Making your Drupal website GDPR compliant

Post by Drew J Picture of Drew J
Ixis Service
Reading time 6 mins clock

Well, after months of speculation and worry, the GDPR has finally arrived. Quite how effective it will be is a question that will only be answered in the coming years. How do you make sure your Drupal website is compliant with the GDPR? Well, the simple answer that preparation is key, but you wouldn’t be reading this if you wanted the simple answer.

Firstly, the wonderful Drupal community provides a GDPR module that you can install on your Drupal site. Whilst this doesn’t necessarily make your site compliant, the module aims to provide you with an understanding of how it affects Drupal and provides you with the help you need.

The Drupal community also put together a list with a vast number of Drupal specific and non-Drupal specific modules, articles and web pages which aim to make your website is compliant with the GDPR.

Cleaning up consent

One of the key issues of GDPR is consent, and what this meant for the existing contacts most companies had for marketing purposes. The ICO’s guidance on consent is “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Drupal has a GDPR form compliance module which will help you add a single mandatory checkbox to each form on your website. This can be easily configured to suit your forms needs and remain compliant with the GDPR.

The popular Webform module also has built in functionality to purge completed form submissions automatically after a set number of days - which can be a way to help you meet the directives set out in your companies GDPR policy.

It’s time to forget

It must be easy for website users to be able to remove consent to marketing activities if required and ultimately if they want to, it must be simple and easy for them to delete their information from a entirely. Whilst GDPR doesn’t provide a mechanism to do such a thing, you should tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. Meaning, you should have made sure to have a simple and effective way of withdrawing consent that is made available to your users. Your users also have the right to see what you store about them, and if appropriate, update that information if they feel it is incorrect. If a piece of information has been derived, perhaps from an algorithm, they have the right to challenge this and even to ask that a human determine the information instead.

For those e-commerce websites, the Commerce GDPR module will allow you to provide anonymity for a users data but it will still be available for statistical and historical purposes. This won’t allow you to identify a user and your store will comply with the GDPR. The module will add 2 bits of functionality, one being manual user account anonymisation which will allow customers be forgotten should they choose, the other is an optional automatic anonymisation which will forget a customer after a certain period of inactivity on your site.


Mailing lists

Whilst the GDPR may have meant you have lost a number of potential customers data that may have been used for marketing purposes, this doesn’t necessarily mean it’s a bad thing. By now we all should have sent out those emails asking customers to confirm that you have permission to use their data for specific purposes. Well, those customers who have updated their permissions and allowed you to continue to contact them are incredibly valuable. These are the customers who want your business, they want to keep up to date with you and for your business, this is fantastic news. Taking the people who no longer engage with your content will only serve to further enhance your reputation and enhance your engagement with your existing customers.

Everyone is different

The above advice is just a small number of things that could have been done to comply with GDPR regulations. There is no one size fits all approach, not every rule and regulation applies to every site. Also, automation is useful and you can make use Drupal to be responsible for certain tasks, however, you will still be accountable for compliance, so there should be a management system in place to check and measure compliance regularly.  If you are still unsure whether or not your website is GDPR compliant then you check your website against the ICO’s guide to GDPR compliance or if you think you need the support and guidance of a Drupal specialist to make sure you are abiding by the new regulations you can get in touch with us by giving us a call on 01925 320041, email us at or alternatively you can fill out our contact form and one of our experienced Drupal specialists will get in touch with you shortly.

Profile picture for user Drew J

Drew J

Digital Marketer

Digital Marketing Apprentice here at Ixis. I am responsible for all of the Ixis social media channels, often the writer of blog posts and forever trying to wrap my head around SEO.

Add new comment

Share this article

Sign up to our newsletter!

Our thoughts

Let's work together

Get in touch and find out how we can empower your organisation.
Back to top