You are here : › Making a 2018 Drupal Site GDPR Compliant
Jun 28, 2018

Making a 2018 Drupal Site GDPR Compliant

What is GDPR? It is the regulation that is expected to set a higher standard for consumer data protection. It requires businesses to protect the privacy of EU citizens by protecting their data from transactions that are made within EU member states. Companies are now required to put their processes and systems in place to comply.

Being non-compliant can cost companies a lot. Here are the basics of GDPR compliance and what you should know if you’re doing business in Europe.

Requirements, Facts, and Deadlines

GDPR and Drupal website

The GDPR affects every company that processes or stores personal information about EU citizens within EU states. Companies are required to comply with criteria such as a presence in an EU country; no presence although it processes European residents’ data; more than 250 employees and processes data on a regular level.

GDPR protects private data, such as basic identity information (name, address, and ID numbers), biometric data, health and genetic data, web data (cookie data, IP address, RFID tags, and location), sexual orientation, political opinions, and ethnic or racial data.


Companies need to comply with GDPR by a May 25, 2018 deadline. According to this Solix survey from December, 22% of companies were unaware that they must abide by GDPR. The fines for non-compliance can go up to 4% of global annual turnover (as much as $6 billion in penalties and fines). If you are not compliant by the deadline, you won’t be alone.


There are several roles defined by the GDPR that are responsible for ensuring compliance: data protection officer, data processor, and data controller.

Preparing for the GDPR

Start a special task force that includes an in-house group that collects sensitive information, such as sales, finance, marketing, and operations. Involve all stakeholders and set a sense of urgency coming from the top management.

Making a Drupal Site GDPR Compliant

Any information related to identifying a person (such as name, address, IP address, email address, social security number, etc.) is considered to be personal data. Any form for data collection that deals with any commerce are affected.


First, inform the users that their data will be stored and disclose your storage practice in your privacy policy. They must know that the form on your Drupal site collects their personal information. Keep their data accessible and organized and give them an option to erase it or stop further collection.

Also, your Drupal site needs a form of consent withdrawal and a way to allow users to contact you easily. Communicate privacy information by explaining how you process the data after the GDPR implementation, and that they have a right to complain about the companies’ data-handling ways.

If your Drupal site experiences any data breach, it must be communicated to all users within 72 hours of becoming aware of it. You need to be compliant with Google Analytics, if you’re using it and follow some guidelines, such as:

  • Turn on IP anonymization
  • Audit data for PII (personally identifiable information)
  • Audit collection of pseudonymous identifiers
  • Building an opt-in/out capability
  • Updating contract, privacy policy on the website

While developing a Drupal website, Drupalgeeks can ensure that your website is integrated for auditing modules for security, performance, or a general review. It is the security audit on your Drupal site that reveals how you process and store the data. Contact us to help you with your Drupal website GDPR compliance.