Moodle’s GDPR approach and plan

December 21, 2017 By

Here we outline Moodle’s approach and plan for the implementation of support for the EU General Data Protection Regulation (GDPR).

Our work to date

Earlier this year we reached out to the community through our forums and social media to gauge the needs of different organisations on how they would need to comply with GDPR. We received direct input from a number of Moodle institutions, our Moodle Partner network and developers.

During the summer (northern hemisphere) we put together an initial plan on what developments are needed to enable organisations using Moodle to comply with GDPR and then sought more feedback. In the last few months we have processed this feedback.

We have also engaged a specialist lawyer from Europe on a consultancy basis who has a strong background in data protection and data privacy to examine the specifications and make recommendations on where they can be improved to better enable organisations to be GDPR compliant.

We now have a plan to meet those needs and are scheduling the development within our Open Source team under the lead of Sander Bangma, our new Open Source coordinator.

The Plan
We have a set of features now in development which will meet those compliance needs covering the following areas: onboarding of new users, privacy statements, the tracking of consent and handling of subject access requests.

The features will initially be implemented as plugins, with the following functionality:

1. The onboarding process of new users, including:

  • Displaying all required privacy statements
  • Listing and requesting consent for all 3rd-parties who may receive user data
  • Establishing a process for consenting minors
  • Capturing and recording each specific consent given by a user

2. Processes to comply with subject access requests (SARs), for a particular user, including:

  • A request to retrieve all user data on Moodle
  • A request to erase all identifiable user data on Moodle
  • A request to modify user data

We will be releasing these plugins, scheduled for March 2018, which will enable those using Moodle 3.3 and 3.4 to become compliant with the new regulations by installing and configuring the plugins in addition to implementing the required organisational procedures and processes.

These features will then become part of Moodle 3.5 release which is a Long Term Supported (LTS) version of Moodle.

Status Update

March 2018

In March we released the first iteration of the GDPR feature set in the form of the two plugins.

These continued to be updated as we worked towards the Moodle 3.5 release.

May 2018

On May 17th we released Moodle 3.5.  This major release incorporates the full GDPR feature set in the standard distribution.

The same GDPR features are also available as downloadable plugins for Moodle 3.3 and 3.4.

What to do now?

Upgrade to Moodle 3.5!  If you are still on Moodle 3.3 or 3.4 and not ready yet for Moodle 3.5 we recommend you upgrade to the latest minor release and install the GDPR plugins.

Upgrading to Moodle 3.5 or installing the plugins alone is not going to be enough to meet the GDPR requirements. Correct configuration and implementation of the required processes and procedures is also required and you should engage with your IT and legal department on what is required.

If you need help with your upgrades from our Moodle Partner teams or for installing and configuring the plugins please get in contact at