Floris van Geel

Zelfje in IRC

Drupal Entrepeneur
work ~60% for clients
~40% product developent.


Table of Contents

  • What rules we have now.
  • What is, and when do we GDPR.
  • Processing.
  • 12 step program.
  • Opportunities.

What is GDPR

GDPR is a regulation, not a directive It’s taken automatically into use in all member states, without local legislation.

However, it needs local legislation to be whole and compatible and allows a lot of locally adjusted details.

What we have now

    We’ve had a directive since 1995 (Directive 95/46/EC
    → Outdated
    → Needs to be reformed
    Dutch Privacy Legislation (comparable to German Legislation)


EU Citizens are worried how corporations use the collected personal data.


EU citizens are worried of mobile apps collecting data without their consent.



Currently in a two-year transition period.
Details are scheduled to be released by the end of 2017.
Some local legislation may appear as late as May 2018

You have 366 days !

€ 20.000.000
or 8% of global turover [*]

Does it apply to me?


most probably...

"Personal data"
Any information relating to an
identified or identifiable natural person.
(aka: "data subject")

For any citizen of the EU regardless where it is stored.

Sensitive Personal Data

  • Personal data, revealing:
    • racial or ethnic origin
    • political opinions
    • religious or philosophical beliefs
    • trade-union membership.
  • Data concerning health or sex.
  • Genetic data or biometric data.


What changed?

  • Responsibilities for the data processors.
  • Fines directly to the processors of data.
  • Technically and legal tricky matter.
  • Fines can reach up to 20M euro or 8% of year revenue.

Processing personal data basics:

  • Consent from data subject.
  • Contractual necessity.
  • Compliance with legal obligation.
  • Vital interests.
  • Legitimate interests.

Processing awareness

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject

Purpose limitation

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

Twelve step program


What data?
Who is in charge?

Information you hold

You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

Become Accountable

Communicating privacy information.
Review your current privacy notices.
Put a plan in place for making any necessary changes in time for GDPR implementation.

Individuals’ rights

You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

Subject access requests

You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

Legal basis for processing personal data

You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.


You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.


You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.

Data breaches

You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. Within 72 hours of detecting.

Data Protection by Design and Data Protection Impact Assessments (DPIA)

You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation.

Data Protection Officer(s)

You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.


If your organisation operates internationally, you should determine which data protection supervisory authority you come under.


Next year many companies have stress.

Drupal must be ready,

so we make better business.

Opt out, archive

Right to be forgotten

Safeguard and protect User profiles.
Keep uid and put the data a secure vault.

User informed consent

We need to have consent groups on user profile fields.
And explain the privacy implications.
Site must work if user revokes or disallows.

GDPR Drupal distribution

Together we can make the missing modules,
Together we can do the marketing.
Together we can share the legal documents.