Getting Your Drupal Website GDPR Compliant
BY chithra.k
3 months ago

As the GDPR regulation comes into effect, businesses are scrambling to take measures to become compliant with the regulation. If you are maintaining a Drupal website and would like to know how easily you can make your website a GDPR compliant one, read on.

This article focuses on the contributed modules available in, which are aimed at helping website owners become compliant with the new rule.

EU Cookie Compliance

Module: EU Cookie Compliance

Versions: 7.x-1.23, 8.x-1.0

Satisfies: Article 7 [2]

This module was released after the EU Directive came into effect in May 2012. However, it is useful under the GDPR regulation too.

With the new GDPR regulation, you should inform your visitors of the cookies you are using on your website and give them an option to opt out of them. This module provides:

  1. A cookie banner which can be shown to visitors
  2. Option to set cookies using JavaScript. Option to set cookie expiration
  3. Ability to customize the banner - position, color, role
  4. Option to restrict the banner to EU countries. However, this requires additional modules to be configured

What this module doesn’t cover: the ability to opt out of or unset cookies

With the new GDPR law, it is mandatory for visitors to be able to withdraw their consent easily. This means that, if they have accepted the cookies, they should be able to undo that in a similar way. This module doesn’t provide an option for this.

If your website does not collect personal information of visitors and only uses needed cookies, you can use this module to display the cookie banner to the visitors. Configuring the module is just a matter of a couple of minutes.

General Data Protection Regulation

Module: General Data Protection Regulation

Versions: 7.x-1.0-alpha5, 8.x-1.0-alpha11

Satisfies: Article 6 [1], Article 7 [2]

The module comes with the following:


The site admin can review the checklist manually and ensure that the necessary measures are taken to comply with GDPR. The checklist items include whether there is a privacy policy page, whether the enabled modules are using relevant information, whether a user has the option to cancel his/her account, etc.

Drush command

The ‘SQL Dump settings’ module provides a Drush command to obscure the fields which contain sensitive personal data. The aim is to prevent developers from accessing sensitive information of users.

GDPR consent

User agreements can be set up and tracked using this module. This is only available for Drupal 8.

GDPR fields

Fields that contain sensitive personal data can be marked as GDPR fields. Currently only marking is supported and more development is in progress. This is also available only for Drupal 8.

The page for this module explains that more development is on the way. Items such as allowing the user to initiate the “forget me” action by site administrators and a GDPR views data export to track data flowing out of Drupal are listed as future tasks, and development progress looks promising. Once all those features are deployed, you might only need this single module.


Scrambler

Module: Scrambler

Versions: 7.x-1.0-beta4

Satisfies: Article 6 [1]

By configuring what data to scramble, you can avoid exposing sensitive information from your database. The module also contains the Scrambler Field submodule, which allows you to administer which scramble methods to apply per field. The default scrambling methods available are emptying values, shuffling characters and shuffling words. You can also define your own custom sanitizing methods.

General Data Protection Regulation Compliance

Module: General Data Protection Regulation Compliance

Versions: 8.x-1.7

Satisfies: Article 6 [1], Article 7 [2]

The features available in this module are:

Form checkboxes

It provides the option to display a GDPR warning in the form of a checkbox that can be added to the user registration, login or node forms.

Pop-up alert

Similar to the EU Cookie Compliance module, a configurable cookie banner settings page is provided. The popup can be configured to display for guests or authenticated users.

Policy Page

The module ships with its own ‘Policy Page’ with detailed information on cookies and an option to clear browser cookies. The content of the page can be edited to suit your needs.

GDPR Consent

Module: GDPR Consent

Versions: 7.x-1.0-beta4

Satisfies: Article 6 [1]

This module allows you to collect data processing consent from logged in users. Administrators can view the consent history. The module is still under active development and has some known issues to start with.

Mask User Data

Module: Mask User Data

Versions: 7.x-1.0-alpha9, 8.x-1.0-alpha5

Satisfies: Article 6 [1]

This module will mask all the current data in your database related to the users. You can easily define a map with the fields to mask and the Faker function to use for each field. You can either use a Drush command or wait for cron to run to perform the masking.

Commerce GDPR

Module: Commerce GDPR

Versions: 7.x-1.0-beta1

Satisfies: Article 6 [1]

If you are using Drupal Commerce, then this module might be helpful for you. The module provides the following features:

  • Manual user account anonymization ("I want to be forgotten") along with orders and customer profiles connected to the account.
  • Optional automatic anonymization after a certain period of inactivity set in days.

GDPR Export

Module: GDPR Export

Versions: 7.x-1.0-alpha1

Satisfies: Article 15 [3], Article 20 [4]

The module introduces a button on the user edit page which exports a user's data and provides it as a zip file. If additional fields or third-party modules are used, these may be handled via custom code.

GDPR Tag Manager

Module: GDPR Tag Manager

Versions: 8.x-1.0

Satisfies: Article 6 [1], Article 7 [2]

The module implements Google Tag Manager and IP Country Code lookup. A GTM dataLayer variable is set with the continent code value, which allows you to trigger or disable tracking scripts to help make the site GDPR compliant.

This module also provides a cookie consent popup with an option to disable pop-ups for North American countries.

Kindly note that just enabling any one of the modules will not make your website GDPR compliant. The above modules only satisfy certain conditions and you might still need to take care of other aspects of the regulation. If you would like development assistance with the GDPR compliance of your site, get in touch with us.

References

  1. Article 6
  2. Article 7
  3. Article 15
  4. Article 20



on 17th December 2018 / by chithra.k
You would have heard about the European Union Data Protection Regulation (GDPR) law that will take effect on May 25th 2018. The aim of this regulation is to give EU citizens the right to control what information is being collected from them by various businesses. GDPR will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. GDPR will replace the prior EU directive known as Directive 95/46/EC (the “Directive”), which has been the basis of European data protection law since 1995.

What is "personal" data?

Any information relating to an identified or identifiable individual; meaning, information that could be used, on its own or in conjunction with other data, to identify an individual. For example: social security numbers, names, physical addresses, email addresses, IP addresses, behavioral data, location data, biometric data, financial information, and much more. It’s also important to note that even personal data that has been “pseudonymized” can be considered personal data if the pseudonym can be linked to any particular individual. Sensitive personal data, such as health information or information that reveals a person’s racial or ethnic origin, will require even greater protection.

How is GDPR different from the “Directive”?

GDPR has introduced several changes in the privacy law. Below are the major changes that are relevant to site owners and developers.

Definition of personal data: As explained above, personal data is well defined, and any processing of personal data of EU citizens is required to comply with the GDPR law.

Broader scope: The scope of data protection law is expanded beyond the EU to all organizations that process personal information of EU citizens, regardless of whether the processing takes place in the EU or not.

Rights of the data subject/individual: GDPR provides new rights to data subjects or individuals which you should accommodate while processing personal data of EU citizens. The following are some of the significant new rights:

  • Right of access: Individuals have the right to know about the processing of their personal data - the purpose of processing, the categories of personal data concerned, the recipients with whom their personal data is shared, and the period for which the personal data will be stored.
  • Right to rectification: Individuals shall have the right to rectify incorrect personal data or complete incomplete personal data.
  • Right to erasure (right to be forgotten): An individual can request the deletion of all of his personal data collected by the organization.
  • Notification obligation regarding rectification or erasure: The individual must be informed about the rectification or erasure of personal data.
  • Right to data portability: An individual shall have the right to receive his personal data from one organization and transfer it to another without hindrance.
  • Right to object: The individual has the right to object to the processing of his personal data for certain uses - for marketing purposes or profiling.

Strict consents: As per GDPR, organizations must ensure that proper consent is received from the individual before processing their personal data. This doesn’t mean that you should only ask them for their consent; an individual should also be able to withdraw their consent at any time.

Breach notification: If a data breach occurs and the personal data of the individual is compromised, then the supervisory authority should be informed of it within 72 hours.

Penalties: Any individual who has suffered as a result of a violation of this regulation is entitled to receive compensation from the organization. Heavy fines will be imposed, especially for severe violations of the regulation.

You can download the full pdf from here.

Ignorance is no longer bliss

Be careful about using the excuse that you don’t know the GDPR regulation. Ignorance of the law doesn’t let you escape the huge penalties of non-compliance. If you would like to know more about how to become GDPR compliant, get in touch with us.

on 17th December 2018 / by nisha
As we fast approach May 25th 2018, organizations all across the European Union (and organizations that deal with European citizens and their data) are working to ensure that their business processes are compliant with the General Data Protection Regulation (GDPR) that comes into effect on that date.

What is GDPR?

The latest regulation in EU law on data protection and privacy, GDPR concerns data usage of all citizens within and outside of the European Union. It explains in detail all the rights and rules that EU citizens have over their personal data.

Why is GDPR compliance of vital importance?

The main reason for GDPR is to give back to people the right to be informed about the data that organizations are gathering about them and the right to know how it is being used and for what. Up until recent times, consent was considered to be given by default.

Secondly, and more importantly for you as an organization, is how you react to the new regulations. By complying and being proactive in your GDPR compliance process, you are giving your visitors and clients the message that you have the users' best interest in mind and that you play fair and square. You are then well on your way to creating loyal and happy promoters. It also gives you an added advantage, as you take a strong strategic position favoring GDPR that sets you apart from your competitors in the industry.

The third reason, and definitely not one that can be taken lightly, is the penalties stated: fines that can go up to €20 million or 4% of the company’s annual turnover, whichever is applicable.

How to become GDPR compliant?

The European Data Protection Regulation was adopted on April 14th 2016, but the regulation will fully come into effect on May 25th, 2018. Organizations will now have to review the systems and processes they have in place, especially for any data affecting people of the European Union. While it is going to take time for organizations to be fully compliant and effective, companies already dealing with personal data will need to prioritize getting consent from the users before the date.

Some key points to consider

One of the main things to focus on is to ensure that you do not gather data from visitors on the first page load. Even when gathering information, explicit consent checkboxes (that are not pre-ticked by default) should be present on all data gathering forms.

Right to Access

This is the basic right on which all other rights, like the ‘right to update’ and the ‘right to be forgotten’, are based; the user should be able to view all of their information that has been collected. This could be through logged in access or through written or verbal means within a stipulated one month period.

Right to be Informed

Any form on the site with fields for personal information should explain how the information is going to be used. The information provided to the user should include why the information is collected and for what, and with whom the information is shared (if anyone), and explicit permission should be obtained for every piece of information. The user consent forms would need to be preserved too.

Right to Erasure or to be Forgotten

The user should be able to withdraw consent at any time and without any hurdles, i.e. the process of withdrawing consent should be quite straightforward. When a person withdraws the consent to use their individual data, the removal involves removing all data that is given by and derived from the person’s usage of the services rendered. The consent withdrawal might be just a form for the registered user, but at the back end the submit button, once clicked, should activate the deletion of all data related to that unique ID.

Compliance of cookies

With the introduction of GDPR, all third-party integrations and cookies that have access to a site user’s data, including IP address and other associated data, are to be in compliance with the permission granted by the user. So your ability to comply will be affected by your third party’s ability to comply.

While complying with GDPR might be a tough task that must be overcome, it is possible by sticking to two simple rules. Do not ask for private information that you do not need, and do not keep the data longer than you need it. All these involve a clearly defined data flow process (data lineage) and a few more fields in the ‘Contact Us’ section.

Get in touch with us for setting up GDPR compliant forms and workflows on your Drupal site.

on 17th December 2018 / by chithra.k
It is high time to make your website GDPR compliant, as the regulation is going to be effective from May 25th, 2018. If you would like to revisit our article on what GDPR is and how it can affect a site owner or developer, you can read our previous article here.

What do you have to do to comply with GDPR?

Now that you know what GDPR is and what it is about, here are the steps to follow to be compliant with GDPR.

Update your ‘Privacy Policy’ and ‘Terms and Conditions’

These pages are among the key items for being GDPR compliant. The page should inform the user about:

  • How you are using their personal data
  • With whom you are sharing their data
  • What cookies are used on your site and their purpose
  • Consent to email about order notification

Consents

For more information on 'Consents', click here.

Simply visiting a site is no longer considered consent. User consent must be collected by means of an opt-in checkbox or by choosing settings. It is equally important that users are able to withdraw the consent easily. If consent is requested via opt-in boxes in a settings menu, the user should be able to return to that menu and update his preferences. Unless a user explicitly says that he would like to be included in the list, don’t add them. Silence is not considered consent.

If a user gives his consent to process his personal data, it doesn’t mean that you can process the data for a long period. The consent should be collected or renewed every 12 months from the time of the user’s first visit to the site. A cron job can be set up to automatically send emails to the users and collect consent.

Cookies

Cookies are considered ‘personal information’; therefore you have to disclose all of the cookies which are set by your site and why they are set, and give an option to opt out before they are set. However, there are different types of cookies which can be exempted from the consent requirement. For example: cookies used in a merchant website, session ID cookies for the duration of the session, authentication cookies, etc. These are mentioned in the ‘Guidance on Cookie Consent and Expiration’ by the French Data Protection Authority [1].

Be it a third party or a custom cookie, whichever cookies you are using, you should make the information visible to the user in simple words. For example, say you are using Google Analytics; a sample privacy statement can be:

This website uses Google Analytics to help analyse how visitors use this site. No personally identifiable information is collected about you unless you explicitly submit that information on this website. The information collected is used to create reports of activities on this site. We use this to provide relevant content to our visitors.

For more information on 'Cookies', click here.

Cookie Banner

Instead of using the old disclaimer ‘By browsing the site you accept cookies’, you have to be clearer about the cookie policy. The disclaimer should specify the exact purpose of the cookies and the fact that by continuing to browse the website, the user accepts the use of cookies. You can add the types of cookie that are used on the site, for instance Necessary, Marketing, Analytics, etc., with checkboxes. The cookie banner of 'The Marketing Eye' [4] can be taken as a reference. There should also be a link to the ‘More information’ page, which should display information on how to opt out of or refuse cookies.

For more information on 'Cookie Banners', click here.

Unfilled Checkboxes

You must make sure that no checkbox added to collect personal information from the user is ticked by default.

For more information on 'Unfilled Checkboxes', click here.

Right of Access

A user should be able to easily access his personal information collected by the website. In the context of a Drupal website, he should be able to access his user profile page, which displays all of his information.

For more information on 'Right of Access', click here.

Right to Rectification

A user should be able to update or correct his personal information. He must be able to edit his own profile data. Care should be taken to ensure that users are only permitted to access information as per their role.

For more information on 'Right to Rectification', click here.

Right to Erasure

A user should be able to request the deletion of his personal information. He can do this either by sending an email to the site admin or via a button on the user profile page. For the latter, a call-to-action button can be added to his profile. Once the request for erasure is received, the data should be deleted within 1 month. Upon deletion, the user should be informed about the erasure.

For more information on 'Right to Erasure', click here.

Now what happens to the contents or orders of your site if you are to delete the entire user data? The law does not further describe how data should be deleted. If you want to keep the data for audit purposes, you can either mention this in the privacy policy, or remove all the personal information of the user and replace the data in the fields with pseudonyms.

If you are sending the personal data of users to any third parties like Salesforce or Hubspot, you are obliged to inform all the third parties to delete the personal information of the user via an API call or similar.

This again comes up with another issue - backups. You should keep the list of forgotten user IDs separately so that when a restore process occurs, you re-forget the forgotten users.

Right of Data Portability

The user should be given an option to export all of his personal information. The ‘Export Data’ button can be included in the user dashboard. The exported data can be in the form of a CSV or spreadsheet. If your website only stores information like favourites, bookmarks, etc., then it is not mandatory to provide this feature, as this does not fall under personal information.

For more information on 'Right of Data Portability', click here.

Right to Object

The user should be able to object to the processing of his personal information. This can be in the form of a button on the user settings page. Once the user objects to the processing of personal information, you should make this profile hidden from the public and other users. Such profiles can be marked as “restricted” and can be made visible only to the site admin.

For more information on 'Right to Object', click here.

Age Checks

You should check your user's age, and if the user is a child below 16, then the law states that parental consent should be obtained. How to obtain this is not well defined, but one option is to provide a field to accept the email ID of the parent and to verify it.

For more information on 'Age Checks', click here.

Delete Data that are No Longer Needed

You should explicitly mention the amount of time that the user’s personal data will be stored on your site and delete it after that time period. If you are an e-commerce site owner, then you should create a cron job to anonymise the order information once the delivery is complete.

Technical and Security Measures

Audit logs should be kept, and you should be careful about potential data misuses such as employee logins, unprotected servers and insecure connections. You should ensure that the access permissions given to a user are correct and that he is not authorized to access sensitive information.

As an additional note, we would like to highlight that you don’t have to include everything mentioned above unless you are processing personal data of EU citizens. To know more, get in touch with us.

References

  1. ‘French Data Protection Authority Issues Guidance On Cookie Consent And Expiration’, blog, published December 18, 2013, Hunton Andrews Kurth, accessed May 2018.
  2. Heather Burns, ‘How GDPR Will Change The Way You Develop’, blog, published February 27, 2018, Smashing Magazine, accessed May 2018.
  3. Bozho, ‘GDPR - A practical Guide For Developers’, blog, published November 29, 2017, Bozho’s Tech Blog, accessed May 2018.
  4. Neal Dyer, ‘GDPR: B2B vs B2C - Can you still email your database?’, blog, published December 19th, Marketing Eye, accessed May 2018.
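The backup point under 'Right to Erasure' above (keep the list of forgotten user IDs separately so that a restore re-forgets them), as an added example that is not part of the original article or of any Drupal module: the erasure ledger lives in its own database outside the backup set and is replayed after every restore. The table and column names (`users`, `orders`, `forgotten`), the pseudonym format and the sample rows are assumptions constructed for illustration.

```python
import sqlite3
from datetime import datetime, timezone

SITE_SCHEMA = """
CREATE TABLE users  (uid INTEGER PRIMARY KEY, name TEXT, mail TEXT, status INTEGER);
CREATE TABLE orders (oid INTEGER PRIMARY KEY, uid INTEGER, ship_to TEXT, total REAL);
"""
# The ledger stores only the user ID and erasure time, never personal data,
# and lives in its own database so that site backups/restores cannot roll it back.
LEDGER_SCHEMA = "CREATE TABLE forgotten (uid INTEGER PRIMARY KEY, erased_at TEXT NOT NULL);"


def pseudonym(uid):
    return f"erased-user-{uid}"


def anonymise(site, uid):
    """Pseudonymise the account and strip personal fields; order rows stay for audit."""
    site.execute("UPDATE users SET name = ?, mail = NULL, status = 0 WHERE uid = ?",
                 (pseudonym(uid), uid))
    site.execute("UPDATE orders SET ship_to = NULL WHERE uid = ?", (uid,))
    site.commit()


def has_personal_data(site, uid):
    """True if the name, mail or a shipping address for this uid is still populated."""
    row = site.execute(
        "SELECT EXISTS(SELECT 1 FROM users WHERE uid = ?"
        "              AND (mail IS NOT NULL OR name <> ?))"
        "    OR EXISTS(SELECT 1 FROM orders WHERE uid = ? AND ship_to IS NOT NULL)",
        (uid, pseudonym(uid), uid)).fetchone()
    return bool(row[0])


def forget_user(site, ledger, uid):
    """Erasure request: write the ledger entry first, then scrub the live data."""
    ledger.execute("INSERT OR IGNORE INTO forgotten VALUES (?, ?)",
                   (uid, datetime.now(timezone.utc).isoformat()))
    ledger.commit()
    anonymise(site, uid)


def reforget_after_restore(site, ledger):
    """Replay the ledger on a restored site DB; return the uids whose data had come back."""
    resurrected = []
    for (uid,) in ledger.execute("SELECT uid FROM forgotten ORDER BY uid").fetchall():
        if has_personal_data(site, uid):
            anonymise(site, uid)
            resurrected.append(uid)
    return resurrected


def demo():
    """Constructed scenario: backup, erasure request, then a restore of the old backup."""
    site = sqlite3.connect(":memory:")
    site.executescript(SITE_SCHEMA)
    site.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "alice", "alice@example.test", 1),
        (2, "bob", "bob@example.test", 1)])
    site.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", [
        (10, 1, "1 Sample Street", 25.0),
        (11, 2, "2 Sample Street", 40.0)])
    site.commit()
    ledger = sqlite3.connect(":memory:")
    ledger.executescript(LEDGER_SCHEMA)

    backup = sqlite3.connect(":memory:")
    site.backup(backup)              # nightly backup, taken before the request
    forget_user(site, ledger, 1)     # user 1 asks to be forgotten

    restored = sqlite3.connect(":memory:")
    backup.backup(restored)          # later restore: user 1's data is back
    leaked = has_personal_data(restored, 1)
    redone = reforget_after_restore(restored, ledger)
    return leaked, redone, restored, ledger


if __name__ == "__main__":
    leaked, redone, restored, _ = demo()
    print("personal data present after restore:", leaked)
    print("re-forgotten uids:", redone)
    print(restored.execute("SELECT uid, name, mail FROM users").fetchall())
```

Running the replay as the last step of the restore procedure, before the restored site is put back into service, keeps the window in which erased data is live as short as possible.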