Posted on Tue, 04/03/2018 - 14:38
Drupal and GDPR
Disclaimer - this article is intended as a guide to how we may be able to help you comply with GDPR (General Data Protection Regulation). It does not in any way constitute legal advice. 


Data Protection law is changing on 25 May 2018. Organisations need to be ready for the EU's General Data Protection Regulation (GDPR). This article is a guide as to how we may be able to help you get your website ready for GDPR compliance. 
It relates mainly to clients with Drupal and/or CiviCRM websites and also to clients using the Realitymail email newsletter platform or Google Analytics.
For clients on legacy platforms (non-Drupal) please get in touch to discuss your requirements. We have set out some links further below to key information on the Information Commissioner's Office (ICO) website and, if you haven't already, would recommend further reading of ICO guidance along with articles and posts by GDPR specialists to work out what you need to do for your own organisation. 

Impact of the new regulations and how they may relate to your Drupal/CiviCRM website, Realitymail or Google Analytics

This is not legal advice
Country Requirements
GDPR regulations are subject to countries in the EU and also countries outside the EU that have customers or contacts inside the EU.
Consent of Personal Data
Personal data must be freely given with informed, specific and explicit consent.  Opt-ins must be clear. In other words data collected from users must have clear opt-in fields with precise information on how their personal data will be used, by whom, and for how long and that it is only used for the purposes defined. Privacy policies must clearly define what is done with the data.  
Right to be Forgotten
The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. Data from users is generally stored in User Profiles, webform submissions, order data, and any other module that gathers information about users. This is where it can get tricky and legal advice may be required as financial transaction data needs to be kept which conflicts with the right to be forgotten. Other data such as webform submissions can be deleted or user profiles deleted and contents changed to be anonymous.
Data Sharing
If you are passing data to 3rd party services (Realitymail, Paypal etc.) then the right to be forgotten requests need to be carried out with the 3rd parties as well. More on this here:

GDPR Modules

Modules to help with compliance are under active development. Here is brief info for Drupal, Drupal Commerce and CiviCRM:
Drupal GDPR Module
There is a module for Drupal in development which is planned to have the following features (correct at time of writing):
  • Checklist for site admin incl. automated content, module and configuration discovery (e.g. cookie consent, check if there is privacy policy page etc)
  • Allow logged in users to see all raw data stored about themselves
  • Allow a user to initiate “forget me” action from site admins
  • Make sure the user can rectify all data about himself/herself
  • Allow a user to remove the account (content is not removed)
Drupal Commerce Module for Ecommerce Websites
Adds data anonymisation features so the data will still be available for statistical and history purposes but will not allow to identify a user.
This module adds 2 functionalities:
Manual user account anonymisation ("I want to be forgotten") along with orders and customer profiles connected to the account.
Optional automatic anonymisation after a certain inactivity period set in days.
There hasn't been much uptake on the Drupal modules so far as they are a work in progress and is unlikely at this point to address all GDPR requirements but it shows that the Drupal community is actively working on it.
Drupal Site Security
Drupal security updates ensure that Drupal core and contributed modules are as secure and up-to-date as they can be at any given time. We respond to update alerts within 48 hours of patches being released. Emergency patches are dealt with as quickly as possible after the patch release.
SSL (Secure Sockets Layer) gives users a secure connection between the website and the server. It encrypts data when they are filling in forms ensuring privacy and data security. SSL activates the browser padlock and shows https in the address bar. Web browsers now show a warning for sites without this security in place. If you don't have SSL in place, get in touch with us to install an SSL certificate.
Read about the GDPR extension here:
Our 3rd party supplier is currently incorporating GDPR-compliant features to the platform to make sure your compliance obligations as a controller of your subscribers' personal data are met. These features are being rolled out and we are told will be in place by May 25th 2018.
Things to Consider:
1. Review consent for existing subscribers (no need to re-obtain consent if it was originally obtained in a manner that is in line with GDPR). This may mean re-permissioning your subscribers.
2. Review your signup forms to ensure any new information obtained about an individual is in compliance with GDPR:
  • Is it clear to the subscriber what information is being collected?
  • Is it clear to the subscriber why this information is being collected?
  • Is more information collected than is required? (e.g: if your subscribers sign up for a newsletter - do you need information about that subscriber’s gender to fulfil your stated purpose?)
Extensive info on consent and email marketing can be found on the ICO website:
Google Analytics
If you have Google Analytics on your website this article from Law Hound, a business compliance consultancy, sets out what you now need to consider:
Links to Key ICO Information.
Non-compliance of GDPR risks a fine of up to 4 percent of global turnover. Organisations will have to notify the ICO within 72 hours about a serious data breach.
ICO's Guide to the General Data Protection Regulation (GDPR):
ICO's 12 steps to take now to prepare for GDPR:
Find out about your obligations in your sector: 
Advice helpline for small organisations:
You may need to register with the ICO, take their assessment to find out: 
You may need to update your privacy policy. Guidance here:


For GDPR & Drupal, organisations must take a look at their processes of data storage and gathering. It is a great start that our suppliers are trying to address GDPR requirements with new modules and platform features. There is no one-size-fits-all solution though as each site will have different requirements. 
We are keen to help you implement new features, modules and changes which may involve essential work and updates on your website to ensure GDPR compliance. Our advice would also be to take independent advice from a legal and/or privacy expert to gain a complete understanding of the full impact of GDPR on your data processing practices.
If you have a Drupal and/or CiviCRM website, use RealityMail or Google Analytics and understand what needs to be changed then please get in touch for a chat and we can talk through how we can help.

Add new comment

Request a Free Quotation

Your Name