Get 15% off Mageplaza extensions & subscriptions! Use code HIMAY at checkout.

GDPR on Magento 2 - Comprehensive Step-by-Step Guideline

Summer Nguyen | 07-17-2018

The Most Popular Extension Builder for Magento 2

With a big catalog of 224+ extensions for your online store

This complete guideline is for ecommerce and Magento 2 stores with step-by-step instructions on general GDPR understanding, preparation, handy extensions and comprehensive compliance guide of GDPR.


GDPR for Magento 2

Increase trust, cybersecurity & data protection with GDPR compliance

Check it out!

Table of Contents

GDPR - What you need to know (TL;DR is provided below)

GDPR - What is it?

GDPR is the abbreviation of General Data Protection Regulation, which is a legal framework about privacy protection activated throughout the Europe Union since May 25, 2018.

Why should you know about GDPR?

The growing concern about privacy issues of customers urges eCommerce stores to come up with a solution that can make them relief while using online services. The fact that GDPR is the strong guarantee of protecting private data certified by international law will definitely help stores tackle those problems. Moreover, this law legislation is recent, which means that every single term of it is updated to be suitable for the current situation of the online business. Be provided with the knowledge about the new GDPR laws will help you understand what it is, what it relates to, and how to apply it to have the optimum results. To ensure that every action of your business complies to GDPR strictly, and to guarantee that the relationship among the personal data, the data controllers, and the data processors remain credible and transparent, understanding GDPR is essential.
Let me explain the necessity of understanding GDPR in details.

1. To clarify the rights and duties of different subjects when dealing with personal data

As we know, all of the information related to an individual identity including name, address, email, phone number, photo, etc. are considered to be private. Of course, personal data entirely belongs to the data owners but it doesn’t mean that they are the only ones who know about that private information. In the real world, individuals have to provide their information to some other people for many purposes such as buying things, registering for a service, attending school, and so on. That’s why we have data controllers - those who collect data, and data processors who deal with those data. The question is how you ensure that the personal data will never be misused or stolen by the people who are not the data owners? The answer can be found in GDPR, which is released in order to ensure that information to be protected by law. Knowing about GDPR will help you understand the rights and duties of different subjects when handling private information. Except for the data owner, every other person will only have limited interference with the data. Only by learning about GDPR can you be clear about what you should do with that information and to what extent.

2. To recognize the effects of GDPR on EU and non-EU residents

It is the fact that GDPR regulates the privacy protection policy within the EU. However, you must be clear that even if you are a European or not, your store is located in Europe or not, you still have to comply with GDPR if you have customers there. Moreover, since it might be complicated if you set different regulations for customers who live in different nations, GDPR should be used as the privacy standard in your store. Your store can cut down a lot of workloads when setting privacy rules at the backend. Of course, it sounds reasonable that customers deserve to be treated fairly wherever they come from.

3. To be updated with the stricter law

You should be aware of the more severe penalties coming along with GDPR violation. Unlike the Data Protection Directive which was applied more than 2 decades ago, GDPR is now more up-to-date and have stricter regulations. If the violation is unintentional, a warning will be announced. If there are any serious noncompliance evidence, the company or organization will be fined at a significant amount. The financial punishment can reach €20 million or up to 4% of the annual worldwide turnover, whichever is higher. Therefore, it is necessary to have a deep insight into GDPR to prevent these situations to happen.

4. To tighten the authorization regulations

Many stores or websites used to provide pre-ticked boxes or opt-out to ask for consent when collecting data. The ready-made agreement methods are considered to be no longer sufficient to protect customers’ rights, according to the new GDPR laws. Shoppers seem to be forced to say yes, and that seriously violates GDPR. You must replace those asking methods with a digital agreement, for instance, to ensure the data owners is thoroughly notified and actively permit you to collect their data.

5. To ensure that customers have full rights to access, erasure, and anonymize

Integrating GDPR into your store policy is a guarantee about privacy protection that you give to your customers. It is about the fact that you offer customers full rights to control their own data to the highest extent. To be specific, once individuals provide information, they must be allowed to access to those data every time they want. They have rights to keep track of everything that happens to their personal information. Moreover, since they can provide the data, they definitely could delete them permanently. Once it is wiped out in the data controllers’ system, it also has to be removed from the relating system of the processors. Sometimes, individuals want to hide their identities due to some concerns in privacy, then they could be allowed to go anonymous as they wish. Knowing about GDPR will help you satisfy your users by giving them the rights that they deserve to have.


In short, there are 5 main reasons why you should take GDPR into consideration.

  • Understanding GDPR will help you know which role you are playing in this data processing game. Are you a data controller or processor? From then, you can be clear about your duties and rights when dealing with individual data.
  • No matter what nationalities you are, or where you are, GDPR must be complied with if you have customers lived in EU. You must know about GDPR to satisfy all of your customers with the same security standards.
  • GDPR is the most up-to-date regulation till now with stricter regulations and harsher penalties. Having knowledge about it can help you strengthen your privacy policy and prevent from being punished.
  • Some old rules and methods of asking for consent are no longer legitimate. You must be aware of that by exploring GDPR to make suitable adjustments. Or else, you can violate some privacy regulations.
  • Knowing about GDPR will help you protect customers’ rights at the highest level by ensuring that they are able to access, eliminate their data, or keep them in secret if they want to.

10 steps to comply GDPR

You might be wondering how to start making your store follow these range of complicated principles. Why don’t we simplify the compliance process into steps that can help you understand what to do more easily?

Step 1: Arrange your data systematically

GDPR Arrange your data systematically

Every day, your storage system receives a considerable amount of data from your employees, suppliers, and customers. It is your responsibility to prevent those data from being a mess that is accumulated day by day. Managing them in an organized faction will have many benefits not only in the daily operation but also in the unforeseen circumstances.
There are two clear reasons why you should organize your data properly. Initially, only with a neat and well-managed system can you provide the information you have to people as quickly as possible when you’re required to do so. Imagine your stored data is the books on the bookshelf. If you have already categorized those books in indexed names, or by authors, it is super easy for you to find them when in need. However, if they are messy and disorganized, it takes time and efforts to so. That situation is not so different from the electronic storage system. The second reason is that in case you are under a GDPR investigation, you will be able to show what information you have on everyone easily and quickly. A well-arranged storing place not only indicates your professional attitude about how you treat your customers, employees, and suppliers’ valuable data but also expresses your explicit data control process.
In short, remember to store the information in a well-organized way!

Tip: Don’t keep the unnecessary data

! Important: Keep in mind the reasons why you got your partners or customers’ private data including name, email address or phone number. Regulated in Art. 17, Chapter 3 of GDPR, if the data is no longer used for the reasonable purposes, there is no excuse for you to store them any longer. If you keep stubbornly storing that information, you can be under suspicion of having bad intentions towards data exploitation. So be aware!

Step 2: Ensure the data is safely protected

GDPR Ensure the data is safely protected

Along with the development of technology, there are high risks of data being leaked, hacked or misused. The store must keep the data out of those security threats by providing numerous safety measures for digital data and hard-copied ones.

If you store the data digitally, it could be insufficient if you keep everything in your internal system. Nowadays, thanks to the help of the cloud computing, uploading information on the cloud can prevent the risk of losing your entire data. Cloud storage is enormous, so you don’t have to worry about the lack of storage capability. Besides, having a useful antivirus software equipped to the system is a must for any online store. This will keep your data safely secured to some extent. All of the methods above are for prevention; how about what you would react when the bad situation took place? For instance, if the data storage device is lost, you should prepare, in advance, that you will be able to eliminate the data remotely so nobody can access it. Whatever measures you employ, you must do everything you could to save all the information you have at the highest security level.

In case you have hard copies of the data, the medium to keep it safe might be different. The place you store your documents or physical equipment should be locked carefully to ensure it is uneasy to access the data. Also, it’s necessary to deliver a good risk management plan, in case unpredictable disasters like fire, flood or earthquake suddenly occur, which can severely damage the data. Of course, while processing the data, there is a handful of people who are allowed to access that information. Even if they are trustworthy, you still have to think about how you can manage those access thoroughly and transparently. Last but not least, don’t forget to record the safety measures you have put in place to make sure every team members knows what’s happening.

Step 3: Notify the fair process to the data providers

Your policy must clarify what private information will be collected and how they would be used. With that provided clear policy, when people give their information to you, they could be notified thoroughly about the fair process. Since the users trust you and hand over their personal data to you, it is your responsibility to let them know about what happens with those data credibly and explicitly in return.

In specific, the factors that should be included in your regulation are:

  • The kind of information that can be collected. This will make the customers clear about what they should provide to the stores and what shouldn’t in order to be well-aware. They can also know whether that store requires the data that violates the rules or not.
  • The data collectors identity. It is vital to know for sure who is the one that stores customers’ data. When the bad situation happens such as leaking or misusing data, customers can know who should be responsible for all of their issues.
  • The way the data is collected. Individual data can be gathered by various means but it must be sure that those methods are private and reliable. If the third party can access the collecting process easily, that could be a huge threat to the customers’ data privacy.
  • The reasons why is it being collected. The purposes of the data collecting process must be regulated clearly so that customers can keep things under control with ease. Specifically, it helps customers to recognize whether their data will be used for the purposes that they don’t allow.
  • The way the data is used. The data processing must be clear that allows data’s owners to keep track of everything that happens to their information regularly.
  • Other recipients of the data. This is absolutely important to ensure that customers will not misunderstand a legal data sharing with an improper trade without their consent. If the people/organizations are regulated in advance in the policy, customers can control their private information more easily.
  • The influences of this on the individuals. Clarifying the effects of collecting data on each related persons will help individuals understand what benefits they may receive and prepare for some unintended cases to happen. The prediction of some annoying and easy-to-be-misunderstood circumstances will help individuals prepare in advance physically and emotionally.
  • The likelihood of causing individuals’ objection or complaint with the data’s intended use. The regulations should make it clear to what extent the data use cause annoying experiences for customers, which somehow make them be more understanding, relief and keep calm in every situation.

Step 4: Have a process for providing the info you have on a person

GDPR Have a process for providing the info you have on a person

The new GDPR law stresses that you are required to provide the people the entire data you have on them. Every information you’ve got is not allowed to be hidden by any means and any purposes. This is understandable since individuals have their full rights to control their own data. They can give it to anyone and take it from them as they wish.

! Important: There is a time limit for the information providing a process according to term 3, Art 12 of GDPR. Remember that if a person acquires you to give him/her all of the information you have on them, you must do so within a month and totally free of charge.

Step 5: Provide a clear mechanism for data deletion

The right to erasure has been regulated clearly in Art. 17 GDPR that allows individual to completely and permanently wipe out all private data related to them in the storage system. Following this regulation can ensure that you enable your customers and partners to fully control their data, which means that you treat them with respect. To comply with this principle effectively, the store has to manipulate a clear process for this.

Initially, to delete everything entirely, you have to know what all the information you have on someone is. This ensures that you didn’t miss a single thing, which can cause prolonged unwanted consequences. This was mentioned earlier in Step 1 when we discussed the data arrangement. In general, the thorough understanding of all of the data you collected is so vital.

Second, as discussed in step 1 and 2, knowing the exact place that you store all the data is essential. It won’t take you much time and effort to navigate the information that is about to be found and removed. Therefore, the deleting process will run more smoothly.

Last but not least, you should know what measures you could use to completely eliminate the data. There are many effective methods that are available for you to choose from. For example, if you run your online store on Magento 2, Mageplaza GDPR extension is highly recommended as a super useful tool which can help you not only eliminate the default addresses but also the entire customers’ account permanently with ease. You can Download FREE GDPR for Magento 2 on Github

Step 6: Generate a layered opt-in form

Optin form is undeniably important for any e-stores to collect customers’ data. An opt-in form that includes multiple layers can simplify the data input process. The easier the process is, the more willing customers are to provide their individual data.

Step 7: Enable individuals to actively opt-in

! Notice: Pre-ticked boxes are not qualified anymore. Before collecting data from any subjects, stores are required to ask for their consent in advance. Authorization needs a positive opt-in instead of pre-checked boxes or any kind of default consents that aren’t allowed individuals to actively choose what they really agree with. People have a right to actively tick the box to enable you to store their information and make use of it for your specific purposes

!Remember: To make your store trustworthy, a credible proof for people’s opt-in when giving data collecting permission is vital. Also, you should provide evidence that the information is used for the exact purposes that you already informed them.

Step 8: Notify existing contacts to re-opt-in

Although the adjustment of security policy is for the better, it is still necessary to notify all of the contacts that exist before the take-effect date of GDPR about those changes. After announcing the new policy, politely asking them to positively opt-in again is a way to remain those contacts with high satisfaction. Without their consent to re-opt-in, you would have no longer rights to store their information, so you have to permanently wipe out all those related data. All of these actions will help show the stores’ respect towards their customers, partners, and employees.

Step 9: Allow to opt out with ease

Every store wants their visitors to subscribe to their pages through emails since they can easily notify them about your new products and services. However, customers might feel uncomfortable if you don’t allow them to unsubscribe if they no longer want to. Therefore, to satisfy them to the highest extent, if you’re using emails, you need to make sure people can deny receiving marketing content whenever they want. Similar to text messages and advertising phone calls, people have their rights to stop being annoyed by constant advertisements.

It is vital to keep in mind that the guidelines of the way to restrict emails, calls, or text messages should be easy-to-find, clear and concise enough for customers to follow. Or else, you can receive unwanted complaints and poor reviews from your users.

! Remember: A small print button shouldn’t be used. Moreover, it is necessary to have strict rules on the way you guarantee to help someone stop receiving marketing materials from your system. Art. 83 of GDPR regulates financial penalties for whom doesn’t follow the legal terms. To be specific, If you don’t make sure that your customers can get rid of advertising content, you may have to face an up-to-20-million-euro fine.

Step 10: Make sure your team members know the new GDPR laws

Make sure your team members know the new GDPR laws

You want your e-shop to provide customers the highest level of privacy protection, then you have to follow the recent GDPR regulations term by term. Making every action of your business stick to that legislation would require you and your team members to be updated and understand every single principle in the palm of the hand.

In the first place, you must send emails to all your team members notifying that there is a change in the privacy policy that requires them to understand deeply. After that, since it is difficult to self-learn all of those complicated principles, the employees should be trained carefully to ensure that they don’t misunderstand any term of the new rules.

! Bonus tip: It is a good idea to appoint a data protection officer (DPO) to be responsible for summarizing and simplifying all the must-know factors to all the staff. Having a person managed all of the training processes will assure things to work well.

Buying/Selling data and GDPR compliance

If you are a data buyer from another business, GDPR will definitely have some influences on you. First, it is your responsibility to make sure that the data seller also complies with GDPR. If there is any evidence of an improper data trading, you should be aware and stop the buying process if you don’t want to have any troubles. If there is nothing wrong with the seller themselves, the second thing you must ensure is that whether the data you receive is permitted in opt-ins to be shared with third parties or not. Check these problems carefully before making the deal.

If you sell data to other parties, add an ‘Assignment clause’ to your fair processing notice. The people who opted in must have the rights to receive data from third parties for the identical purposes. Also, you have to make sure that your buyers will not use the data you shared for the unknown purposes. Every action of private data misuse can make you in trouble.

GDPR Compliance Tools for Magento 2

Mageplaza GDPR extension for Magento 2

Mageplaza GDPR is a must-have free module that can help stores comply with GDPR without much effort. It protects customers’ right of erasure by allowing them to wipe out their default addresses and their accounts permanently by some simple clicks. Upgraded from the free plugin, the paid version even enables customers to manage their billing documents and restrict cookies with ease.

Lubenda’s GDPR toolkit

This is all you need to comply with GDPR thoroughly. Customers’ privacy will be guaranteed by a range of incredible features including cookie banners, authorization management, and internal privacy methods.

Siftery’s GDPR Checker

Siftery’s GDPR Checker is a helpful method that enables store owners to examine their SaaS vendors for GDPR compliance. Thanks to this tool, stores can keep the individual data of their customers safe anywhere, at any time.

Algolia’s GDPR search tool

This tool was developed to prevent users from being overwhelming with tons of GDPR terms. It not only simplifies the rules searching process but also arranges those complex regulations logically.

GDPR Email Copy

It provides useful email templates that are compliant to GDPR. With the help of this tool, e-stores can carry out outbound marketing effectively.

GDPR Form GDPR Form is an effective yet easy-to-use gadget to collects all requests, keep an eye on their monitor progress and send the response to data owners. All of the activities stick to GDPR rules in a strict way.

This tool plays the role of a GDPR guidance for managing tasks. It helps business keep the records of data processing activities and creates reports to send to the authorities.

SOS GDPR Kit for Digital Marketers

This is absolutely helpful for marketers to be prepared for GDPR in advance. It provides a 3-week plan for businesses to follow and make sure that they understand GDPR deeply.

Ultimate GDPR Quiz

By using an ask-and-answer method, this tool is what you need to analyze to what extent your business complies with GDPR. Outstandingly, you can be provided with helpful tips on business improvement.

GDPR Compliant Badges

If you are compliant to GDPR and want to show that to your visitors in an attractive way, this is your best choice. This tool allows store admins to display a “GDPR Compliant” badge on the web page or app.

How to Configure GDPR extension for Magento 2

GDPR extension for Magento 2

GDPR regulates a range of principles about how customer data can be protected legitimately. In order to comply with this EU data protection regulation, Mageplaza GDPR extension has been developed, which can ensure customers’ privacy rights to fully control their data. To understand how to customize the configuration, please follow the instructions below.

Navigating the Admin Panel, you could go to Store > Settings > Configuration > Mageplaza Extensions > GDPR to start configuring this extension at the backend.

How to Configure GDPR extension for Magento 2

General configuration

  • The module can be activated at the Enable field.
  • The Allow Delete Customer Account field is where store owners can allow customers to erase their accounts permanently.
  • The alert message which is shown when customers decide to delete their accounts can be edited in the Delete Message field.
  • Selecting “Yes” in the Allow Delete Default Address field means that you give customers full permission to remove their default billing and shipping addresses by themselves.

GDPR extension for Magento 2 General configuration

After these backend setups, the frontend display will be like below:

GDPR extension for Magento 2 backend General configuration

Clicking on Delete your account enables customers to delete their accounts with ease.

GDPR extension for Magento 2 Delete your account

Customers can remove their default address simply by clicking on the “Delete Address” button.

Anonymous Account Configuration (Pro)

GDPR extension for Magento 2 Anonymous Account Configuration

  • By selecting “Yes” in the “Allow delete abandoned cart” field, customers can remove abandoned cart along with eliminating their accounts.
  • The “Allow anonymizing account in billing document” field enables customers to make their data including Billing Address, Shipping Address be decoded in a random character string that couldn’t be understood by ordinary people.
  • Similarly, the account first name, last name, email addresses, address option can also be anonymized and replaced by a 10-character string.

At the frontend, the encrypted information will be displayed as below:

GDPR extension for Magento 2 Anonymous Account Configuration frontend

GDPR extension for Magento 2 Cookie Restriction

  • You can activate the Enable Cookie Restriction Mode field by choosing “Yes” if you permit your customers to ban cookie to be used in the websites.
  • If you choose “Yes” in Visitors must accept cookie policy field, you required customers to agree with the cookie using rules if they want to carry out some specific actions on the web pages.
  • Store administrators can type the cookie messages in the Cookie Text Message field. That message will be displayed to customers on the frontend as the illustration below.

GDPR extension for Magento 2 Cookie Text Message field

  • The CMS Cookie Policy Page field is where store owners can decide which page to insert an internal link in Learn more of Cookie Text Message.
  • The name of the Cookie message button can be altered in the Button Label field. If you don’t want to change, it will display as default - “Allow Cookies”.
  • Admins can adjust the position to display cookie message on the websites as well as set the specific geographical area to allow or restrict cookies.
  • The Custom CSS field allows you to customize the cookie display as you wish.

See how Cookie text message is presented to users on the frontend:

GDPR extension for Magento 2 Cookie text message is presented to users on the frontend



Marketing Manager of Mageplaza. Summer is attracted by new things. She loves writing, travelling and photography. Perceives herself as a part-time gymmer and a full-time dream chaser.

Related Post

Website Support & Maintenance Services

mageplaza services

Make sure your store is not only in good shape but also thriving with a professional team yet at an affordable price.