European Union’s General Data Protection Regulation (GDPR) is part of a broader trend toward giving individuals more control over how their data is secured and managed. WordPress 4.9.6 includes utilities for exporting and erasing user data on demand.

Sample personal data export, including RSVPMaker registration info.

RSVPMaker piggybacks on those features, so that in addition to user data or comments associated with an email address, a data export can include event registration data. All registration data associated with that email address can also be deleted on demand.

In both cases, data will be retrieved or deleted based on a search for the person’s email address and all associated records. The website will send an automated email asking the user to confirm that request.

You will find the Export Personal Data and Erase Personal Data screens under the Tools menu of the administrator’s dashboard.
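As an added illustration (not RSVPMaker's own code), this is how a plugin can hook into the WordPress 4.9.6 export and erase tools through the `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters, looking records up by email address. The `example_registrations` table, its columns, and the `example_rsvp_*` names are assumptions made for the sketch.

```php
<?php
// Added example; table, column and function names are hypothetical, not RSVPMaker's schema.

// Exporter: WordPress calls this with the email address once the request is confirmed.
function example_rsvp_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $table    = $wpdb->prefix . 'example_registrations'; // hypothetical table
    $per_page = 100; // WordPress calls again with the next $page until 'done' is true
    $rows     = $wpdb->get_results( $wpdb->prepare(
        'SELECT id, event_id, first_name, last_name, email FROM ' . $table
        . ' WHERE email = %s ORDER BY id LIMIT %d OFFSET %d',
        $email_address, $per_page, ( max( 1, (int) $page ) - 1 ) * $per_page
    ), ARRAY_A );
    $items = array();
    foreach ( $rows as $row ) {
        $fields = array();
        foreach ( $row as $name => $value ) {
            $fields[] = array( 'name' => $name, 'value' => $value );
        }
        $items[] = array(
            'group_id'    => 'example-rsvp',
            'group_label' => 'Event registrations',
            'item_id'     => 'example-rsvp-' . $row['id'],
            'data'        => $fields,
        );
    }
    return array( 'data' => $items, 'done' => count( $rows ) < $per_page );
}

// Eraser: delete every registration row stored for the address and report the outcome.
function example_rsvp_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'example_registrations'; // hypothetical table
    $deleted = $wpdb->delete( $table, array( 'email' => $email_address ), array( '%s' ) );
    $failed  = ( false === $deleted ); // $wpdb->delete() returns false on a query error
    return array(
        'items_removed'  => ! $failed && $deleted > 0,
        'items_retained' => $failed,
        'messages'       => $failed ? array( 'Registration rows could not be deleted.' ) : array(),
        'done'           => true,
    );
}

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-rsvp'] = array( 'exporter_friendly_name' => 'Example RSVP data', 'callback' => 'example_rsvp_exporter' );
    return $exporters;
} );
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-rsvp'] = array( 'eraser_friendly_name' => 'Example RSVP data', 'callback' => 'example_rsvp_eraser' );
    return $erasers;
} );
```

Reporting `items_retained` with a message when the delete fails keeps the administrator from closing an erasure request that did not actually remove the data.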

Adding a Privacy Policy

If you are running an independent WordPress site, you will see prompts suggesting you add a privacy policy to your website as soon as you update to version 4.9.6 or later. WordPress will suggest some default wording. You may also wish to consult my version from rsvpmaker.com for wording specific to RSVPMaker.

Adding a Privacy Policy Consent Checkbox

GDPR’s requirement for informed, active consent is commonly interpreted as requiring an additional checkbox (not pre-selected by default) with which the user agrees to your privacy policy. The RSVPMaker settings screen allows you to specify that the checkbox should be displayed on all forms, with a message you can customize.

Error message when consent checkbox is not checked.

Since RSVPMaker’s registration function is meaningless without data collection, form submissions will fail if the box is not checked.

You might think that it would be obvious that the purpose of this form is data collection, but the idea is people should know the specifics of how you will store, protect, and use the data they share.

Use of Email Addresses

RSVPMaker includes built-in features to support sending confirmation, reminder, and follow-up messages to individuals who register for your events. Registration information is retained indefinitely, but an administrator can delete it in response to a request using the tools provided by WordPress. However, site owners should be cautious about adding email addresses collected this way to a permanent email list.

Under GDPR, other regulations, and generally accepted best practices, consent is required to add an email address to a marketing email list.

If you use the integration with MailChimp, it’s possible to include an “Add me to your email list” checkbox on the registration form and let MailChimp take care of the double opt-in process. An email address will not actually be added to the email list until the owner of that email address confirms. That is, they will be sent a notification and must click to confirm before they are added to your list. If you are not using that integration, you should obtain consent some other way.