What is GDPR?
The GDPR, or the General Data Protection Regulation, as the name implies, is a data protection law that was passed by the EU Parliament in 2016. It gives EU individuals who use your website control over the protection and privacy of their data. It covers the collection, handling and processing of personal data by your sites. Every business and website needs a careful and thorough analysis of the way it handles private information to be sure it complies with all the regulations stated in the GDPR.
Who needs to comply with GDPR, and when?
It applies both to organisations based in the EU and to organisations based outside the EU that serve an EU audience or track the behaviour of individuals in the EU. The regulation comes into force on 25th May 2018, which means you have to be GDPR ready by 25th May 2018 or your business can be in trouble.
Why is it important for you to consider?
If you serve EU customers in any way and are found non-compliant with these regulations, fines can be up to €20 million or 4% of annual revenue. It is simply not worth the risk for companies of any size.
HOW TO MAKE YOUR MAGENTO STORE GDPR COMPLIANT
Based on the GDPR, we have summarised the actions you can take as a Magento merchant in order to make your ecommerce store GDPR ready.
1. Add cookie consent and opt-out controls for site visitors (the right to restrict processing)
2. Consent checkboxes for customer consent:
To ensure transparency, present unticked (never pre-ticked) checkboxes on the registration and checkout pages that tell customers their personal information will be stored for registration and order processing.
3. Privacy & Dataflow
4. Authentic data collection (the right to be informed):
Collect only the data that is relevant to the functioning of your business; in case of an inspection, your business must be able to justify that the collected data is necessary. It is also crucial to check whether any old data set contains unnecessary, non-obligatory information, which will have to be deleted. This directly affects how Magento handles the quote tables, because they store a user's personal data even if the transaction does not go through. Quotes that are no longer in use should be deleted regularly. Likewise, visitor log tables should be purged by configuring the log deletion frequency.
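The queries below are an added example, not code from the original post or from Magento itself. They assume the stock Magento 2 schema (tables quote, sales_order and customer_visitor) and a 30-day retention period chosen here as an illustration. Magento's own sales_clean_quotes cron (the Quote Lifetime setting, config path checkout/cart/delete_quote_after) should be enabled first; these statements let you verify what it leaves behind and clear it.

```sql
-- Added example (not from the original post): retention check and cleanup
-- for abandoned quotes in a Magento 2 database. Assumes the stock schema and
-- a 30-day retention period chosen for illustration.

-- 1. How much personal data is sitting in quotes that never became orders?
SELECT
    COUNT(*)                        AS stale_quotes,
    SUM(customer_email IS NOT NULL) AS with_email,
    MIN(updated_at)                 AS oldest_quote
FROM quote q
WHERE q.updated_at < NOW() - INTERVAL 30 DAY
  AND NOT EXISTS (SELECT 1 FROM sales_order o WHERE o.quote_id = q.entity_id);

-- 2. Delete them inside a transaction so a mistake can be rolled back.
--    Child rows (quote_item, quote_address, quote_payment) go with the quote
--    through the ON DELETE CASCADE foreign keys of the stock schema.
START TRANSACTION;
DELETE q FROM quote q
WHERE q.updated_at < NOW() - INTERVAL 30 DAY
  AND NOT EXISTS (SELECT 1 FROM sales_order o WHERE o.quote_id = q.entity_id);
COMMIT;

-- 3. Visitor log: customer_visitor records when a session/customer was last seen.
DELETE FROM customer_visitor
WHERE last_visit_at < NOW() - INTERVAL 30 DAY;
```

Run the SELECT first on a replica or backup to see the volume involved; a large DELETE on a busy store should be batched (for example by adding a LIMIT and repeating) so it does not hold locks for long. Extensions that keep their own copies of quote or visitor data need the same treatment.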
5. Customer data can be deleted (the right to erasure):
Customers should have the option to request deletion of their account from the logged-in account area, and that request should delete all associated personal information directly from the database. You have to implement a secure way (email confirmation or similar) for the user to request account deletion, which should remove the data related to their transactions, orders, shipping details, subscription status and so on, so that these details are completely removed from your records.
6. Data portability (the right to access):
The regulation also says customers must have access to the information stored about them, and such a request must be answered within a month. It is worthwhile to have an option in the customer account area to extract all the information stored for the customer in CSV or another machine-readable format. A feature can be implemented that lets the user download all of their account data stored in the database (with security validation in place) within the one-month period. The information can include transactions, orders, addresses, personal account details, subscription data, and any data held by third-party extensions.
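The queries below are an added example, not code from the original post or from Magento, of gathering what the stock Magento 2 schema holds about one customer for an access or portability request. The customer id 42 is a constructed sample value, and the export assumes the requester has already been verified as the account holder.

```sql
-- Added example (not from the original post): collect the data held about one
-- customer for a subject access / portability request. Stock Magento 2 schema
-- assumed; @customer_id is a constructed sample value for the verified account.
SET @customer_id := 42;

-- Account profile
SELECT entity_id, email, firstname, lastname, dob, gender, created_at
FROM customer_entity
WHERE entity_id = @customer_id;

-- Address book
SELECT firstname, lastname, company, street, city, region, postcode,
       country_id, telephone
FROM customer_address_entity
WHERE parent_id = @customer_id;

-- Orders, with the billing/shipping addresses captured on each order
SELECT o.increment_id, o.created_at, o.status, o.grand_total,
       a.address_type, a.street, a.city, a.postcode, a.telephone
FROM sales_order o
LEFT JOIN sales_order_address a ON a.parent_id = o.entity_id
WHERE o.customer_id = @customer_id
ORDER BY o.created_at;

-- Newsletter subscription status
SELECT subscriber_email, subscriber_status, change_status_at
FROM newsletter_subscriber
WHERE customer_id = @customer_id;
```

Each result set maps to one CSV file in the export. Produce the files from the application layer rather than with SELECT ... INTO OUTFILE on the production database, and extend the set of queries with every third-party extension table that stores customer data, since those are the ones most often forgotten.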
7. Ability to remove or anonymise personal data
Your website needs to give customers the ability to delete or anonymise their personal records, orders and quote records in the database by logging into their account. You can, of course, add an additional security layer to verify that the user is the account holder.
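The statements below are an added example, not code from the original post or from Magento, showing the anonymisation route: personal fields are overwritten in place while the order rows themselves are kept, which is what a store usually needs for accounting. Stock Magento 2 schema assumed; customer id 42 is a constructed sample value.

```sql
-- Added example (not from the original post): anonymise one customer in place
-- across the stock Magento 2 tables. @customer_id is a constructed sample value
-- for a verified account holder. Order rows are kept; only personal data changes.
SET @customer_id := 42;
-- email is unique per website in customer_entity, so derive it from the id
SET @anon_email := CONCAT('anon-', @customer_id, '@example.invalid');

START TRANSACTION;

-- Profile
UPDATE customer_entity
SET email = @anon_email, firstname = 'Anonymised', lastname = 'Customer',
    dob = NULL, gender = NULL, taxvat = NULL
WHERE entity_id = @customer_id;

-- Address book (street, city and telephone are NOT NULL in the stock schema)
UPDATE customer_address_entity
SET firstname = 'Anonymised', lastname = 'Customer', company = NULL,
    street = 'removed', city = 'removed', postcode = NULL,
    telephone = 'removed', vat_id = NULL
WHERE parent_id = @customer_id;

-- Orders: keep the financial record, strip the person
UPDATE sales_order
SET customer_email = @anon_email, customer_firstname = 'Anonymised',
    customer_lastname = 'Customer', customer_middlename = NULL,
    customer_dob = NULL, customer_taxvat = NULL, customer_note = NULL
WHERE customer_id = @customer_id;

UPDATE sales_order_address a
JOIN sales_order o ON o.entity_id = a.parent_id
SET a.firstname = 'Anonymised', a.lastname = 'Customer', a.company = NULL,
    a.street = 'removed', a.city = 'removed', a.postcode = NULL,
    a.telephone = NULL, a.email = @anon_email, a.vat_id = NULL
WHERE o.customer_id = @customer_id;

-- Abandoned quotes hold the same fields; they can simply be dropped
DELETE FROM quote WHERE customer_id = @customer_id;

-- Newsletter: unsubscribe (status 3) and replace the address
UPDATE newsletter_subscriber
SET subscriber_email = @anon_email, subscriber_status = 3
WHERE customer_id = @customer_id;

COMMIT;
```

Two caveats a practitioner will hit: Magento keeps denormalised copies of this data in grid tables (customer_grid_flat and sales_order_grid), which must be refreshed or updated in the same job, and writing straight to the database bypasses Magento's events, caches and extension hooks, so in production the same logic is better executed through Magento's customer and order repositories with the SQL kept as the verification step.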
8. Data flow (the right to be informed):
It is important to track the complete data flow: what data is stored, and where, at each point in the flow. This complete flow should be well documented, and your privacy document should be updated to justify when and why data is collected from your sites, either by you or by any third party.
9. Third-party integration:
While you make sure you comply with the regulation, it is equally important to inspect whether third-party extensions and other integrations also make appropriate use of the data and comply strictly with the regulation.
10. Data encryption & database view/action control
To keep personal data secure, encryption of stored data is highly recommended. Controlling the access rights to your data might sound trivial, but it is a very important aspect to consider. Stringent access control rules and rights can protect your data from unauthorised access. If the site is operated by multiple people, individual rights should be set up and restrictions put in place so that nobody can access personal data they are not authorised to see. The admin back-office should be restricted to a limited set of IP addresses and placed on a hard-to-guess, unique server path.
11. Children's personal data
For businesses catering to children, and to give the special data protection required for children under 16, it is advisable to obtain consent from a parent or guardian by implementing a suitably designed consent process.
It is all about clarity and a clear process for how individuals' data should be used and treated by online portals in the service and ecommerce industries.
If you have a Magento or Magento 2 store and want our highly skilled team to assist you in making your website GDPR ready, please contact us via email at email@example.com or send us a direct enquiry using our contact form.