Magento 2 GDPR Compliance Guide
GDPR stands for General Data Protection Regulation. It is the EU's new data protection legislation, developed over four years of hard work. Until now, for instance, data usage in the UK was governed by the 1995 EU Data Protection Directive. Is it normal for something on the Internet in 2018 to be controlled by rules created more than 20 years ago? How many things are entirely different now? The Internet has become an entirely new dimension since then, yet the legislation of 1995 is still in use. Luckily, it will be replaced by the new data protection legislation. Is GDPR good or bad for your business? Let's try to figure it out.
GDPR is good because it introduces stricter fines for non-compliance and breaches. It may require a new control system that discovers non-compliance and breaches more efficiently, but the push towards tougher rules will make the market better from the perspective of end users, who will receive new guarantees concerning the security of their personal data. How many people want a more secure Internet? Plenty of EU citizens dream about this, and soon their dreams will come true.
GDPR gives people more say over what companies can do with their data. That is a massive jump into a new, more user-oriented and personalized experience for each individual. Besides, the new legislation makes data protection rules more or less identical throughout the EU, requiring the same standard to be adopted across the Union. So if your Magento website is accessible in several EU countries, you no longer have to follow the separate data protection requirements of each of them, since the legislation is being standardized.
What are the consequences of the reformation?
As we've just mentioned, the new legislation was developed with end users in mind. The EU gives people more rights regarding their personal information. As a Magento store visitor, you get all the necessary instruments for controlling how your personal data is used. Moreover, think of Google and Facebook: does everyone like how these giants interact with data? This situation will change soon!
That is largely because the current legislation was created long before the appearance of cloud services and all the powerful algorithms that exploit data. Do you still remember the articles dedicated to Trump's presidential campaign and its use of Facebook? Some specialists claim that the new US president won the election thanks to the latest data processing technologies, which analyze the personal data of Facebook users. In other words, microtargeting played a crucial role in his campaign.
Thus, microtargeting has become a powerful instrument that can be used in politics. And you may have seen right-wing movements rapidly gaining popularity in many EU countries. Can we consider GDPR a new instrument of political and social stability for the EU?
Unfortunately, we are not experts in this area, so let's return to the e-commerce aspect of the topic. By strengthening data protection legislation, the EU wants to improve trust in the emerging digital economy, but it also gives businesses a new, clearer environment to operate in. Since all the countries get the same data protection law, this will save companies a lot of money. According to some estimates – approximately €2.3 billion a year collectively.
What is the GDPR deadline?
Unfortunately, you don't have much time to make your business ready for the new data protection legislation. It comes into force on 25 May 2018. Despite the GDPR deadline, there are still many companies which haven't started modernizing their websites. The majority of security professionals know about GDPR, but more than half of them are not preparing for its arrival. If you are in that majority, please keep reading: below, we shed light on implementing GDPR for Magento 2 and 1.
Do I need to abide by the GDPR?
There are two types of businesses which need to abide by the GDPR: data controllers, which must state how and why the data is processed, and data processors, which must run the actual data processing according to the new standards. Any organization could be a data controller. The range is extensive, from a profit-seeking business to a charity organization. A data processor is any IT firm doing the actual data processing. As a Magento merchant or an e-commerce store owner, you need to abide by the GDPR.
There is also one VERY IMPORTANT thing we must mention here. Even if your company is a controller and no data processing takes place in your office, you have the responsibility to ensure your processor abides by GDPR.
What about foreign businesses?
If the company is situated outside the EU but operates with the data of EU residents, it is still necessary to comply with the new data processing standards. So, non-EU merchants, welcome to the game and get your online store prepared for the new data processing epoch!
What is consent and how to get it?
Pre-ticked boxes or opt-outs are no longer valid. Now, you must make your website visitors better informed. Consent is an active, affirmative action by the visitor (the data subject). Therefore, passive acceptance is considered a GDPR violation.
As a controller, you must keep a record of how and when an individual gave consent. Furthermore, any individual may withdraw their consent at any time. Seems like a nightmare, especially for e-commerce stores with thousands of daily visitors, doesn't it?
Also, note that the term 'personal data' has a new definition under the GDPR. Even IP addresses are considered personal data. Besides, personally identifiable information includes economic, cultural, or mental health information.
Even pseudonymized personal data is subject to the new legislation. And it is not a joke. Here at Firebear, we were also surprised, but we understand the importance of the new definition, since it makes individual digital space safer, allowing people to feel more comfortable both online and offline.
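The record-keeping the two paragraphs above require (how and when consent was given, withdrawal at any time, no pre-ticked defaults) can be modelled as an append-only consent ledger. The following is an added Python illustration of that logic, not code from Magento or from any extension on this page; the class and field names are our own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One append-only ledger entry: who, for which purpose, when, how, and which notice text."""
    subject_id: str
    purpose: str          # e.g. "marketing_email" or "analytics_cookies"
    granted: bool         # True = consent given, False = consent withdrawn
    at: datetime          # UTC time of the data subject's action
    method: str           # how it was captured, e.g. "checkout_checkbox" (assumed label)
    notice_version: str   # version of the privacy notice the subject actually saw


class ConsentLedger:
    """Lets the controller prove how and when each consent was given or withdrawn."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, method: str, notice_version: str,
               granted: bool = True, at: Optional[datetime] = None,
               default_checked: bool = False) -> ConsentEvent:
        # A pre-ticked box or silence is not an affirmative act, so it is never logged as consent.
        if granted and default_checked:
            raise ValueError("pre-ticked or opt-out defaults are not valid GDPR consent")
        event = ConsentEvent(subject_id, purpose, granted,
                             at or datetime.now(timezone.utc), method, notice_version)
        self._events.append(event)   # history is never rewritten; a withdrawal is a new entry
        return event

    def _latest(self, subject_id: str, purpose: str, at: Optional[datetime]) -> Optional[ConsentEvent]:
        when = at or datetime.now(timezone.utc)
        hits = [e for e in self._events
                if e.subject_id == subject_id and e.purpose == purpose and e.at <= when]
        return max(hits, key=lambda e: e.at) if hits else None

    def has_consent(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """True only if the most recent event on or before `at` is a grant; no record means no consent."""
        last = self._latest(subject_id, purpose, at)
        return bool(last and last.granted)

    def history(self, subject_id: str) -> list[ConsentEvent]:
        """Everything held on one subject, ready for answering an access request."""
        return [e for e in self._events if e.subject_id == subject_id]
```

Because `has_consent` takes a point in time, the same ledger answers both "may I send this e-mail now?" and "was this send on that date lawful?" after a withdrawal.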
What about data storing?
If your website stores personal data, you must be ready to respond within a month to customers who ask for access to their data. It is also necessary to be transparent about several new aspects of your business.
- Firstly, you must inform visitors about how you collect the data.
- Secondly, it is necessary to provide a description of what you do with it.
- Thirdly, tell visitors how you process information about them.
Don't forget to use plain language and avoid overly complicated terms while describing the aspects mentioned above. Your clients should understand what you are talking about. If they don't, it is your problem according to GDPR.
What new rights do people get?
Below, you can see a list of new rights individuals get after GDPR comes into force.
- Access to any information a company holds on individuals;
- Right to know why that data is stored and processed;
- Right to know how long it’s stored;
- Right to know who has access to it;
- Right to get direct access to review the stored data;
- Right to ask for data correction if it is incorrect or incomplete;
- Right to be forgotten: an individual can ask you to delete the data if it’s no longer necessary to the purpose for which it was initially collected.
Under the last right, you, as a controller, are responsible for telling other organizations to delete any links to copies of that data. The copies must be deleted as well.
What else should controllers do?
Two important aspects should be mentioned in our article. First of all, the data must be stored in common formats. For instance, you can entirely rely on CSV. Why is it necessary to do so? Because of the second aspect.
If an individual asks you to move data to another organization, you should do that. You have only one month to provide the specified organization with the data in a commonly used format!
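To make the two aspects above concrete, here is an added Python example (ours, not Magento's or any extension's code) that computes the one-month response deadline and exports a customer record, including nested addresses and consents, as a flat CSV that another organization can import. The customer record is a constructed sample and the function names are assumptions.

```python
import csv
import io
from calendar import monthrange
from datetime import date


def response_deadline(received: date) -> date:
    """One month after receipt; if the target month is shorter, clamp to its last day."""
    year, month = received.year, received.month + 1
    if month > 12:
        year, month = year + 1, 1
    last_day = monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


def flatten(record: dict, prefix: str = "") -> dict:
    """Turn nested customer data into one flat row of scalar columns (address.city, consents[0].purpose, ...)."""
    flat = {}
    for key, value in record.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, f"{name}."))
        elif isinstance(value, list):
            for i, item in enumerate(value):
                if isinstance(item, dict):
                    flat.update(flatten(item, f"{name}[{i}]."))
                else:
                    flat[f"{name}[{i}]"] = item
        else:
            flat[name] = value
    return flat


def export_portable_csv(record: dict) -> str:
    """CSV is a commonly used, machine-readable format the receiving organisation can import."""
    row = flatten(record)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(row), lineterminator="\n")
    writer.writeheader()
    writer.writerow(row)
    return buf.getvalue()


# Constructed sample record for one customer (not real data).
SAMPLE_CUSTOMER = {
    "customer_id": 42,
    "email": "jane@example.com",
    "consents": [{"purpose": "marketing_email", "granted": True}],
    "address": {"city": "Berlin", "country": "DE"},
}
```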
Magento GDPR Compliance Extensions
Now that you know some core aspects of GDPR and understand the influence of the new personal data protection legislation on your business, we'd like to draw your attention to several Magento GDPR extensions designed for implementing the new standards. Note that neither of the following modules provides full integration on its own.
Magento GDPR Support by ZERO-1
If you still use Magento 1, then this is a must-have module for implementing GDPR on your website. The extension is totally free, and it is designed to provide such services as Cookie Compliance and Customer Data Anonymisation.
Besides, it adds multiple vital features to make Magento GDPR-compliant. Unfortunately, the Magento platform doesn't support the removal of customer data on request, but you get this capability with the Magento GDPR extension by Zero-1.
You will also be able to delete customer cart data (quotes) and customer order data for failed orders – the new laws require both procedures. And you can quickly prevent ALL non-essential cookies from operating UNTIL express consent has been granted.
Below, you can see an image of a customer account with new features. Under the Delete Account tab, a customer can view, edit, or delete his/her information following GDPR:
For any further information, follow this link:
Download Magento GDPR Support Extension by ZERO-1
AdFabConnect Magento 2 GDPR Compliance
If you already use Magento 2 to run your e-commerce business, then it is necessary to install the Magento 2 GDPR compliance module by AdFabConnect. The extension adds the essential tools and features for a successful GDPR implementation on Magento 2.
It adds a large new backend section under Configuration -> Customers -> Customer Configuration -> Privacy (GDPR). Here, you can enable or disable all the provided features, making your Magento 2 store GDPR-compliant. It is also necessary to mention that the Magento 2 GDPR extension does not affect third-party modules, which may store personal data of their own. Thus, the integration becomes more complex, since you will have to ask those module providers for custom improvements.
Magento 2 GDPR Compliance by AdFabConnect is totally free, and you can get it here:
Download Magento 2 GDPR Compliance Extension by AdFabConnect
Final Words
Let’s summarise everything we’ve just said in the following steps:
- Inform everyone in your organization that the law is changing to the GDPR. People should understand the impact of the new law.
- Get ready to organize an information audit: everything should be documented and appropriately stored.
- Review your privacy notices and adapt the Magento store to the new requirements.
- Be aware of the new rights individuals now have (we've just described them above).
- Create a mechanism for providing data on a request within the new timescales.
- Identify the lawful basis for processing activity and explain it via the updated privacy notice.
- Don’t forget about the new way of getting consent (and the new meaning of consent).
- Verify individuals' ages and obtain parental or guardian consent for data processing where required.
- Provide procedures for detecting, reporting, and investigating personal data breaches.
- Remember all your responsibilities related to third parties: data processing services and extensions you use in your e-commerce business.
GDPR Compliance Useful Links
For any further information about GDPR, check the following links: