Many of the clients we help with developing web applications have been asking about General Data Protection Regulation (GDPR), the European Union’s new suite of data privacy law in 20 years. So we decided to provide information as clear as possible about - How does GDPR relate to a Drupal website? How to make Drupal site GDPR compliant? Are there any modules that will help me with it?
Unsure about GDPR? Let’s dive in to the basics.
According to EU GDPR, GDPR is “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”
The new regulation, which will come into effect on 25 May 2018, applies to data collected about EU citizens from anywhere in the world. As a consequence, a website with any EU visitors or customers must comply with the law. Have a look at the publication of the regulations in the Official Journal of the European Union in order to have a better understanding. The penalty for non-compliance can be 4% of annual global turnover, up to a maximum of €20 million.
So how does GDPR relate to your Drupal website?
Any information, such as name, address, email address, social security number, IP address etc., related to identifying a living person directly or indirectly is classed as personal data. Since most companies gather users information through forms for email marketing or CRM extensions in this case their site will be affected. Further, any form that deals with the commerce of any type is affected.
Steps to make your Drupal site GDPR compliant
Data collection and storage: Article 12 of GDPR, Right of access, states that before collection of data places or before a user submits the form, they must be aware of that the form on your Drupal site is collecting their personal information with the intention to store it.
Keep user data organized and accessible: According to Article 17 of GDPR, Right to erasure (right to be forgotten), users must have an option to erase personal data, stop further collection and processing of the data that concerns him or her. At the same time, users should be able to download their personal data for which they have earlier given permission. Further, on request, companies should be able to provide a user with a copy of all personal information they have on them, free of cost within 40 days and delete the info on request.
Individuals’ right: Through Drupal’s GDPR module, we ensure your website includes the following rights - the right to be informed; the right of access; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; and the right not to be subject to automated decision-making including profiling.
Breach notification: In case your Drupal website ever experience a data breach of any kind, the information on the same must be communicated to all of your users within 72 hours of becoming aware of a breach.
Google Analytics: As per the law, if you are using Google Analytics it means you are data controller, and can decide which data should be sent to Google Analytics and not. In order to be GDPR compliant with Google Analytics, you need to follow certain guidelines, like:
Auditing data for personally identifiable information (PII)
Turning on IP anonymization
Auditing collection of pseudonymous identifiers (hashed emails, user IDs)
Building an opt-in/out capability
Modules: While developing a website, we ensure that your site is integrated with different auditing modules, such as for performance, security, or a general review to check the overall status of the site. A security audit on your Drupal site reveals how data is being processed and stored on your servers, and steps that are required to comply with the GDPR.
Are there any Drupal modules that will help the website with EU compliance
In short, Drupal community has come up with General Data Protection Regulation module that gives users visibility to their stored data. As an owner of the site, it's your responsibility to deal with the organization inner workflow of dealing with customers data. Not to mention Drupal’s GDPR module can be a Kickstarter to go through checklist points to maintain the privacy and security of an individual. Further, configuring the site plays an important role.
With the integration of GDPR, users will be able to view what are the information stored about them, can correct all the stored data themselves, opt for “forget me” action from the site, can remove the account (but not the content). In addition, the updated version will have more items and recommendations on the checklist.
Okay, so now you know what GDPR is and how you can make your Drupal website GDPR compliant. Understanding how to adhere to these rules confounds many people, but it's an essential part when your customers are from EU. Our intention here is to inform. We will try our best to keep you updated as the regulation move towards implementation.
Still worried how you go about making your site GDPR compliant? Drop a mail at firstname.lastname@example.org and let our Drupal 8 experts help you with your queries.