GDPR + Drupal

Some insights into GDPR and Drupal:
- the good, the bad, the ugly
- some ideas for tackling GDPR as a continuing project
- quick wins GDPR
- quick wins Drupal


Andre Baumeier

June 08, 2018


Andre Baumeier (that's me)
• 10+ years in web and software development
• Head of technology at Burda Home and Burda Life, covering roles such as team and tech lead, information security officer and data privacy manager
• Certified Information Security Officer according to ISO 27001 *1
• (Certified *2) Data Protection Officer (GDPR Art. 37 #5)
• Techie, not a lawyer! This presentation has not been reviewed by a lawyer. You should definitely consult a lawyer.
• Q & A at the end

*1 took a formal test, got a certificate
*2 there's no test for this yet, but I got a nice certificate from a lawyer for attending a course
GDPR
• Strengthens consumer rights in order to protect the privacy of individuals in the European Union
• Maximum possible fines: 2-4% or 10-20 million EUR (based on the type of failure, whichever is higher)
• One month to react to a consumer request
• 72 hours for a qualified notice to the authorities upon a data breach
• These possible fines make this an important topic for almost every company
GDPR: data subject rights (the good)
• GDPR chapter 3, Art. 12-23
• Art. 15 Right of access by the data subject
• Art. 16 Right to rectification
• Art. 17 Right to erasure ('right to be forgotten')
• Art. 18 Right to restriction of processing
• Art. 19 Notification obligation regarding rectification or erasure of personal data or restriction of processing
• Art. 20 Right to data portability
• Art. 21 Right to object
GDPR: insufficiencies (the bad)
• Vague law text
• Confusing recitals
• Last minute, partially wrong* statements / interpretations by the authorities

* lawyers will battle about this for years
GDPR: insufficiencies (the bad)
• No certification available
• Fear of warning letters / lawsuits
• No legal grounds, no court decisions yet; approximately 6 years until they arrive for a broad range of topics
GDPR: Last minute changes (the ugly)
• Mandatory consent for tracking and personalization
• Apparently consent is required for setting cookies (this is still being debated)
GDPR: quick wins #1
• Check whether you need a DPO (10+ employees, main operation of your business is processing of personal data), Art. 37
• Have someone or a team of capable people set up a project group; treat this as a project. Needed skills:
  • Basic understanding of IT (really helps!)
  • Project management skills
  • Capability of reading and understanding (boring) law texts; this is a really dry topic. Don't give this job to someone who easily gets distracted.
GDPR: quick wins #2
• Set up a management system for data protection affairs
• Can be software driven, but that is not mandatory
• This is really about how you set up structure in your organization to deal with data protection tasks
• Communication flows
• Who's the go-to person
• Regular reviews of tasks and events
• Risk assessments
• Review your stack with regard to the state of the art
• Plan for the future: disaster plans, have contact lists and contracts with security specialists ready
• If you are familiar with ISO 27001, this is similar to an Information Security Management System (ISMS)
GDPR: Create a list of personal data processing activities (Art. 30)
• Check each of them for its legal grounds
• Evaluate whether you can search, export, edit, lock and delete within the attached data stores in order to fulfill all of the consumer rights
• Check their purpose: do you really need this? Can you avoid it?
• Example: you are selling leads for holiday trips to a company; all you need for billing is a statistic about how many leads you generated. You do not need the list of attendees including all their personal details!
GDPR: Create a list of personal data processing activities (example entry)

company / department: example ltd
title: online riddles
description: provide platform for customers to participate in online riddles; they can win goods, so we collect data on them
contact person: Steve, steve@example.tld, +123123123
data categories: contact data, address data
amount of datasets: 10k+
legal basis: contract fulfillment

This is just an example; the actual list probably needs more details. Contact a lawyer :)
GDPR: Know what you are doing
• Create an inventory of websites and apps and their use of personal data, including monitoring, analytics and tracking software
• Try to unify your web application landscape (get rid of the stuff you don't need):
  • Those crappy WordPress blogs no one cares about anyway
  • That one online marketing gig from 2012 that's still online
GDPR: more quick wins
• Have a way to reach your staff and give them information and updates; create roles and hubs rather than one-time go-to persons and documents: intranet, wiki, shared folder, fully fledged document management system
• Train your staff (all of them) and provide them with tools they can use right away:
  • ways to safely transfer personal data
  • encryption options, safe devices or a guideline to make their device safe
  • data protection 101 / SOS card / contact details of a team or person to reach out to when in doubt
  • ways to safely delete / destroy unneeded personal data: shredding machines
  • password manager; seriously: get one for your team and make them use it
GDPR: even more quick wins
• Data processing contracts: get them, sign them, you'll need them
GDPR: mooore quick wins
• Prepare and train for the worst! Assume a data breach will happen; it will.
• Set up communication strategies (who needs to talk to whom, and when?)
• Recovery plans, security specialists and contracts in place
• Remember: you've got 72 hours to provide the authorities with a qualified notice!
Drupal*: quick wins
• Identity & access management: provide your users with their own accounts, make sure you grant access only if needed and revoke access once the need is gone. => Covered by Drupal core
• Have a process to manage your site updates in time (automated attacks within hours after release; this is the world we live in). => Be it a manual process, or use something like Dropguard. Acquia has RA environments as well...
• Do you have forms on your page in which personal data should / can be entered? (Login form, newsletter, contact form, comment form, order form, just about any form) => Enable HTTPS encryption!
• Use Ghostery to check your page for external assets and trackers: Google Fonts, social media buttons, embedded social media items, external JS files from libraries. Get rid of them or gather consent first (the EU Cookie Compliance module has ways for this), or use 2+ click solutions such as Shariff to toggle them on.

* Can be applied to other systems as well
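The external-asset check above is done by hand with a browser tool; the script below is an added example (not from the presentation or any Drupal module) that does the same inventory statically over a page's HTML. It assumes you have fetched the markup yourself; a constructed sample page stands in here.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag attributes that make the browser fetch something when the page renders.
# Static scan only: assets injected by inline JavaScript (the usual analytics
# snippet) are not seen here; a browser tool such as Ghostery catches those.
LOADING_ATTRS = {
    "script": ("src",), "img": ("src",), "iframe": ("src",), "embed": ("src",),
    "source": ("src",), "audio": ("src",), "video": ("src", "poster"),
    "object": ("data",), "link": ("href",),  # any rel, incl. preconnect
}


class ExternalAssetParser(HTMLParser):
    """Records every host other than the site's own that the markup loads from."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.found = {}  # host -> set of (tag, url)

    def handle_starttag(self, tag, attrs):
        values = dict(attrs)
        for attr in LOADING_ATTRS.get(tag, ()):
            url = (values.get(attr) or "").strip()
            # Relative paths and data: URIs have no hostname; "//host/x" does.
            host = urlparse(url).hostname
            if host and host != self.own_host:
                self.found.setdefault(host, set()).add((tag, url))


def find_external_assets(html, site_url):
    """Map each third-party host to the sorted (tag, url) pairs referencing it."""
    parser = ExternalAssetParser(urlparse(site_url).hostname)
    parser.feed(html)
    return {host: sorted(refs) for host, refs in parser.found.items()}


# Constructed sample of a Drupal page, not a real site; the local assets are
# ignored, the four third-party hosts are what needs consent or removal.
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="stylesheet" href="/sites/default/files/css/styles.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="/core/misc/drupal.js"></script>
</head><body>
<img src="//www.example.org/sites/default/files/logo.png">
<iframe src="https://www.facebook.com/plugins/like.php?href=x"></iframe>
<script src="https://cdn.example.org:8443/shariff.min.js"></script>
</body></html>"""
```

Run `find_external_assets(SAMPLE_HTML, "https://www.example.org")` and every host in the result is one to either drop or put behind a consent or 2-click toggle; subdomains of your own site show up too, since a different host is a different connection.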
Drupal: quick wins
• Privacy by default: profile options and forms with already ticked checkboxes are a no-no => profile2, gdpr module
• Use double opt-in to verify email addresses and their consent for you to contact them
• Update your data protection statement
• Update any forms gathering personal data and provide information about the data subject rights => gpdr_form_compliance
• Have dev, stage and prod environments
• Don't use live data containing personal data on dev and stage; treat it as toxic information => modules: gdpr, mask_user_data, scrambler
Bonus: more advanced topics #1
• Penetration tests and site audits
• What is state of the art according to GDPR? Art. 32
Bonus: more advanced topics #2
• State of the art should be benchmarked periodically within your data protection management system: every 2-3 years for each solution / system
• Centralize identity and access management
• OTP, 2FA, MFA
Bonus: current affairs
• European Court of Justice ruling that Facebook page owners are responsible together with Facebook for the processing of personal data on those pages (this ruling can and will be applied to other (social media) platforms as well)
• "The administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of data of visitors to the page"
Additional information
• https://
• GDPR-modules in Drupal - Sven Berg https://
• Fun and profit from GDPR by Mikko Hämäläinen (Druid) - DrupalCamp Nordics 2017 https://
• New EU privacy legislation (GDPR) and Drupal by Kalle Varisvirta (Exove) - DrupalCamp Nordics 2017 https://
• Rob Humphries - Get ready for GDPR https://
• GDPR Compliance with Google Analytics – Do You Need Cookie Consent https://