The initial purpose of the GDPR Checklist is to be as helpful and guiding as possible. Therefore I propose to add many more options as well.
- Let's get started!
(An opening section including introductory points.)
- Responsibility Agreement: before the site owner starts the checklist process, they should acknowledge that installing and using this module pack does not mean sharing responsibility. Neither the Drupal Community nor module maintainers can guarantee full compliance with these regulations in case of potential control or audit. – Committed.
- Quick Resources: a manually curated list of a few (max. 3-4) articles briefly summarizing what GDPR pertains to. Possibly include a link to the relevant Wikipedia article? – Committed.
- Content analysis
(Automated search performed on uploaded content of the site.)
- A somewhat automated search looking for a limited set of keywords in search of published Privacy Policy, Terms of Use, About us, Impressum, etc. pages – see #2941325: Automated content discovery
- Warn if they are found, but unpublished – Committed.
- Warn if they're published, but not added to any menu – Committed.
- Module analysis
Automated search performed on installed modules of the site. I see two options: A) manually curated list of machine names to look for (e.g. Address, Smart IP, etc.); B) searching through D.org module categories (e.g. Location, Statistics, User management, etc.).
- Extended tracking/data gathering modules: pay special attention to popular traffic tracking modules being used on the site; for instance: Google Analytics, Google Tag Manager, Piwik, Hotjar, etc.
- 3rd-party integration modules: just like the above group, it can also be done easily by its dedicated category.
- "What else can I do?"
(Optional points that should not count into the 100% of the scale, because not all site owners need them.)
- Consult with legal counsel: some site owners above a certain organizational size generally have in-house or private practice legal counsel. This optional checkpoint could suggest looking for an affordable lawyer to consult with on GDPR compliance.
- It's recommended to enable and configure all sub-modules of the GDPR module family (kinda "self-promotion" :)
- Reference to the original text of GDPR law: the European Parliament officially published the raw text of the law in its EUR-Lex portal. Legal consulting can be quite beneficial if site owners do not need to search for it on the internet, but having this link is handy.
Just as a memo: currently, at the time this issue is created, the Checklist consists of only three key points to review:

| Comment | File | Size | Author |
|---|---|---|---|
| | gdpr-checklist-three-boxes.png | 256.77 KB | baluertl |
Comments
Comment #2
baluertl
Comment #3
baluertl
Comment #4
baluertl
Comment #5
baluertl
Comment #6
pedrop commented
How about creating a section in the status report? Points 2 and 3 would go there along with a percentage of the completed steps (checkboxes) of the checklist.
Comment #7
baluertl
Moving this issue into the dedicated component.
Comment #8
baluertl
Thanks @Pedro, I moved your idea into a separate issue: #2938657: Add an extra line to Drupal's status report page
Comment #9
baluertl
Assigning to Riley for proofreading the texts of the Checkpoint suggestions.
Comment #10
Rjcunni77 commented
Comment #11
Rjcunni77 commented
Comment #12
baluertl
Comment #14
baluertl
Comment #17
lbesenyei commented
Comment #18
baluertl
For less confusing naming, I am removing the "(D8)" prefix from the issue title, as these improvements were added to both branches:
Comment #19
baluertl
Also, the remaining five checkpoints are still waiting for proofreading with @Riley.
Comment #20
baluertl
Comment #21
baluertl
Comment #22
pedrop commented
Article 33 of the GDPR regulation is about Notification of a personal data breach to the supervisory authority.
Let's add a point to the checklist:
I declare that I am able to notify the supervisory authority within 72 hours in the case of a personal data breach.
Later a submodule could be developed to create a contact form for this purpose: https://www.drupal.org/project/gdpr/issues/2942371
Comment #23
pedrop commented
Article 30 of the GDPR regulation is about Records of processing activities.
Let's add a point to the checklist:
I declare that my organisation has fewer than 250 employees, so I don't have to create records of processing activities or my organisation has 250 or more employees and I have prepared the records of processing activities according to Article 30 of the regulation.
Comment #24
baluertl
Comment #25
pedrop commented
The right of access (Article 15)
A possible text label for an additional checkbox:
I confirm that individual users on my site have the right to obtain confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and information about why and how they are processed, whether they are disclosed and how long they are stored.
Comment #28
baluertl
DMA has published a quite detailed list of action points in the form of a checklist, which may be worth reviewing to implement some additional useful points from it too: https://dma.org.uk/uploads/misc/58f881147dcd0-gdpr-checklist-copy_58f881...