As we move closer to the launch of the new GDPR in May, here's an updated version of our original blog post about GDPR compliance for Drupal websites, originally published in September 2017:
The new GDPR - General Data Protection Regulation - comes into effect on 25th May this year and replaces the current Data Protection laws across the UK and Europe. It's important that all businesses are aware of the changes, and what they potentially mean for your business, as the consequences of not complying with the new regulations could be severe, with, in the worst case, fines of up to 20 million Euros for larger companies.
The GDPR aims to give individuals more control over the personal data held about them by businesses and organisations and ensures that those businesses/organisations are storing and using that data in a responsible and accountable manner.
Here at Adaptive, we are currently preparing information and guidance with regards to ensuring that our clients' Drupal websites are compliant with the GDPR and that any changes/additions required to their websites are in place by the deadline of 25th May 2018.
For some websites, this may simply be a case of ensuring that a clear data protection policy is visible on the website and is signposted from any key areas of the website where data is collected from users, such as contact forms, newsletter signups and other online forms.
For websites that collect and use visitor data in a more complex way, further provision may be needed on the website to ensure you remain compliant. Other key changes within the GDPR include the need to ensure any marketing opt-ins on forms specifically require the user to tick to agree to communications - no more ticking to opt out, and no opt-in boxes which are pre-ticked.
Adaptive will be in contact with each of our clients directly in the next couple of weeks with more information relating to GDPR compliance on their Drupal websites.
Will my website be affected?
The details of the new GDPR effectively mean that almost every website will need to ensure it is compliant in one form or another. The definition of "personal data" in the GDPR includes any "online identifier" logged/stored by a website. For this, read "IP address". Drupal sites will typically capture and store a visitor's IP address for certain logging processes. Similarly, server logs will also record a visitor's IP address, as will third party tools on a website such as Google Analytics. This means that, even if your website doesn't openly collect user data via user-submitted forms, the GDPR is still likely to apply if you are capturing visitor IP addresses, even though those IPs don't directly identify an individual.
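One practical way to reduce how identifying those stored IP addresses are is to truncate them before they are written to a log or retained. The script below is an added example for this post, not code from Adaptive or from Drupal: it reads web server lines in the common "combined" log format (the sample lines are constructed, using documentation address ranges), zeroes the host part of each client address (an assumed /24 for IPv4 and /48 for IPv6; the prefix lengths are a choice, not a GDPR requirement), and leaves any line it does not recognise untouched so nothing is silently lost.

```python
import ipaddress

# Constructed sample lines in Apache/nginx "combined" log format.
# The addresses are from documentation ranges, not real visitors.
SAMPLE_LOG = """\
203.0.113.45 - - [10/Mar/2018:12:00:01 +0000] "GET /contact HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
2001:db8:abcd:1234:5678:9abc:def0:1 - - [10/Mar/2018:12:00:02 +0000] "POST /newsletter HTTP/1.1" 302 0 "-" "Mozilla/5.0"
not-an-ip - - [10/Mar/2018:12:00:03 +0000] "GET / HTTP/1.1" 200 100 "-" "curl/7.58"
"""

# Assumed prefix lengths: how many leading bits of the address to keep.
IPV4_PREFIX = 24   # keep the first three octets, zero the last one
IPV6_PREFIX = 48   # keep the routing prefix, zero the interface part


def truncate_ip(raw):
    """Return the address with its host bits zeroed, or None if it isn't an IP."""
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return None
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    # strict=False lets ip_network discard the host bits for us.
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def anonymise_line(line):
    """Replace the leading client address of a combined-format log line."""
    head, sep, rest = line.partition(" ")
    truncated = truncate_ip(head)
    if truncated is None:
        return line   # unrecognised first field: keep the line as it was
    return truncated + sep + rest


def anonymise_log(text):
    """Anonymise every line of a log and return the result as one string."""
    return "\n".join(anonymise_line(line) for line in text.splitlines())


if __name__ == "__main__":
    print(anonymise_log(SAMPLE_LOG))
```

The same `truncate_ip` step can sit in front of any other place an address is recorded, such as a site's own logging table, but truncation only reduces identifiability rather than removing it: a /24 still narrows a visitor down to a small network, so a retention period for the logs is still needed alongside it.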
GDPR is an EU regulation which applies to any organisation that collects data from EU residents. This therefore means that it will still be applicable to UK businesses post-Brexit as websites will still be accessible by EU residents, even if the UK population is no longer amongst them.
Under the GDPR, Adaptive also has a certain degree of responsibility towards each website that we host or support, so we will be strongly encouraging each of our customers to ensure that they are fully aware of the new regulations and implement our recommendations on their website to avoid potential issues.
What sort of changes are likely to be needed?
The changes required to websites to ensure GDPR compliance will vary from site to site depending on the functionality and data collection methods in place on the site. However, some of the most common areas that many/most website owners will need to consider include:
So what happens next?
Adaptive customers should look out for more GDPR information coming from the Adaptive team in the next few weeks. In the meantime, you can read more about the new regulations and what they potentially mean for your website in this excellent article from The Web Guild.