WFFM, Sitecore Forms and GDPR (RODO) in practice

In the previous article we became familiar with GDPR in Sitecore in general. In this post we’ll cover in detail how WFFM and Sitecore 9 Forms may be affected by GDPR.

WFFM Data Storage and Export

For every form in WFFM it’s possible to choose whether you want to persist the submitted form to the database. You do it with the “Save Form Data To Storage” checkbox. By default it’s checked:

This will save all the fields to the FormData collection when the analyticsFormsDataProvider setting (the default) is used in Sitecore.WFFM.Dependencies.config, or to the WFFM SQL database when the sqlFormsDataProvider setting is used.

Sample form data persisted in the FormData collection:

Data stored for a selected WFFM form can also be exported directly from the Sitecore Content Editor:

To avoid data redundancy and to keep personal data in xDB only, you can disable the “Save Form Data To Storage” checkbox in the WFFM form item and consider saving the data directly to the Contact entity in xDB. There’s a built-in “Update Contact Details” action, which maps form fields to the contact’s facets. Mind that this action works only for logged-in users:

Sitecore 9 Forms Data Storage and Export

In the Sitecore 9 Forms editor you can control whether the data will be saved to the database by adding the “Save Data” submit action to your submit button:

Additionally, in a field’s settings, you can decide whether a single form field should be saved to the database. This can be helpful if you don’t want to store personal data outside xDB, but still want to persist other parts of the form:

Form data persisted in the SQL Forms database:

You can also export the data for a selected form in the Forms app:

Instead of saving personal data to the Forms database, you should consider storing it in xDB through xConnect. Sitecore has prepared a great tutorial on how to create a custom save action, which gets the form data and updates facets in xDB.

Summary

The general rule is to avoid storing personal data outside xDB, so you can benefit from the mechanisms prepared by Sitecore for GDPR (like “ExecuteRightToBeForgotten”, marking facets as PIISensitive, etc.). Thankfully, in both WFFM and Forms we can control where we want to save the data after the form is submitted.

If, for any reason, you can’t modify where your forms data is saved, you can check my previous post about GDPR to see how to implement the right to be forgotten and data portability with custom code. With a few adjustments it will also be valid for WFFM.