Drupal and GDPR: Everything You Need to Know

A lot has been written in and around the EU’s new data privacy compliance - General Data Protection Regulation. As we near 25th May, the search around GDPR compliance is breaking the internet. 

In my previous blog What is GDPR? User Rights and Business Guidelines we covered a comprehensive guide on what GDPR is. Understanding in details the guiding principles and the data subject rights. In this blog, we will cover how EU GDPR will affect your business. And what can you do if your website is built on Drupal? 

In the later part, we would be answering the questions like ‘How does Drupal comply with GDPR?’ and most importantly - Is Drupal ready for GDPR compliance?

A Quick Recap on GDPR 

The EU General Data Protection Regulation (GDPR) would replace the 1995 EU Data Protection Directive (95/46/EC) and is devised to “harmonize” data privacy laws across Europe. GDPR is focused on the way the information is taken by the businesses and utilized thereafter. 

The regulation will come into force on 25th May 2018 and was adopted in April 2016 after first being proposed in January 2012. The two year period has given time to the businesses and public bodies to prepare for the coming change.

Its aim is to protect and most importantly empower all the EU citizens’ with a major focus on the consent of the user while being stringent on the data privacy and reshape the way organizations across the region approach data privacy.  

How Does it Affect My Business? 

The new data protection regulation puts the consumers in the driver’s seat and the errands of conforming fall on the businesses.

TL;DR

1. Non-EU established organizations will also be subject to GDPR if their data subject is from EU.
2. Every data collection step should involve the clear consent of the user.
3. It affects SMEs too.
4. Need to appoint a Data Protection Officer.
5. It will affect the way the customer engagement and sales and marketing occur in your organization.
6. The penalties are quite harsh.

Companies processing the personal data of data subjects residing in the Union, regardless of the company’s location also come under the scope of GDPR. This means that non-EU organizations not previously caught under the DPA for targeting an EU market or EU citizens will now be caught by the GDPR.

No more will the “we use cookies” message suffice. To comply with the new EU data privacy law, the website needs to put out a clear message as to where and how they will be using the information. They also need to give the user a clear way to opt out of it. 

A lot of people think that GDPR will affect only the bigger organizations but GDPR will also apply to any business that processes the personal data, including those with fewer than 250 employees. However, it is acknowledged that SMEs have fewer resources or that the fact that they process lower volumes of both sensitive and non-sensitive data when compared. For this reason, an SME may be exempt from some of the more rigorous steps (such as the need to appoint a data protection officer). 
GDPR affects your marketing and customer engagement

Since a fair share of focus has been given to the “consent of the consumer” and transparency and so the conditions for obtaining consent are stricter. The individual must have the right to withdraw consent at any time and there is a presumption that consent will not be valid unless separate consents are obtained for different processing activities. 

The statistics shared below from Statista.com make it quite evident that a large number of agencies are preparing for the new regulation by changing the way they work. 

Simply put, non-EU established organizations will be subject to GDPR, if their data subjects are from EU.

While 44% agencies are updating their contracts and data protection policies, 26% have reviewed and changed their product/s. At the same time, 22% are altogether devising new marketing strategies and 15% changing the way they sell their product.

It wouldn’t be wrong to say that GDPR would be affecting the way the organizations work and market their products. 

Be GDPR compliant with Google Analytics

Under GDPR, using Google Analytics on your website makes you a data processor. Since you are in control of which data to be sent and which not. Google in its official statement declared its commitment to compliance with GDPR. Where it went on to explain that certain measures have been put in place relating to privacy and data processing. 

However, Google also encourages “data controllers” to be vigilant about how they collect and handle data. 

HowTo: Make Your Drupal Website GDPR Complaint?

The community is aimed at bringing people from all walks of life together and work as a team. Here are some of the modules that can help you out. Here are the following ways to make your Drupal site GDPR compliant.

1. Drupal GDPR Compliance Team

   One of the best things about Drupal community is you don’t have to wait long to fight off an issue. The same goes for GDPR. Drupal GDPR Compliance team, is intended to serve as a locus for the Drupal community to discuss and coordinate efforts to improve Drupal's framework for GDPR compliance. 

   You can add to the work of other members by ensuring the duplicacy of efforts doesn’t happen, bring cooperation and help the agencies and businesses tackle the new EU data privacy law swiftly. A piece of warning which has been put up is - this module project will not produce any software tools. 

   Drupal has some awesome tools and modules aimed to help you achieve the aforementioned goals.  

2. Module - General Data Protection Regulation
   The General Data Protection Regulation module aims to help site admins follow the guidelines and legislation set by the Union.

   Installing and using this module does not mean your site becomes GDPR compliant. Since GDPR affects the whole organization, this module aims to help understand its Drupal relations and (tries to) provides helper tools to make your site GDPR compliant.

   A Checklist for site admin is provided which includes automated content, module, configuration discovery (e.g. cookie consent, check if there is privacy policy page etc), along with the status line on the status report page.
   

   A GDPR consent submodule which allows setting up "agreements" and track the consent per user is also available. Currently, it is only for Drupal 8.

   A GDPR fields submodule (currently only for Drupal 8) to mark personal data on the field level is also available. This is for documentation purposes, handling of incoming requests. Say for deletion of data which will be handled by the upcoming GDPR tasks submodule.

   Drush command (drush gdpr-sql-dump) is used to obfuscate data. The primary goal here is to prevent developers from accessing user data.

   It also uses Hidden Author, a  module, which allows users with the proper permissions post nodes and comments (through NodeComment) without revealing their username. This is in sync with the guidelines and only users with permission "see original author" will access such information

3. Module - General Data Protection Regulation Compliance 
   Since the responsibility of conforming with the regulations fall on companies, it is a great help if the businesses have a checklist ready without missing out on minor details. The General Data Protection Regulation Compliance module helps you comply with the regulation by giving you the following features:

   * Form checkboxes
   * Pop-up alert
   * Policy Page

   For a clear consent from the user, it is important that the user knows everything about the collection and processing of the data. For this, it is important that as an organization it is easy for you to change your form settings create user registration and login, add and edit contact form, and node add form, all so easily. 

   The module also complies with the eu_cookie_compliance and is easy to use with 
   * User / Guest display
   * With a translatable pop-up template

   Since the regulations define different conditions for a guest user and an authenticated user, it is important that each user has the best experience.  

   With this module, you can also create your own Policy Page or replace the link & clear cache, in case you don’t like it.
   

4. Module - GDPR Consent
   GDPR Consent Module lets you collect the GDPR Data processing consent from logged-in users using the site.
   However, the module is in beta version (not in final state) and applicable only for version 7.
    
5. Module - Commerce GDPR
   The Commerce GDPR is available for only for version 7. It adds data anonymization features so the data will still be available for statistical and historical purposes but will not allow identifying a user and the store will comply with the GDPR directive.

Security by Design

Putting all the clauses and guidelines aside, GDPR is more than just data regulation. It’s a policy to secure the information giving the users a definitive edge. One of the core practices that should be followed regardless of any regulation is ‘Security by Design’. 

Security by Design implies designing the software up by the ground to be secured to minimize the impact when the security vulnerability is discovered. Pacing up your security from the start. It implies following the best security practices at the architectural level instead after building the website. 

This ensures that the design remains secure regardless of a reasonable approach adopted later to tackle the issue. A uniform methodology needs to be adopted to protect the assets from the threats. 

Once the requirements have been collected, the architecture can be laid out and other elements can be discussed later like trusted execution environment, secure boot, secure software update among others.

Some Data Protection Practices You Need to Follow
GDPR will affect almost all the site owners. The best you can do is keep every step from data collection to processing transparent. You can take following steps to comply with the new regulation

Make user consent your top priority: Article 12 of the official document says “The information shall be provided in writing, or by other means, including, where appropriate, by electronic means..” your Drupal website needs to provide one such form along with the cookies popup message. This should include the possible use of information and the opt-out message. 

Keep your communication transparent: Article 15 which covers rights of access by data subjects also states that the consent should be clear and this should include the possible use of information. The cookie consent form should also include where the information will be used. 

Keep the information transparent: A user has a right to manually request data erasure from the website as well as for data portability. Not only switch-off the account, but totally delete data from the database. Review your current privacy policy and mention clearly for making any necessary changes after the implementation of GDPR.  

Breach notification: Let the users know about the breach in 72 hours. Where you have to, as an organization, appoint a data protection officer who will be responsible for the security of the data.

Is Drupal ready for GDPR compliance?

Although the community is equipped to take on the big data privacy regulation, a sense of uncertainty still looms over not just the web development community at large but, for Europe as well. Until the regulation comes into practice, these are just the ideal scenarios where you can do what needs to be done. 

If you still have some doubts over the implementation let us know, we are here to assist you. Drop a mail at [email protected] so our Drupal experts can help and guide you.