What is GDPR?
GDPR stands for General Data Protection Regulation, and refers to the European Union regulation for data protection for all individuals within the European Union.
The regulation (Regulation (EU) 2016/679) becomes enforceable on 25 May 2018 and replaces the data protection directive (officially Directive 95/46/EC) from 1995.
Who needs to be GDPR compliant?
Any individual or organisation that stores or processes personal information on an identifiable person from an EU member state (regardless of whether the processing or storage of information occurs in the EU or not) is affected by GDPR. GDPR rules also apply if the individual or organisation is itself located in an EU member state.
How is Moodle HQ assisting with GDPR compliance?
Earlier this year we reached out to the community through our forums and social media to gauge the needs of different organisations on how they would need to comply with GDPR. We received direct input from a number of Moodle institutions, our Moodle Partner network and developers.
We developed a set of features (available in Moodle 3.5 and, through plugins and some minimal changes to core, for Moodle 3.3 and 3.4) which will assist Moodle sites in meeting GDPR compliance needs. The features cover the following areas:
- Onboarding of new users, including an age and location check to identify minors, versioning of privacy policies, and the tracking of user consents;
- Handling of subject access requests and erasure requests, and maintaining a data registry.
What can I do now to make my Moodle ready for GDPR?
Moodle 3.5 includes the GDPR feature set and was released on 17 May 2018. The same features are also available as separately downloadable plugins for Moodle 3.4.3 and 3.3.6. There are two plugins that together comprise the GDPR features:
- The Policies plugin provides a new user sign-on process, with the ability to define multiple policies (site, privacy, third party), track user consents, and manage updates and versioning of the policies;
- The Data privacy plugin provides the workflow for users to submit subject access and erasure requests and for site administrators and privacy officers to process these requests. It also includes the data registry to define a purpose and retention period for the data stored in your Moodle site.
Hence we recommend you upgrade to Moodle 3.5, 3.4.3 or 3.3.6 to access these features.
If you are on an older Moodle site, we recommend that you read the section on site policy in the GDPR for Moodle administrators guide.
Is installing the Moodle plugins enough for GDPR compliance?
Installing the developed plugins alone will not be enough to meet the GDPR requirements. Correct configuration and implementation of the required processes and procedures are also required.
We at Moodle HQ highly recommend that you also engage your IT and legal departments on what is required for GDPR compliance.
GDPR version support
The GDPR features will receive the same level of support as Moodle's support for security issues, including backporting fixes to security supported releases (for GDPR this is currently Moodle 3.5, 3.4 and 3.3). Refer to the releases page.
- General Data Protection Regulation (GDPR) and badges forum discussion
- Re: Is there a way to completely delete users including all their data?
Any further questions?
Please post in the Security and privacy forum on moodle.org.