If you are reading this article, then you must be wondering whether all this fuss about GDPR has anything to do with your Magento 2 store, and whether you need to do anything about it. If not, then perhaps you are already looking for solutions to make your store comply with GDPR. Well, read on as we tackle the most basic questions about this issue (in understandable human language).
GDPR, short for General Data Protection Regulation, is a regulation on the protection of personal data and privacy for all people in the EU. It takes effect on May 25, 2018.
Before diving into the details of its content, let us first clarify some of the terms that will be referred to quite frequently:
With that out of the way, it is time to look at what GDPR is actually about. Basically, the legislation requires data controllers and data processors to:
The regulation also introduces stricter enforcement of compliance. Violations can result in hefty fines that, at maximum, could reach 4% of worldwide turnover or €20 million, whichever is higher. This shows how seriously personal information is valued in the EU, and you will want to remain compliant with that standard.
GDPR is being implemented to replace the much-outdated Data Protection Directive (which was adopted more than 20 years ago, in 1995). In doing so, the EU parliament hopes to create a safer, more secure Internet that respects personal privacy, and to unify privacy laws among EU countries, thus making them easier for international companies to follow.
The answer is: very likely, YES!
The answer is still very likely yes. According to Article 3(2), the regulation applies to all data controllers and processors that are based in, or have customers based in, the European Union. That means that even if your headquarters is not physically in the EU, as long as you have customers from there, you MUST treat those customers in compliance with GDPR.
If you are a global store (or plan to be one someday), it will be cumbersome to update your system only to apply it to just one portion of your customer base. Hence, it is recommended that you update your policy for ALL of your customers, regardless of whether they are from the EU or not.
Firstly, transparency. Your site must be upfront about what data is collected, when, for how long and for what purposes. Everything needs to be spelled out loud and clear. One thing to note is that consent implied by use, pre-ticked boxes and opt-out mechanisms are no longer legitimate, as they are deemed insufficient for asking end users for their agreement. In addition, customers must be able to decline your request, see the information you hold about them, and have it modified, deleted or transferred if they want to.
Secondly, credibility. You need to keep a record of everything related to how information is processed in your store. This encompasses how you obtain authorization, how the data is stored, how it is used or shared and, above all, how you keep it secure and private. The GDPR regards data protection by design, data protection by default and pseudonymisation as necessary measures for data storage. If you have no idea what these terms mean, then they are worth looking into. Put plainly, they are technical measures that ensure a basic mandatory level of security for your customers' information.
We are not legal consultants, but below are some suggestions to give you a general idea of what will need to be done.
Finally, look at how your customers are informed about all of the above. Do you put the terms in clear and plain language (or maybe even in a video for easy comprehension)? Or do your customers have to scroll through a 30-page policy full of jargon that bores them from the very first word?
After examining your system and discovering where its weaknesses lie, you can start working on them. Some of the precautions are: be clear and explicit, collect only what you need, keep it in one place for security, and delete it when it is no longer needed.
You might also need to reconsider some of the third-party tools you are using and check whether they take or leak information without consent, as Magento has warned. Some extensions, like Store location, automatically track the user's IP address, which under GDPR is now considered to be private data. You would need to explicitly ask your customers for authorization to collect such information, and offer them an option to decline.
Giving users a customized experience is a major factor in increasing visitors' satisfaction and engagement, and your revenue. Understandably, it requires a great deal of personal information to work. If you are aiming to make personalized content, then you definitely want to care about how to make it happen in a legitimate way. The GDPR does not forbid you from collecting data from your customers; rather, it demands that you do it in a way that shows greater respect for your customers' privacy and the rights they have over their own information.