GDPR and Drupal
You’ve probably heard about GDPR. If you haven’t yet, you should, because it has applied in every EU country since May 25, 2018. Here I want to share some information that I also learned at the Drupal HackCamp event in Bucharest.
First of all, GDPR (General Data Protection Regulation) is basically a law that must be followed in all European countries. Its purpose is to expand the rights of individuals over how their data is collected and processed, ultimately returning control to citizens over the use of their data.
I would like to take a look into this from two points of view.
As a user (user of a site, client of a company) you have the right to:
- information about the processing of your personal data;
- obtain access to the personal data held about you;
- ask for incorrect, inaccurate or incomplete personal data to be corrected;
- request that personal data be erased when it’s no longer needed or if processing it is unlawful;
- object to the processing of your personal data for marketing purposes or on grounds relating to your particular situation;
- request the restriction of the processing of your personal data in specific cases;
- receive your personal data in a machine-readable format and send it to another controller (‘data portability’);
- request that decisions based on automated processing concerning you or significantly affecting you and based on your personal data are made by natural persons, not only by computers. You also have the right in this case to express your point of view and to contest the decision.
These rights apply across the EU, regardless of where the data is processed and where the company is established.
As a Drupal Developer, you should be aware of:
- Identity and Access management: give your users access to their own account, and give them the possibility to export or delete their personal data. This is covered by Drupal core.
- Consent for personal data: any form that collects data from users must have clear opt-in fields with concise descriptions. Don’t use forms with already ticked checkboxes.
- Update your site promptly (automated attacks can follow within hours of a release).
- Enable HTTPS encryption if you have pages with forms in which users enter personal data: login and registration forms, contact form, newsletter, comment form, etc.
- Use dev, stage and production environments, but do not use live data on dev and stage.
- Keep data for no longer than necessary (if you’ve collected the data for a specific purpose like shipping a product, you have to delete it as soon as you no longer need it).
- Don’t assume 3rd parties are compliant. You are responsible if there’s a data breach at one of the 3rd parties to which you send personal data. So when you send data via an API to another service, make sure they have at least a basic level of data protection.
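To make the consent and retention points concrete, here is an added example for Drupal 8/9 that is not from the original post or the linked slides: a newsletter sign-up form with an unticked, required consent checkbox and a concise purpose description, plus a cron hook that purges consent records after a retention period. The module name `example_consent`, the table `example_consent_log` (assumed to be declared in the module’s hook_schema()), and the one-year retention period are all assumptions chosen for illustration.

```php
<?php

// File: src/Form/NewsletterSignupForm.php in the assumed module example_consent.
namespace Drupal\example_consent\Form;

use Drupal\Core\Form\FormBase;
use Drupal\Core\Form\FormStateInterface;

/**
 * Newsletter sign-up form with an explicit, unticked consent checkbox.
 */
class NewsletterSignupForm extends FormBase {

  public function getFormId() {
    return 'example_consent_newsletter_signup';
  }

  public function buildForm(array $form, FormStateInterface $form_state) {
    $form['email'] = [
      '#type' => 'email',
      '#title' => $this->t('E-mail address'),
      '#required' => TRUE,
    ];
    // The consent box starts unticked (no pre-ticked checkboxes) and states
    // concisely what the address is used for. Because it is required, the
    // form cannot be submitted unless the user actively ticks it.
    $form['consent'] = [
      '#type' => 'checkbox',
      '#title' => $this->t('I agree to receive the newsletter by e-mail.'),
      '#description' => $this->t('We use your address only to send the newsletter. You can unsubscribe at any time.'),
      '#default_value' => 0,
      '#required' => TRUE,
    ];
    $form['actions']['submit'] = [
      '#type' => 'submit',
      '#value' => $this->t('Subscribe'),
    ];
    return $form;
  }

  public function submitForm(array &$form, FormStateInterface $form_state) {
    // Record what was consented to and when, so the consent can be shown to
    // the user on request and erased when it is no longer needed.
    \Drupal::database()->insert('example_consent_log')
      ->fields([
        'email' => $form_state->getValue('email'),
        'purpose' => 'newsletter',
        'consented_at' => \Drupal::time()->getRequestTime(),
      ])
      ->execute();
    $this->messenger()->addStatus($this->t('Thank you, your subscription has been recorded.'));
  }

}

// The following belongs in example_consent.module (global namespace), not in
// the form class file; it is shown here so the block reads as one example.

/**
 * Implements hook_cron().
 *
 * Deletes consent records older than the assumed retention period so that
 * personal data is not kept longer than necessary.
 */
function example_consent_cron() {
  // Assumed retention period: one year, expressed in seconds.
  $retention = 365 * 24 * 60 * 60;
  $cutoff = \Drupal::time()->getRequestTime() - $retention;
  \Drupal::database()->delete('example_consent_log')
    ->condition('consented_at', $cutoff, '<')
    ->execute();
}
```

The form is reached through a route defined in the module’s routing file pointing at this class (not shown); Drupal’s cron runner calls the hook on each cron run, so the retention rule is applied automatically rather than depending on someone remembering to clean up.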
Another important thing to mention is that in case of a data breach, it must be reported to the ICO within 72 hours of becoming aware of the breach.
GDPR compliance is mainly about organization and documentation. No module can create, provide, automate or guarantee legal compliance. However, there are some Drupal modules that can help you make a site GDPR compliant: GDPR, GDPR Form Compliance, GDPR Consent, GDPR Export.
As a short conclusion, the purpose of GDPR is to make you aware when processing personal data. It forces best practices in a legal way and is useful for everyone.
https://speakerdeck.com/andreb/gdpr-plus-drupal by Andre Baumeier