How GDPR affects your Magento 2 stores
If you are reading this article, then you must be wondering whether all this fuss about GDPR has anything to do with your Magento 2 store, and whether you need to do anything about it. If not, then perhaps you are already looking for solutions to make your store comply with GDPR. Well, read on as we tackle the most basic questions about this issue (in understandable human language).
What exactly is GDPR? What does it do?
GDPR, short for General Data Protection Regulation, is a regulation about protection of personal data and privacy for all people in the EU that takes effect on May 25, 2018.
Some clarification, please!
Before diving in more details of its content, let us first clear some of the terms that would be referred to quite frequently:
- Personal data: any information that can be used to identify a person. This ranges from name, email, phone number and photo to even IP addresses and cookies set by websites.
- Data controllers: individuals or organizations that collect data from EU residents. They can be stores, schools and companies. Data controllers are responsible for, and in control of, the information they collect.
- Data processors: individuals or organizations that process data of EU residents on behalf of a data controller. Examples include cloud service providers, market research companies and tax advisers. Your store can be either a controller or a processor, or both.
So what is the deal?
With that out of the way, it is time to look at what GDPR is actually about. Basically, the legislation requires data controllers and data processors to:
- Ask for explicit consent (read: agreement) to personal data collection from their subjects
- Be crystal clear about what is collected, and how it is stored and used
- Ensure that the entire process is carried out on a lawful basis
- Allow the subjects to access their information and have it removed or transferred should they want to

There is a lot more to this regulation, but that is the GDPR stripped down to its bare bones. If you have the time (and ability), you can read it in full detail here.
The regulation also introduces stricter enforcement of compliance. Violations can result in hefty fines that, at maximum, could reach 4% of worldwide turnover or €20 million, whichever is higher. This shows how seriously private information is valued in the EU, and you will want to remain compliant with that standard.
GDPR replaces the much-outdated Data Protection Directive (adopted more than 20 years ago, in 1995). In doing so, the EU parliament hopes to create a safer, more secure Internet that respects personal privacy, and to unify privacy laws among EU countries, making them easier for international companies to follow.
Can GDPR affect my store? And How?
The answer is: very likely, YES!
Wait, I am not located in the EU!
The answer is still very likely yes. According to Article 3(2), the regulation applies to all data controllers and processors that are based in, or have customers based in, the European Union. That means even if your headquarters is not physically in the EU, as long as you have customers from there, you MUST treat those customers in compliance with GDPR.
If you are a global store (or plan to be one someday), it will be cumbersome to update your system only to apply it to one portion of your customer base. Hence, it is recommended that you update your policy for ALL of your customers, regardless of whether they are from the EU or not.
What will become of my store?
Firstly, transparency. Your site must be upfront about when, for how long, what and for what purposes data are collected. Everything needs to be spelled out loud and clear. One thing to note is that consent implied by use, pre-ticked boxes and opt-out are no longer legitimate, as they are deemed insufficient for obtaining agreement from end users. In addition, customers must be able to decline your request, see the information you hold about them, and have it modified, deleted or transferred if they want to.
Secondly, credibility. You need to keep a record of everything related to how information is processed in your store. This encompasses how you obtain authorization, how the data is stored, how it is used or shared and, above all, how you keep it secure and private. The GDPR regards data protection by design, data protection by default and pseudonymisation as necessary measures for data storage. If you have no idea what these terms mean, then it is worth looking into them. Plainly, they are technical and organizational measures that ensure a basic mandatory level of security for your customer information.
What should I do?
We are not legal consultants, but below are some suggestions to give you a general idea of what will need to be done.
Do an information overhaul
Finally, look at how your customers are informed about all of the above. Do you put the terms in clear and plain language (or maybe even in a video for easy comprehension)? Or do your customers have to scroll through a 30-page-long policy full of jargon that bores them from the very first word?
Adjust your policy accordingly and take necessary measures
After examining your system and discovering where its weaknesses lie, you can start working on them. Some of the precautions are: be clear and explicit, take only what you need, keep it in one place for security and delete it when it is no longer needed.
You might also need to reconsider some of the third-party tools you are using and check whether they take or leak information without consent, as Magento has warned. Some extensions, like Store location, automatically track the user's IP address, which under GDPR is now considered personal data. You would need to explicitly ask your customers for authorization to collect such information, and offer them an option to decline.
Giving users a customized experience is a major factor in increasing visitors' satisfaction, engagement and your revenue. Understandably, it requires a great deal of personal information to work. If you are aiming to deliver personalized content, then you definitely want to care about how to do it in a legitimate way. The GDPR does not forbid you from collecting data from your customers; rather, it demands that you do so in a way that shows greater respect for your customers' privacy and the rights they have over their own information.