Getting Your Drupal Website GDPR Compliant


As the GDPR comes into effect, businesses are scrambling to take measures to become compliant with the regulation. If you are maintaining a Drupal website and would like to know how easily you can make your website a GDPR compliant one, read on.

This article focuses on the contributed modules available on Drupal.org that are aimed at helping website owners become compliant with the new regulation.

EU Cookie Compliance

Module: EU Cookie Compliance

Versions: 7.x-1.23, 8.x-1.0

Satisfies: Article 7 [2]

This was released after the EU Directive came into effect in May 2012. However, this is useful under the GDPR too.

Under the GDPR, you should inform your visitors of the cookies you are using on your website and give them an option to opt out of them. This module provides:

  1. A cookie banner that can be shown to visitors
  2. Option to set cookies using JavaScript. Option to set cookie expiration
  3. Ability to customize the banner - position, color, role
  4. Option to restrict the banner to EU countries. However, this requires additional modules to be configured

 

 

What This Module Doesn’t Cover: Ability to Opt Out of or Unset Cookies

Under the GDPR, it is mandatory that visitors be able to withdraw their consent easily. This means that if they have accepted the cookies, they should be able to undo that choice in a similar way. This module doesn’t provide an option for that.

If your website does not collect personal information from visitors and only uses needed cookies, you can use this module to display the cookie banner to visitors. Configuring the module takes only a couple of minutes.

General Data Protection Regulation

Module: General Data Protection Regulation

Versions: 7.x-1.0-alpha5, 8.x-1.0-alpha11

Satisfies: Article 6 [1], Article 7 [2]

The module comes with the following:

Checklist

The site admin can review the checklist manually and ensure that the necessary measures are taken to comply with the GDPR. The checklist items include whether there is a privacy policy page, whether the enabled modules are using relevant information, whether a user has the option to cancel his/her account, and so on.

 

 

Drush Command

The ‘SQL Dump settings’ module provides a Drush command to obscure the fields which contain sensitive personal data. The aim is to prevent developers from accessing sensitive information of users.

GDPR Consent

User agreements can be set up and tracked using this module. This is only available for Drupal 8.

GDPR Fields

Fields that contain sensitive personal data can be marked as GDPR fields. Currently only marking is supported and more development is in progress. This is also available only for Drupal 8.

The Drupal.org page for this module explains that more development is on the way. Items such as letting the user initiate the “forget me” action by site administrators and a GDPR views data export to track data flowing out from Drupal are listed as future tasks, and development progress looks promising. Once all those features are deployed, you might only need this single module.

Scrambler

Module: Scrambler

Versions: 7.x-1.0-beta4

Satisfies: Article 6 [1]

By configuring what data to scramble, you can avoid exposing sensitive information from your database. The module also contains the Scrambler Field submodule, which lets you administer which scramble methods to apply per field. The default scrambling methods available are emptying values, shuffling characters and shuffling words. You can also define your own custom sanitizing methods.
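To make the three default methods concrete, here is an added Python illustration (not code from the Scrambler module or from this article's author) that applies a per-field method map to constructed sample rows and reports what a shuffled value still reveals. The names FIELD_METHODS, scramble_rows and residual_leak and the sample data are assumptions made for the example.

```python
import random

# Constructed sample rows standing in for a users table; not real data.
SAMPLE_USERS = [
    {"uid": 1, "name": "alice", "mail": "alice@example.com", "bio": "likes long mountain hikes"},
    {"uid": 2, "name": "bob", "mail": "bob@example.org", "bio": "plays chess every weekend"},
]

def empty_value(value, rng):
    """Emptying: the only method here that removes the data entirely."""
    return ""

def shuffle_characters(value, rng):
    """Permute characters. Length and character counts survive the shuffle."""
    chars = list(value)
    rng.shuffle(chars)
    return "".join(chars)

def shuffle_words(value, rng):
    """Permute whitespace-separated words. Every word survives intact."""
    words = value.split()
    rng.shuffle(words)
    return " ".join(words)

# Hypothetical per-field map (field name -> method), modelled on the
# description of the Scrambler Field submodule, not on its real config.
FIELD_METHODS = {"mail": empty_value, "name": shuffle_characters,
                 "bio": shuffle_words}

def scramble_rows(rows, field_methods, seed=None):
    """Return sanitized copies of rows; unmapped fields pass through unchanged."""
    rng = random.Random(seed)
    out = []
    for row in rows:
        clean = dict(row)
        for field, method in field_methods.items():
            if clean.get(field) is not None:
                clean[field] = method(str(clean[field]), rng)
        out.append(clean)
    return out

def residual_leak(original, scrambled):
    """Report what a scrambled value still reveals about the original."""
    return {"same_length": len(original) == len(scrambled),
            "same_characters": sorted(original) == sorted(scrambled)}

if __name__ == "__main__":
    print(scramble_rows(SAMPLE_USERS, FIELD_METHODS, seed=7))
```

Because shuffling keeps every character or word of the original, short or distinctive values can often be guessed back, so fields holding direct identifiers are better emptied than shuffled.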

General Data Protection Regulation Compliance

Module: General Data Protection Regulation Compliance

Versions: 8.x-1.7

Satisfies: Article 6 [1], Article 7 [2]

The features available in this module are:

Form Checkboxes

It provides the option to display a GDPR warning in the form of a checkbox that can be added to the user registration, login or node forms.

Pop-up Alert

Similar to the EU Cookie Compliance module, a configurable cookie banner settings page is provided. The popup can be configured to display for guests or authenticated users.

Policy Page

The module ships with its own ‘Policy Page’ with detailed information on cookies and an option to clear browser cookies. The content of the page can be edited to suit your needs.

GDPR Consent

Module: GDPR Consent

Versions: 7.x-1.0-beta4

Satisfies: Article 6 [1]

This module allows you to collect data processing consent from logged-in users. Administrators can view the consent history. The module is still under active development and has some known issues to start with.

Mask User Data

Module: Mask User Data

Versions: 7.x-1.0-alpha9, 8.x-1.0-alpha5

Satisfies: Article 6 [1]

This module will mask all the current data in your database related to the users. You can easily define a map with the fields to mask and the Faker function to use for each one. You can either use a Drush command or wait for cron to run to perform the masking.

Commerce GDPR

Module: Commerce GDPR

Versions: 7.x-1.0-beta1

Satisfies: Article 6 [1]

If you are using Drupal Commerce, then this module might be helpful for you. The module provides the following features:

  • Manual user account anonymization ("I want to be forgotten") along with orders and customer profiles connected to the account.
  • Optional automatic anonymization after a certain period of inactivity set in days.

GDPR Export

Module: GDPR Export

Versions: 7.x-1.0-alpha1

Satisfies: Article 15 [3], Article 20 [4]

The module introduces a button on the user edit page which will export and provide zipped data of a user. If additional fields or 3rd party modules are used, these may be handled via custom code.

GDPR Tag Manager

Module: GDPR Tag Manager

Versions: 8.x-1.0

Satisfies: Article 6 [1], Article 7 [2]

The module implements Google Tag Manager and IP Country Code lookup. A GTM dataLayer variable is set with the continent code value, which allows you to trigger or disable tracking scripts to help make the site GDPR compliant.

This module also provides a cookie consent popup with an option to disable pop-ups for North American countries.

Kindly note that just enabling any one of the modules will not make your website GDPR compliant. The above modules only satisfy certain conditions and you might still need to take care of other aspects of the regulation. If you would like development assistance with the GDPR compliance of your site, get in touch with us.

Reference

[1] https://gdpr-info.eu/art-6-gdpr/

[2] https://gdpr-info.eu/art-7-gdpr/

[3] https://gdpr-info.eu/art-15-gdpr/

[4] https://gdpr-info.eu/art-20-gdpr/