Moodle’s GDPR approach and plan

Moodle GDPR

Here we outline Moodle’s approach and plan for the implementation of support for the EU General Data Protection Regulation (GDPR).

Our work to date

Earlier this year we reached out to the community through our forums and social media to gauge the needs of different organisations on how they would need to comply with GDPR. We received direct input from a number of Moodle institutions, our Moodle Partner network and developers.

During the summer (northern hemisphere) we put together an initial plan on what developments are needed to enable organisations using Moodle to comply with GDPR and then sought more feedback. In the last few months we have processed this feedback.

We have also engaged a specialist lawyer from Europe on a consultancy basis who has a strong background in data protection and data privacy to examine the specifications and make recommendations on where they can be improved to better enable organisations to be GDPR compliant.

We now have a plan to meet those needs and are scheduling the development within our Open Source team under the lead of Sander Bangma, our new Open Source coordinator.

The Plan
We have a set of features now in development which will meet those compliance needs covering the following areas: onboarding of new users, privacy statements, the tracking of consent and handling of subject access requests.

The features will initially be implemented as plugins, with the following functionality:

1. The onboarding process of new users, including:

  • Displaying all required privacy statements
  • Listing and requesting consent for all 3rd-parties who may receive user data
  • Establishing a process for consenting minors
  • Capturing and recording each specific consent given by a user

2. Processes to comply with subject access requests (SARs), for a particular user, including:

  • A request to retrieve all user data on Moodle
  • A request to erase all identifiable user data on Moodle
  • A request to modify user data

We will be releasing these plugins, scheduled for March 2018, which will enable those using Moodle 3.3 and 3.4 to become compliant with the new regulations by installing and configuring the plugins in addition to implementing the required organisational procedures and processes.

These features will then become part of Moodle 3.5 release which is a Long Term Supported (LTS) version of Moodle.

Status Update
In March 2018 Moodle released the first iteration of its GDPR feature set in the form of the two plugins.

These continue to be updated as we work towards the Moodle 3.5 release on May 14th.

The final GDPR feature set will be available as downloadable plugins for Moodle 3.3 and 3.4 and will also form part of the Moodle 3.5 release itself.

What to do now?
If you are not on Moodle 3.3 or above we recommend you upgrade. This will enable you to install the plugins.

Installing the plugins alone is not going to be enough to meet the GDPR requirements. Correct configuration and implementation of the required processes and procedures is also required and you should engage with your IT and legal department on what is required.

If you need help with your upgrades from our Moodle Partner teams or for installing and configuring the plugins please get in contact at

Leave a Reply

Your email address will not be published. Required fields are marked *

})(jQuery); //]]>