Getting Your Drupal Website GDPR Compliant
As the GDPR comes into effect, businesses are scrambling to take measures to become compliant with the regulation. If you are maintaining a Drupal website and would like to know how easily you can make your website a GDPR compliant one, read on.
This article focuses on the contributed modules available on Drupal.org that are aimed at helping website owners become compliant with the new regulation.
EU Cookie Compliance
Module: EU Cookie Compliance
Versions: 7.x-1.23, 8.x-1.0
Satisfies: Article 7 [2]
This was released after the EU Directive came into effect in May 2012. However, this is useful under the GDPR too.
With the new GDPR, you should inform your visitors of the cookies you are using on your website and give an option for them to opt out from the same. This module provides
- A cookie banner that can be shown to visitors
- Option to set cookies using JavaScript. Option to set cookie expiration
- Ability to customize the banner - position, color, role
- Option to restrict the banner to EU countries. However, this requires additional modules to be configured
What this module doesn’t cover: the ability to opt out of or unset cookies
Under the GDPR, visitors must be able to withdraw their consent as easily as they gave it. This means that if they have accepted cookies, they should be able to undo that acceptance in a similar way. This module does not provide such an option.
If your website does not collect visitors' personal information and only sets the cookies it needs to function, you can use this module to display the cookie banner to visitors. Configuring the module takes only a couple of minutes.
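The gap described above, withdrawing consent as easily as it was given, is the part a site owner usually has to build themselves. The following is an added example, not code from the EU Cookie Compliance module: a small consent store that records consent with an expiry, refuses to set any non-essential cookie while consent is absent, and on withdrawal expires every non-essential cookie the page can reach. The `CookieJar` class is a constructed stand-in for `document.cookie` so the logic runs under Node; the cookie name `cookie-agreed`, its values, and the list of essential cookie names are assumptions for the example.

```javascript
// Added example, not part of the EU Cookie Compliance module.
// CookieJar mimics document.cookie assignment semantics so that the
// grant/withdraw logic can run and be tested outside a browser.

const CONSENT_COOKIE = 'cookie-agreed';               // assumed cookie name
const ESSENTIAL = new Set(['SESS', CONSENT_COOKIE]);  // assumed essential names

class CookieJar {
  constructor() { this.store = new Map(); }
  // Accepts "name=value; expires=<date>; path=/" like document.cookie.
  // An expiry in the past deletes the cookie, exactly as a browser does.
  set(header, now = Date.now()) {
    const [pair, ...attrs] = header.split(';').map(s => s.trim());
    const eq = pair.indexOf('=');
    const name = pair.slice(0, eq);
    const value = pair.slice(eq + 1);
    let expires = null;
    for (const a of attrs) {
      const [k, v] = a.split('=');
      if (k.toLowerCase() === 'expires') expires = Date.parse(v);
    }
    if (expires !== null && expires <= now) { this.store.delete(name); return; }
    this.store.set(name, { value, expires });
  }
  get(name) { const c = this.store.get(name); return c ? c.value : undefined; }
  names() { return [...this.store.keys()]; }
}

function expiryHeader(days, now = Date.now()) {
  return new Date(now + days * 86400 * 1000).toUTCString();
}

// '2' = accepted, '0' = declined/withdrawn (assumed encoding).
function hasConsent(jar) { return jar.get(CONSENT_COOKIE) === '2'; }

// Visitor accepted the banner: record consent with an expiry in days.
function grantConsent(jar, days = 100, now = Date.now()) {
  jar.set(`${CONSENT_COOKIE}=2; expires=${expiryHeader(days, now)}; path=/`, now);
}

// Gate for every non-essential cookie: set it only when consent exists.
function setOptionalCookie(jar, name, value, days, now = Date.now()) {
  if (!hasConsent(jar)) return false;
  jar.set(`${name}=${value}; expires=${expiryHeader(days, now)}; path=/`, now);
  return true;
}

// Withdrawal: expire every non-essential cookie the page can reach, then
// record the refusal. HttpOnly cookies are invisible to JavaScript and
// need a server-side path; this only clears what the client can see.
function withdrawConsent(jar, now = Date.now()) {
  const past = new Date(0).toUTCString();
  const removed = [];
  for (const name of jar.names()) {
    if (ESSENTIAL.has(name)) continue;
    jar.set(`${name}=; expires=${past}; path=/`, now);
    removed.push(name);
  }
  jar.set(`${CONSENT_COOKIE}=0; expires=${expiryHeader(100, now)}; path=/`, now);
  return removed;
}
```

In a real page the same two functions would be wired to the banner's "accept" and "withdraw" controls, and every script that sets a tracking cookie would go through `setOptionalCookie` rather than writing `document.cookie` directly.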
General Data Protection Regulation
Module: General Data Protection Regulation
Versions: 7.x-1.0-alpha5, 8.x-1.0-alpha11
Satisfies: Article 6 [1], Article 7 [2]
The module comes with the following:
Checklist
The site admin can review the checklist manually and ensure that the necessary measures are taken to comply with the GDPR. The checklist items include whether there is a privacy policy page, whether the enabled modules use only relevant information, whether a user has the option to cancel their account, etc.
Drush Command
The ‘SQL Dump settings’ submodule provides a Drush command to obscure the fields that contain sensitive personal data. The aim is to prevent developers from accessing users' sensitive information.
GDPR Consent
User agreements can be set up and tracked using this module. This is only available for Drupal 8.
GDPR Fields
Fields that contain sensitive personal data can be marked as GDPR fields. Currently only marking is supported and more development is in progress. This is also available only for Drupal 8.
The Drupal.org page for this module explains that more development is on the way. Features such as letting a user initiate a “forget me” request that site administrators then act on, and a GDPR views data export to track data flowing out of Drupal, are listed as future tasks, and development progress looks promising. Once all those features are deployed, you might only need this single module.
Scrambler
Module: Scrambler
Versions: 7.x-1.0-beta4
Satisfies: Article 6 [1]
By configuring which data to scramble, you can prevent sensitive information from being exposed from your database. It also contains the Scrambler Field submodule, which allows you to administer which scramble method to apply per field. The default scrambling methods available are emptying values, shuffling characters and shuffling words. You can also define your own custom sanitizing methods.
General Data Protection Regulation Compliance
Module: General Data Protection Regulation Compliance
Versions: 8.x-1.7
Satisfies: Article 6 [1], Article 7 [2]
The features available in this module are:
Form Checkboxes
It provides the option to display a GDPR warning as a checkbox that can be added to the user registration, login or node forms.
Pop-up Alert
Similar to the EU Cookie Compliance module, a configurable cookie banner settings page is provided. The popup can be configured to display for guests or authenticated users.
Policy Page
The module ships with its own ‘Policy Page’ with detailed information on cookies and an option to clear browser cookies. The content of the page can be edited to suit your needs.
GDPR Consent
Module: GDPR Consent
Versions: 7.x-1.0-beta4
Satisfies: Article 6 [1]
This module allows you to collect data processing consent from logged-in users. Administrators can view the consent history. The module is still under active development and has some known issues.
Mask User Data
Module: Mask User Data
Versions: 7.x-1.0-alpha9, 8.x-1.0-alpha5
Satisfies: Article 6 [1]
This module masks all the existing user-related data in your database. You define a map of the fields to mask and the Faker function to use for each one. The masking can be run either through a Drush command or by waiting for cron to run.
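Both the Scrambler module and Mask User Data come down to the same mechanism: a per-field map from a column to a sanitising method, applied over a copy of the user data. The following is an added example, not the code of either module, that implements that mechanism in JavaScript: built-in methods for emptying, shuffling characters, shuffling words and a Faker-style email replacement, plus custom functions, all driven by a field map. The user records, the `fake_email` generator and the field map are constructed for the example; a seeded PRNG is used so that runs are reproducible.

```javascript
// Added example, not the Scrambler or Mask User Data module code.
// Per-field sanitiser: each field is mapped to a method name or a custom
// function, mirroring the "which method per field" configuration.

// Small seeded PRNG (mulberry32) so test runs are reproducible.
function mulberry32(seed) {
  return function () {
    seed |= 0; seed = (seed + 0x6D2B79F5) | 0;
    let t = Math.imul(seed ^ (seed >>> 15), 1 | seed);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Fisher-Yates shuffle over a copy of the array.
function shuffle(items, rand) {
  const a = items.slice();
  for (let i = a.length - 1; i > 0; i--) {
    const j = Math.floor(rand() * (i + 1));
    [a[i], a[j]] = [a[j], a[i]];
  }
  return a;
}

// Built-in methods; each receives (value, rand, record) and returns a new value.
const METHODS = {
  empty: () => '',
  shuffle_chars: (v, rand) => shuffle(String(v).split(''), rand).join(''),
  shuffle_words: (v, rand) => shuffle(String(v).split(' '), rand).join(' '),
  // Faker-style replacement (assumed generator): keeps the value's shape, a
  // syntactically valid email, while breaking the link to the real person.
  fake_email: (v, rand, rec) => `user${rec.uid}@example.invalid`,
};

// Apply a field map to every record and return sanitised copies.
// An unknown method is an error rather than a silent no-op, so a typo in
// the map cannot leave a sensitive field untouched.
function scrambleRecords(records, fieldMap, seed = 1) {
  const rand = mulberry32(seed);
  return records.map(rec => {
    const out = { ...rec };
    for (const [field, method] of Object.entries(fieldMap)) {
      const fn = typeof method === 'function' ? method : METHODS[method];
      if (!fn) throw new Error(`unknown scramble method for ${field}: ${method}`);
      if (field in out) out[field] = fn(out[field], rand, rec);
    }
    return out;
  });
}

// Constructed sample input, not real user data.
const SAMPLE_USERS = [
  { uid: 1, name: 'alice', mail: 'alice@example.com', phone: '+44 20 7946 0000', bio: 'lives in Leeds' },
  { uid: 2, name: 'bob', mail: 'bob@example.com', phone: '+1 555 0100', bio: 'works at Acme' },
];

// Constructed field map: one method per sensitive column.
const SAMPLE_MAP = {
  mail: 'fake_email',
  phone: 'empty',
  name: 'shuffle_chars',
  bio: 'shuffle_words',
  uid: (v) => v,   // custom method: keep the key so related tables still join
};

function demo() { return scrambleRecords(SAMPLE_USERS, SAMPLE_MAP, 42); }
```

Two things the map-driven design makes visible: shuffling characters of a short value can return the original unchanged, so it is weaker than replacement for short fields, and the scrambled copy only helps if it is what developers actually receive; database backups and log files made before the run still hold the originals.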
Commerce GDPR
Module: Commerce GDPR
Versions: 7.x-1.0-beta1
Satisfies: Article 6 [1]
If you are using Drupal Commerce, then this module might be helpful for you. The module provides the following features:
- Manual user account anonymization ("I want to be forgotten") along with orders and customer profiles connected to the account.
- Optional automatic anonymization after a certain period of inactivity set in days.
GDPR Export
Module: GDPR Export
Versions: 7.x-1.0-alpha1
Satisfies: Article 15 [3], Article 20 [4]
The module adds a button on the user edit page that exports and provides a zipped archive of that user's data. If additional fields or third-party modules are used, these may need to be handled via custom code.
GDPR Tag Manager
Module: GDPR Tag Manager
Versions: 8.x-1.0
Satisfies: Article 6 [1], Article 7 [2]
The module implements Google Tag Manager and an IP country code lookup. A GTM dataLayer variable is set with the continent code, which allows you to trigger or disable tracking scripts and so helps make the site GDPR compliant.
This module also provides a cookie consent popup with an option to disable pop-ups for North American countries.
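The continent code on the dataLayer only helps if something reads it together with the visitor's consent decision before a tag fires. The following added example, not the GDPR Tag Manager module's code, shows that gating logic: it reduces a GTM-style dataLayer (oldest push first) to the latest continent code and consent event, treats an exempt continent the way the module's "no pop-up for North America" option does, and otherwise fails closed, firing only essential tags until consent is granted. The event name `cookie_consent`, the `continentCode` key, the tag names and the exemption set are assumptions for the example.

```javascript
// Added example, not the GDPR Tag Manager module's code.
// Consent-aware tag gating driven by a GTM-style dataLayer.

// Assumed policy: North America is exempt from the pop-up and tracks by
// default; every other continent, and an unknown one (lookup failed),
// requires explicit consent first.
const EXEMPT_CONTINENTS = new Set(['NA']);

// Assumed tag catalogue; essential tags may run without consent.
const TAGS = {
  analytics: { essential: false },
  ads: { essential: false },
  errorMonitor: { essential: true },
};

// Reduce the dataLayer (array of pushed objects, oldest first) to the
// latest continent code and consent state, the way GTM variables resolve.
function readState(dataLayer) {
  let continent = null;
  let consent = null;   // null = no decision yet, true/false once decided
  for (const entry of dataLayer) {
    if (typeof entry.continentCode === 'string') {
      continent = entry.continentCode.toUpperCase();
    }
    if (entry.event === 'cookie_consent') consent = entry.granted === true;
  }
  return { continent, consent };
}

// Decide which tags may fire and whether the pop-up must be shown.
// A withdrawn consent (granted: false) stops tracking even in an exempt
// region; an unknown continent is treated as requiring consent.
function evaluateTags(dataLayer) {
  const { continent, consent } = readState(dataLayer);
  const exempt = continent !== null && EXEMPT_CONTINENTS.has(continent);
  const trackingOk = exempt ? consent !== false : consent === true;
  const fire = Object.entries(TAGS)
    .filter(([, tag]) => tag.essential || trackingOk)
    .map(([name]) => name);
  return { showPopup: !exempt && consent === null, fire };
}

// Typical page flow: the server-side lookup pushes the continent, the
// banner pushes the consent event, and each tag checks evaluateTags()
// before loading its script.
function demo() {
  const dataLayer = [];
  dataLayer.push({ continentCode: 'EU' });
  const before = evaluateTags(dataLayer);
  dataLayer.push({ event: 'cookie_consent', granted: true });
  const after = evaluateTags(dataLayer);
  return { before, after };
}
```

The fail-closed default for an unknown continent is the important design choice: a failed or spoofed IP lookup then costs a pop-up for a visitor who did not need one, rather than tracking a visitor who did not consent.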
Kindly note that just enabling any one of these modules will not make your website GDPR compliant. The above modules only satisfy certain conditions, and you might still need to take care of other aspects of the regulation. If you would like development assistance with the GDPR compliance of your site, get in touch with us.
Reference
[1]. https://gdpr-info.eu/art-6-gdpr/
[2]. https://gdpr-info.eu/art-7-gdpr/
[3]. https://gdpr-info.eu/art-15-gdpr/
[4]. https://gdpr-info.eu/art-20-gdpr/