This complete guideline is for ecommerce and Magento 2 stores with step-by-step instructions on general GDPR understanding, preparation, handy extensions and comprehensive compliance guide of GDPR.
Table of Contents
GDPR is the abbreviation of General Data Protection Regulation, which is a legal framework about privacy protection activated throughout the Europe Union since May 25, 2018.
The growing concern about privacy issues of customers urges eCommerce stores to come up with a solution that can make them relief while using online services. The fact that GDPR is the strong guarantee of protecting private data certified by international law will definitely help stores tackle those problems. Moreover, this law legislation is recent, which means that every single term of it is updated to be suitable for the current situation of the online business. Be provided with the knowledge about the new GDPR laws will help you understand what it is, what it relates to, and how to apply it to have the optimum results. To ensure that every action of your business complies to GDPR strictly, and to guarantee that the relationship among the personal data, the data controllers, and the data processors remain credible and transparent, understanding GDPR is essential.
Let me explain the necessity of understanding GDPR in details.
As we know, all of the information related to an individual identity including name, address, email, phone number, photo, etc. are considered to be private. Of course, personal data entirely belongs to the data owners but it doesn’t mean that they are the only ones who know about that private information. In the real world, individuals have to provide their information to some other people for many purposes such as buying things, registering for a service, attending school, and so on. That’s why we have data controllers - those who collect data, and data processors who deal with those data. The question is how you ensure that the personal data will never be misused or stolen by the people who are not the data owners? The answer can be found in GDPR, which is released in order to ensure that information to be protected by law. Knowing about GDPR will help you understand the rights and duties of different subjects when handling private information. Except for the data owner, every other person will only have limited interference with the data. Only by learning about GDPR can you be clear about what you should do with that information and to what extent.
It is the fact that GDPR regulates the privacy protection policy within the EU. However, you must be clear that even if you are a European or not, your store is located in Europe or not, you still have to comply with GDPR if you have customers there. Moreover, since it might be complicated if you set different regulations for customers who live in different nations, GDPR should be used as the privacy standard in your store. Your store can cut down a lot of workloads when setting privacy rules at the backend. Of course, it sounds reasonable that customers deserve to be treated fairly wherever they come from.
You should be aware of the more severe penalties coming along with GDPR violation. Unlike the Data Protection Directive which was applied more than 2 decades ago, GDPR is now more up-to-date and have stricter regulations. If the violation is unintentional, a warning will be announced. If there are any serious noncompliance evidence, the company or organization will be fined at a significant amount. The financial punishment can reach €20 million or up to 4% of the annual worldwide turnover, whichever is higher. Therefore, it is necessary to have a deep insight into GDPR to prevent these situations to happen.
Many stores or websites used to provide pre-ticked boxes or opt-out to ask for consent when collecting data. The ready-made agreement methods are considered to be no longer sufficient to protect customers’ rights, according to the new GDPR laws. Shoppers seem to be forced to say yes, and that seriously violates GDPR. You must replace those asking methods with a digital agreement, for instance, to ensure the data owners is thoroughly notified and actively permit you to collect their data.
Integrating GDPR into your store policy is a guarantee about privacy protection that you give to your customers. It is about the fact that you offer customers full rights to control their own data to the highest extent. To be specific, once individuals provide information, they must be allowed to access to those data every time they want. They have rights to keep track of everything that happens to their personal information. Moreover, since they can provide the data, they definitely could delete them permanently. Once it is wiped out in the data controllers’ system, it also has to be removed from the relating system of the processors. Sometimes, individuals want to hide their identities due to some concerns in privacy, then they could be allowed to go anonymous as they wish. Knowing about GDPR will help you satisfy your users by giving them the rights that they deserve to have.
In short, there are 5 main reasons why you should take GDPR into consideration.
You might be wondering how to start making your store follow these range of complicated principles. Why don’t we simplify the compliance process into steps that can help you understand what to do more easily?
Every day, your storage system receives a considerable amount of data from your employees, suppliers, and customers. It is your responsibility to prevent those data from being a mess that is accumulated day by day. Managing them in an organized faction will have many benefits not only in the daily operation but also in the unforeseen circumstances.
There are two clear reasons why you should organize your data properly. Initially, only with a neat and well-managed system can you provide the information you have to people as quickly as possible when you’re required to do so. Imagine your stored data is the books on the bookshelf. If you have already categorized those books in indexed names, or by authors, it is super easy for you to find them when in need. However, if they are messy and disorganized, it takes time and efforts to so. That situation is not so different from the electronic storage system. The second reason is that in case you are under a GDPR investigation, you will be able to show what information you have on everyone easily and quickly. A well-arranged storing place not only indicates your professional attitude about how you treat your customers, employees, and suppliers’ valuable data but also expresses your explicit data control process.
In short, remember to store the information in a well-organized way!
Tip: Don’t keep the unnecessary data
! Important: Keep in mind the reasons why you got your partners or customers’ private data including name, email address or phone number. Regulated in Art. 17, Chapter 3 of GDPR, if the data is no longer used for the reasonable purposes, there is no excuse for you to store them any longer. If you keep stubbornly storing that information, you can be under suspicion of having bad intentions towards data exploitation. So be aware!
Along with the development of technology, there are high risks of data being leaked, hacked or misused. The store must keep the data out of those security threats by providing numerous safety measures for digital data and hard-copied ones.
If you store the data digitally, it could be insufficient if you keep everything in your internal system. Nowadays, thanks to the help of the cloud computing, uploading information on the cloud can prevent the risk of losing your entire data. Cloud storage is enormous, so you don’t have to worry about the lack of storage capability. Besides, having a useful antivirus software equipped to the system is a must for any online store. This will keep your data safely secured to some extent. All of the methods above are for prevention; how about what you would react when the bad situation took place? For instance, if the data storage device is lost, you should prepare, in advance, that you will be able to eliminate the data remotely so nobody can access it. Whatever measures you employ, you must do everything you could to save all the information you have at the highest security level.
In case you have hard copies of the data, the medium to keep it safe might be different. The place you store your documents or physical equipment should be locked carefully to ensure it is uneasy to access the data. Also, it’s necessary to deliver a good risk management plan, in case unpredictable disasters like fire, flood or earthquake suddenly occur, which can severely damage the data. Of course, while processing the data, there is a handful of people who are allowed to access that information. Even if they are trustworthy, you still have to think about how you can manage those access thoroughly and transparently. Last but not least, don’t forget to record the safety measures you have put in place to make sure every team members knows what’s happening.
Your policy must clarify what private information will be collected and how they would be used. With that provided clear policy, when people give their information to you, they could be notified thoroughly about the fair process. Since the users trust you and hand over their personal data to you, it is your responsibility to let them know about what happens with those data credibly and explicitly in return.
In specific, the factors that should be included in your regulation are:
The new GDPR law stresses that you are required to provide the people the entire data you have on them. Every information you’ve got is not allowed to be hidden by any means and any purposes. This is understandable since individuals have their full rights to control their own data. They can give it to anyone and take it from them as they wish.
! Important: There is a time limit for the information providing a process according to term 3, Art 12 of GDPR. Remember that if a person acquires you to give him/her all of the information you have on them, you must do so within a month and totally free of charge.
The right to erasure has been regulated clearly in Art. 17 GDPR that allows individual to completely and permanently wipe out all private data related to them in the storage system. Following this regulation can ensure that you enable your customers and partners to fully control their data, which means that you treat them with respect. To comply with this principle effectively, the store has to manipulate a clear process for this.
Initially, to delete everything entirely, you have to know what all the information you have on someone is. This ensures that you didn’t miss a single thing, which can cause prolonged unwanted consequences. This was mentioned earlier in Step 1 when we discussed the data arrangement. In general, the thorough understanding of all of the data you collected is so vital.
Second, as discussed in step 1 and 2, knowing the exact place that you store all the data is essential. It won’t take you much time and effort to navigate the information that is about to be found and removed. Therefore, the deleting process will run more smoothly.
Last but not least, you should know what measures you could use to completely eliminate the data. There are many effective methods that are available for you to choose from. For example, if you run your online store on Magento 2, Mageplaza GDPR extension is highly recommended as a super useful tool which can help you not only eliminate the default addresses but also the entire customers’ account permanently with ease. You can Download FREE GDPR for Magento 2 on Github
Optin form is undeniably important for any e-stores to collect customers’ data. An opt-in form that includes multiple layers can simplify the data input process. The easier the process is, the more willing customers are to provide their individual data.
! Notice: Pre-ticked boxes are not qualified anymore. Before collecting data from any subjects, stores are required to ask for their consent in advance. Authorization needs a positive opt-in instead of pre-checked boxes or any kind of default consents that aren’t allowed individuals to actively choose what they really agree with. People have a right to actively tick the box to enable you to store their information and make use of it for your specific purposes
!Remember: To make your store trustworthy, a credible proof for people’s opt-in when giving data collecting permission is vital. Also, you should provide evidence that the information is used for the exact purposes that you already informed them.
Although the adjustment of security policy is for the better, it is still necessary to notify all of the contacts that exist before the take-effect date of GDPR about those changes. After announcing the new policy, politely asking them to positively opt-in again is a way to remain those contacts with high satisfaction. Without their consent to re-opt-in, you would have no longer rights to store their information, so you have to permanently wipe out all those related data. All of these actions will help show the stores’ respect towards their customers, partners, and employees.
Every store wants their visitors to subscribe to their pages through emails since they can easily notify them about your new products and services. However, customers might feel uncomfortable if you don’t allow them to unsubscribe if they no longer want to. Therefore, to satisfy them to the highest extent, if you’re using emails, you need to make sure people can deny receiving marketing content whenever they want. Similar to text messages and advertising phone calls, people have their rights to stop being annoyed by constant advertisements.
It is vital to keep in mind that the guidelines of the way to restrict emails, calls, or text messages should be easy-to-find, clear and concise enough for customers to follow. Or else, you can receive unwanted complaints and poor reviews from your users.
! Remember: A small print button shouldn’t be used. Moreover, it is necessary to have strict rules on the way you guarantee to help someone stop receiving marketing materials from your system. Art. 83 of GDPR regulates financial penalties for whom doesn’t follow the legal terms. To be specific, If you don’t make sure that your customers can get rid of advertising content, you may have to face an up-to-20-million-euro fine.
You want your e-shop to provide customers the highest level of privacy protection, then you have to follow the recent GDPR regulations term by term. Making every action of your business stick to that legislation would require you and your team members to be updated and understand every single principle in the palm of the hand.
! Bonus tip: It is a good idea to appoint a data protection officer (DPO) to be responsible for summarizing and simplifying all the must-know factors to all the staff. Having a person managed all of the training processes will assure things to work well.
If you are a data buyer from another business, GDPR will definitely have some influences on you. First, it is your responsibility to make sure that the data seller also complies with GDPR. If there is any evidence of an improper data trading, you should be aware and stop the buying process if you don’t want to have any troubles. If there is nothing wrong with the seller themselves, the second thing you must ensure is that whether the data you receive is permitted in opt-ins to be shared with third parties or not. Check these problems carefully before making the deal.
If you sell data to other parties, add an ‘Assignment clause’ to your fair processing notice. The people who opted in must have the rights to receive data from third parties for the identical purposes. Also, you have to make sure that your buyers will not use the data you shared for the unknown purposes. Every action of private data misuse can make you in trouble.
Mageplaza GDPR is a must-have free module that can help stores comply with GDPR without much effort. It protects customers’ right of erasure by allowing them to wipe out their default addresses and their accounts permanently by some simple clicks. Upgraded from the free plugin, the paid version even enables customers to manage their billing documents and restrict cookies with ease.
This is all you need to comply with GDPR thoroughly. Customers’ privacy will be guaranteed by a range of incredible features including cookie banners, authorization management, and internal privacy methods.
Siftery’s GDPR Checker is a helpful method that enables store owners to examine their SaaS vendors for GDPR compliance. Thanks to this tool, stores can keep the individual data of their customers safe anywhere, at any time.
This tool was developed to prevent users from being overwhelming with tons of GDPR terms. It not only simplifies the rules searching process but also arranges those complex regulations logically.
It provides useful email templates that are compliant to GDPR. With the help of this tool, e-stores can carry out outbound marketing effectively.
GDPR Form is an effective yet easy-to-use gadget to collects all requests, keep an eye on their monitor progress and send the response to data owners. All of the activities stick to GDPR rules in a strict way.
This tool plays the role of a GDPR guidance for managing tasks. It helps business keep the records of data processing activities and creates reports to send to the authorities.
This is absolutely helpful for marketers to be prepared for GDPR in advance. It provides a 3-week plan for businesses to follow and make sure that they understand GDPR deeply.
By using an ask-and-answer method, this tool is what you need to analyze to what extent your business complies with GDPR. Outstandingly, you can be provided with helpful tips on business improvement.
If you are compliant to GDPR and want to show that to your visitors in an attractive way, this is your best choice. This tool allows store admins to display a “GDPR Compliant” badge on the web page or app.
GDPR regulates a range of principles about how customer data can be protected legitimately. In order to comply with this EU data protection regulation, Mageplaza GDPR extension has been developed, which can ensure customers’ privacy rights to fully control their data. To understand how to customize the configuration, please follow the instructions below.
Navigating the Admin Panel, you could go to
Store > Settings > Configuration > Mageplaza Extensions > GDPR to start configuring this extension at the backend.
After these backend setups, the frontend display will be like below:
Delete your account enables customers to delete their accounts with ease.
Customers can remove their default address simply by clicking on the “Delete Address” button.
At the frontend, the encrypted information will be displayed as below:
See how Cookie text message is presented to users on the frontend: