Matomo GDPR Roadmap

The General Data Protection Regulation (GDPR), also referred to RGPD in French, Datenschutz-Grundverordnung, DS-GVO in German, will come into force on May the 25th 2018.
GDPR is a long step process which requires a robust working methodology. In order to do so, we decided to follow the one of the Information Commissioner’s Office of the United Kingdom.
On this page we are publishing our progress towards GDPR compliance.

STEP 1 – Lawfulness, fairness and transparency

  1. List all the personal datasets we are holding in our information systems. – DONE
  2. Identify lawful bases before we can process personal data and special categories of data. – DONE
  3. Review how we ask for and record consent. – IN PROGRESS
  4. Consent to process children’s personal data for online services. – NOT APPLICABLE
  5. Register to an information commissioner office. – IN PROGRESS

Step 2 – Individuals’ rights

For more information about what changes are coming in the Matomo platform, please check our issue:

  1. Provide privacy notices to individuals. – IN PROGRESS
  2. Provide children the same fair processing information as we give adults. – DONE
  3. Have a process to recognise and respond to individuals’ requests to access their personal data. – IN PROGRESS
  4. Have a process to ensure that the personal data we hold remains accurate and up to date. – IN PROGRESS
  5. Have a process to securely dispose of personal data that is no longer required or where an individual has asked us to erase it. – IN PROGRESS
  6. Have a process to respond to an individual’s request to restrict the processing of their personal data. – IN PROGRESS
  7. Have a process to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability. – NOT APPLICABLE
  8. Have a process to handle an individual’s objection to the processing of their personal data. – IN PROGRESS
  9. Have identified whether any of our processing operations constitute automated decision making and have procedures in place to deal with the requirements. – DONE (NOT APPLICABLE)


Step 3 – Accountability and governance

  1. Have an appropriate data protection policy. – IN PROGRESS
  2. Monitor our own compliance with data protection policies and regularly reviews the effectiveness of data handling and security controls. – DONE
  3. Provide data protection awareness training for all staff. – DONE
  4. Have a written contract with any data processors we use. – IN PROGRESS
  5. Manage information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively. – DONE
  6. Implement appropriate technical and organisational measures to integrate data protection into our processing activities. – IN PROGRESS
  7. Understand when we must conduct a DPIA and has processes in place to action this. – IN PROGRESS
  8. Have a DPIA framework which links to our existing risk management and project management processes. – IN PROGRESS
  9. Have nominated a data protection lead or Data Protection Officer (DPO). – NOT APPLICABLE
  10. Decision makers and key people in our business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business. – DONE

Step 4 – Data security, international transfers and breaches

  1. Have an information security policy supported by appropriate security measures. – IN PROGRESS
  2. Ensure an adequate level of protection for any personal data processed by others on our behalf that is transferred outside the European Economic Area. – IN PROGRESS
  3. Have effective processes to identify, report, manage and resolve any personal data breaches. – IN PROGRESS

As you can see, we are working on all points regarding GDPR compliance and we plan to complete the work by May 25th.

More information

Our new GDPR User guide has been published and will be updated when Matomo 3.5.0 will be released.

For more information about what changes are coming in the Matomo platform, please check our issue:

Note: part of this document contains public sector information licensed under the Open Government Licence v3.0.