GDPR Compliance

GDPR is the EU General Data Protection Regulation, which is in full force from 25 May 2018. The best way to ensure GDPR compliance for your specific site is always to consult legal counsel.
In (very) short, GDPR states that if a website collects, stores or uses any personal data relating to a person in the EU (it applies to anyone in the EU, not only EU citizens), you must comply with the following:
– Tell the user who you are, why you collect the data, how long you keep it and who receives it.
– Get clear, explicit consent before collecting any data.
– Let users access their data and take it with them (data portability).
– Let users have their data deleted.
– Let users know if a data breach occurs.
If you’re using the frontend submission form to collect testimonials, then you are almost certainly collecting personal data from the person who uses the form.
If you’re collecting personal data (name and email), the form should have a ‘consent’ checkbox enabled (an option available in the shortcode generator since version 1.8). This checkbox needs to be unchecked by default: under GDPR a pre-ticked box does not count as consent, and the user must actively opt in. The plugin allows you to edit the label for that checkbox. Make sure the label describes why you are collecting the data and what you’ll do with it.
Users also need to be able to contact you to get their data and to ask you to delete it, so you should have a contact form or some other contact information available for them to reach you. If they ask for their data in a portable format, you can use an export plugin, for example ‘Single Post Exporter’, to export just their entry. If they ask you to delete their data, you can simply delete the testimonial entry; remember to empty the Trash as well, since a trashed post is still stored in the database until it is deleted permanently.
WordPress will add personal data export and erasure tools in a future release. When those tools exist, the plugin will integrate with them.