Simplenews and the EU General Data Protection Regulation (GDPR)
We have been building a new module to integrate GDPR requirements with Drupal’s Simplenews module in a bid to make Simplenews subscriptions compliant. In this post I’ll outline some of the achievements so far - and also some of the remaining challenges ahead...
Even though the European Union’s General Data Protection Regulation (GDPR – more info at https://ec.europa.eu/info/law/law-topic/data-protection_en) was approved on 27 April 2016 [1], it seems few people in the Drupal community (including us) took much notice until April 2018, with the regulation coming into force on 25 May 2018. Unsurprisingly, we have been a bit busy ever since.
Some of the key changes brought in by the regulation are:
- Consent for the processing of data must be explicitly given, and the purpose for which the data is being used must be clearly stated.
- You must be able to prove that consent has been given, and what a person consented to.
- Each person has a right to access the data held about them, meaning you will need to be able to provide them with a copy of the data you hold.
- The regulation also establishes the “right to be forgotten”, so you must be able to also delete any data you hold about someone.
There are additional requirements in the case of data breaches and also about privacy by design.
This regulation has some impact on almost every website, for example user accounts (login names and email addresses constitute personal data), or – the topic of this blog post – newsletter subscriber data.
For Drupal, development of a module facilitating GDPR compliance began in January 2017 (https://www.drupal.org/project/gdpr). The GDPR module – in its Drupal 8 version – includes several components helping a web developer to comply with the GDPR:
- A GDPR checklist module, which assists web developers to comply with the GDPR (but doesn’t actually do it for you).
- A GDPR Consent module, which helps you track consent based on user accounts and consent agreements.
- Drush commands which help to anonymise data when exporting the database.
Other submodules are still planned – such as GDPR Tasks.
While this module provides some tools and infrastructure for GDPR compliance, it is really focused on Drupal user accounts.
As we use Simplenews on several websites we developed, we started thinking about this when an issue about GDPR compliance of Simplenews was opened on drupal.org (a similar issue has been opened for Mailchimp, which is also often used, but as Mailchimp does not save subscriber data in Drupal, this needs to be handled differently).
When we started to look into how to address the requirements of GDPR for Simplenews subscribers, we thought that using the GDPR module might be a good way to go, enabling us to make use of the existing functions provided by this module. The functionality we were interested in was:
- The management of consent agreements.
- The ConsentResolver infrastructure (which in GDPR Consent is limited to Drupal users)
As a first step we implemented a ConsentUserResolver for the simplenews_subscriber entity. That was reasonably simple, but has an important limitation: you can only use it if all your Simplenews subscribers are also Drupal users, which in most cases is simply not true.
That meant more work. The good news is that Simplenews subscribers are Drupal entities, as are users. So we adapted the code of the ConsentUserResolver (a plugin manager, plugin, field, widget, etc) to create a ConsentSubscriberResolver which allows the tracking of the agreements (and any revision of an agreement) a subscriber has consented to.
Some problems had to be solved along the way. For example, when someone fills in the subscription form, the subscriber entity does not yet exist. That’s created later, and updated when a subscriber confirms their subscription. In the present implementation, we update the subscriber entity and relate it to the consent agreement when a subscription is confirmed. This also means we won’t have consent agreements for subscriptions that have never been confirmed (bot subscriptions) – which is probably a good thing.
The work is presently available as a Sandbox project at https://www.drupal.org/sandbox/andreasspeck/2973749. The aim is to get it into the main Simplenews module as a submodule, but a bit more work is required to achieve this, such as adding unit tests.
1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN↩