Apr 30, 2018 - Justin Emond

Seven Must-Do Checks to Ensure Your Drupal Site Is Ready for GDPR

By now, you have probably heard of the General Data Protection Regulation (GDPR), the onerous new EU rule that goes into effect on May 25, 2018. You have probably also heard that the fines for GDPR violations are stiff—up to 4 percent of a company’s annual revenue—and that the requirements for compliance are just as frightening as the fines. While the regulations cover EU citizens, many U.S.-based companies will have to comply with the regulations (see our guide on determining your organization’s GDPR risk).


Once you determine if your site needs to comply,  it’s time to roll up your sleeves and get to work making changes to your digital experience. Here are our seven must-do checks to ensure your Drupal site is ready for GDPR:

Check 1: Make sure your implied consent flow does not gather data on the first-page load

Implied consent is when a new visitor comes to your site for the first time and has already accessed the content before accepting the terms and conditions.  Here is a common example:


But here’s the thing. Before users even click that button, the site has already gathered data.  That’s why it’s called implied consent because just by visiting the URL, a user’s data has been collected. Sure, they can leave immediately, but your site has already gathered their data. Many of our clients use this approach to comply with existing regulations, and this experience flow is common across mid-market and enterprise US-based organizations.

The problem is that GDPR invalidates implied consent. The new standard under the law is called affirmative consent, which must be given by the use. That means that any company using implied consent flow has to make a critical change to be GDPR compliant: Data cannot be collected until second-page load. This puts the choice in the hands of the visitor; they can stay and share data, or leave without sharing any at all.

To make the change in Drupal, you will likely need to have your engineering team write custom code to defer any cookie placements and other GDPR-covered data gathering to the second-page load for all traffic (as you can’t guarantee a visitor is an EU citizen by location).

Check 2: Make sure you have explicit consent checkboxes on all data-gathering forms

Here is a screenshot of our popular Drupal Magento integration white paper download form:

Screen Shot 2018-02-16 at 1.15.40 PM.png

This form is not GDPR-compliant because it doesn’t have an explicit checkbox or other form fields that explains to the user how the data will be used and asking for their affirmative consent. You will need to go into Drupal and add consent boxes and language to all of your forms that you use to gather data and market to people (which likely were built using the Webforms module).

Check 3: Audit every cookie created by Drupal code

GDPR protects all personal data, which can include IP addresses, cookies, and other non-obvious means of associating data with an individual person. IT Compliance puts it best: “When cookies can identify an individual via their device, it is considered personal data.”

Along with ensuring the compliance of your third-party apps and integrations, you also need to audit every cookie created by all of the custom and contributed modules of your site and refine the cookies as needed. For this, you will need to have your engineering team perform a source code-wide search for any JavaScript or PHP that creates or modifies cookies, and carefully document and evaluate it for compliance.

Check 4: Audit every third-party app

In a Drupal site, cookies can be created by Drupal core itself, contributed modules, custom modules written by your engineering team, and by any third-party app that’s integrated into your site. Third-party apps can potentially be integrated by Drupal admin users as well as your engineering team.

Every third-party app needs to be audited for GDPR compliance. Many popular apps are likely to be compliant, like Google Analytics, but many others may not be. You may have to defer their use until after you fix the second-page load (see check #1), refine the integration configuration, or find another altogether.

Your engineering team will need to perform code-wide searches and a deep review of the Drupal configuration to identify every third-party used. (You can’t just load the home page and use the network tab, because certain apps may only be embedded on certain pages or under certain use cases.)

Check 5: Make sure you have an easy-to-use deletion request page

An important part of GDPR compliance is providing a page visitors can use to request the removal of their data from your systems. ( It’s called the “right to be forgotten.”) This process for requesting data removal must be as simple and easy as the form they used to provide consent.

In Drupal, you will want to create a new deletion request page using the Webforms module that gathers the basic information you need for your customer service team to process the request. You can use Webform handlers provided by contributed modules to flow the data from the form submission to your customer support system (say, if you are using Zendesk or Salesforce) to ensure no request is missed.

Be sure to put a link to this page somewhere on every page of your site—in the footer, for example. If your Drupal site was built correctly, you should be able to do this directly in the Drupal backend.

Check 6: Review the data flow of any referral systems

If your site experience has any kind of referral system—like a feature to email an article to a friend —be sure to audit the data flow of the email address used to send the article. If your system sends the email to the friend and then doesn’t store the email address, you don’t need to do anything. However, if you store that recipient email address, or if you store it and send it along to another system for marketing purposes (like a drip campaign), you will need to obtain consent from the recipient.

In Drupal, check the configuration of the module that provides this functionality (your site probably uses the Forward module) to see how the recipient email address is handled. If you are storing or using the email address, work with the team that supports your marketing tech stack to build in an affirmative consent step.

Check 7: See if your data is being properly segmented

Whether to future proof your organization or to comply today, it is important to ensure you are collecting the data needed to segment your records for EU and non-EU citizens. You should consider refining the data gathering form flows you have to include a checkbox for citizenship. . (To reduce the friction added by GDPR compliance, you can use a progressive form that adapts to the affirmative answer of that question by adding additional fields for GDPR.)

Depending on how your Drupal site is built, you might be able to do this yourself in Drupal admin with the Webflow module, but you might also need to involve the engineering team. If you are using something like Marketo for your forms, skip Drupal and make modifications there.