GDPR compliance for Drupal websites
Pete Graylish

As we move closer to the launch of the new GDPR in May, here's an updated version of our original blog post about GDPR compliance for Drupal websites, originally published in September 2017:

The new GDPR - General Data Protection Regulation - comes into effect on 25th May this year and replaces the current Data Protection laws across the UK and Europe. It's important that all businesses are aware of the changes, and what they potentially mean for your business, as the consequences of not complying with the new regulations could be severe, with, worst case, fines of up to 20 million Euros for larger companies.

The GDPR aims to give individuals more control over the personal data held about them by businesses and organisations and ensures that those businesses/organisations are storing and using that data in a responsible and accountable manner.

Here at Adaptive, we are currently preparing information and guidance with regard to ensuring that our clients' Drupal websites are compliant with the GDPR and that any changes/additions required to their websites are in place by the deadline of 25th May 2018.

For some websites, this may simply be a case of ensuring that a clear data protection policy is visible on the website and is signposted from any key areas of the website where data is collected from users, such as contact forms, newsletter signups and other online forms.

For websites that collect and use visitor data in a more complex way, further provision may be needed on the website to ensure you remain compliant. Other key changes within the GDPR include the need to ensure any marketing opt-ins on forms specifically require the user to tick to agree to communications - no more ticking to opt out, or having opt-in boxes which are pre-ticked.

Adaptive will be in contact with each of our clients directly in the next couple of weeks with more information relating to GDPR compliance on their Drupal websites.

Will my website be affected?

The details of the new GDPR effectively mean that almost every website will need to ensure they are compliant in one form or another. The definition of "personal data" in the GDPR includes any "online identifier" logged/stored by a website. For this, read "IP address". Drupal sites will typically capture and store a visitor's IP address for certain logging processes. Similarly, server logs will also record a visitor's IP address as will third-party tools on a website such as Google Analytics. This means that, even if your website doesn't openly collect user data via user-submitted forms, the GDPR is still likely to apply if you are capturing visitor IP addresses, even though those IPs don't directly identify an individual.

GDPR is an EU regulation that applies to any organisation that collects data from EU residents. This therefore means that it will still be applicable to UK businesses post-Brexit as websites will still be accessible by EU residents, even if the UK population is no longer amongst them.

As part of the GDPR, Adaptive also has a certain degree of responsibility towards each website that we host or support so we will be strongly encouraging each of our customers to ensure that they are fully aware of the new regulations and implement our recommendations on their website to avoid potential issues.

What sort of changes are likely to be needed?

The changes required to websites to ensure GDPR compliance will vary from site to site depending on the functionality and data collection methods in place on the site. However, some of the most common areas that many/most website owners will need to consider include:

  • Your online Privacy Policy should be clear, easy to find and detail exactly what data is captured/held by the website, where/how this is stored and for what purposes it is used
  • Any data capture forms should have a statement explaining what the data being requested will be used for
  • Any options to receive communications of any sort, such as marketing messages, need to be clear as to what the recipient will receive by opting in. Users must have to tick the option to opt in; boxes cannot be ticked by default. Users must not be asked to tick to opt out.
  • "Bundled consent" is no longer permitted. For example, a website can no longer ask for a user's email address in exchange for access to a piece of content on the site and state that, by accessing the content, the user agrees to receive marketing messages. If such forms are used, a tickable option needs to be provided for the user to choose if they want to receive communications or not and the user can only be sent communications if they specifically tick this field.

So what happens next?

You can read more about the new regulations and what they potentially mean for your website in this excellent article from The Web Guild. We recommend taking professional advice on GDPR and the implications for each individual's business/organisation and website. For Adaptive clients, we're obviously here to help with the implementation of any changes that are required to your website to ensure you remain GDPR-compliant beyond May 25th.