May 25 has come and the General Data Protection Regulation (GDPR for short) is now in force. This legal framework aims to strengthen personal data privacy and give people in the European Union more control over their own personal information. It also brings considerable confusion to online vendors, who now have to familiarize themselves with the new legislation and work out how to revamp their store policies accordingly.
Below we address five points you need to know about in preparation for the GDPR and how they relate to your Magento 2 store.
The scope of the GDPR covers data controllers and data processors that are established in the EU, and those outside the EU that offer goods or services to people in the EU or monitor their behaviour. To put it into perspective: as long as you sell to customers there, you must treat their personal data in accordance with the GDPR, regardless of where your business or your servers are physically located.
Replacing the outdated Data Protection Directive, the GDPR introduces new, heavier penalties for non-compliance.
Not every violation ends in a fine: supervisory authorities can first issue a warning or a reprimand, or order a data protection audit. Fines themselves come in two tiers: up to €10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, and, for the most serious infringements (such as breaching the basic principles for processing, including the conditions for consent), up to €20 million or 4% of that turnover, whichever is higher.
Where you rely on consent as your lawful basis (consent is one of several bases the GDPR allows, alongside performance of a contract and legitimate interests, but it is the one most relevant to marketing and tracking), data controllers must obtain it explicitly before collecting the data. This means some of the frequently used ways of asking for agreement no longer qualify. You may have seen many sites that, on entry, show a pop-up with something like “By using this site you have accepted our cookies”. Under the GDPR that is insufficient, because consent must be a clear affirmative act. So are opt-out schemes and pre-checked “I agree with all the terms that I won’t bother to read” boxes: silence, inactivity and pre-ticked boxes do not count as consent.
Subjects need to be clearly informed about and actively agree to your terms. This means you have to go out of your way to ask for permission, and to explain why you need the information, whenever you collect it. You must also be able to demonstrate that consent was given, so keep a record of what each customer agreed to and when, and present your terms in a form that can be shown at any time. In addition, some extensions such as Store location and Multi-store Switcher automatically collect users’ IP addresses, which the regulation treats as personal data (they are online identifiers). So be aware of what input your third-party extensions take and how they take it, and make sure it does not happen without a lawful basis such as consent.
Don’t let the jargon scare you away. Put simply: you have to protect your customers’ data, and the terms mentioned above (pseudonymization, for instance) describe technical measures that help you do so on a lawful basis. Below we take a closer look at them.
Pseudonymization is not a cure-all, just one of many factors forming a protection scheme. Pseudonymized data is still personal data under the GDPR as long as the information needed to re-identify someone (the key or lookup table) exists, so it has to be combined with an adequate security baseline and risk-minimizing measures, and that re-identification material must be kept separately from the data it protects, to be truly effective.
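As an added example (not code from the original article or from any Magento extension), the following Python script shows what the point above means in practice for the IP addresses and customer identifiers discussed earlier. It contrasts an unkeyed hash, which is not pseudonymization because IPv4 addresses can simply be enumerated and re-hashed, with an HMAC under a secret key kept apart from the data, and with plain truncation for cases where no linkage between records is needed at all. The sample events and all function names are constructed for this illustration.

```python
"""Pseudonymising store-event records: naive hash vs keyed HMAC vs truncation.

Added example. Sample data and function names are constructed for illustration.
"""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Dict, List, Optional

# Constructed sample: the sort of rows a store-locator or multi-store extension
# might log about visitors. Not real customers.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"customer_email": "alice@example.com", "ip": "203.0.113.42", "store": "eu_en"},
    {"customer_email": "bob@example.org", "ip": "198.51.100.7", "store": "eu_de"},
    {"customer_email": "alice@example.com", "ip": "203.0.113.42", "store": "eu_fr"},
]


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256. Looks anonymous, but anyone can recompute it for a
    guessed input, so it is neither anonymisation nor pseudonymisation."""
    return hashlib.sha256(value.encode()).hexdigest()


def reverse_naive_ipv4(digest: str, network: str) -> Optional[str]:
    """Recover an IPv4 address from its unkeyed hash by brute force.

    The attacker only needs a plausible range; even the whole IPv4 space is
    just 2**32 hashes. Returns None if nothing in the range matches.
    """
    for addr in ipaddress.ip_network(network):
        if naive_hash(str(addr)) == digest:
            return str(addr)
    return None


def new_key() -> bytes:
    """Pseudonymisation key. Under the GDPR this is the 'additional information'
    that must be kept separately from the pseudonymised data (secrets manager,
    separate database, separate access control), never in the same table."""
    return secrets.token_bytes(32)


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym: deterministic, so records about the same person still
    link together, but without the key an attacker cannot test guesses."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def anonymise_ip(ip: str) -> str:
    """Irreversible alternative when you only need coarse location statistics:
    keep the /24 of an IPv4 address or the /48 of an IPv6 address."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def pseudonymise_events(events: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Replace direct identifiers in each record with keyed pseudonyms.

    Non-identifying fields (the store code) are kept so the data stays useful
    for analytics; the raw email and IP never reach the output.
    """
    return [
        {
            "customer": pseudonymise(e["customer_email"], key),
            "ip": pseudonymise(e["ip"], key),
            "store": e["store"],
        }
        for e in events
    ]


if __name__ == "__main__":
    key = new_key()
    digest = naive_hash("203.0.113.42")
    print("naive hash reversed:", reverse_naive_ipv4(digest, "203.0.113.0/24"))
    print("keyed pseudonym reversed:",
          reverse_naive_ipv4(pseudonymise("203.0.113.42", key), "203.0.113.0/24"))
    print("truncated:", anonymise_ip("203.0.113.42"))
    for row in pseudonymise_events(SAMPLE_EVENTS, key):
        print(row)
```

The keyed variant keeps the linkage between the first and third sample rows (same customer, same pseudonym) while the enumeration attack that recovers the address from the unkeyed hash gets nothing. Rotating the key deliberately breaks that linkage between old and new records, which is a useful property when you want logs to age out of identifiability.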
The GDPR is not just about policy; it is also about how clear vendors are about that policy to their customers. Users must be able to decline requests for their data, see the information you hold on them, and have it deleted or transferred if they wish. These rights extend to your external partners as well: when a customer revokes consent, you must make sure that not just you but also your partners can no longer use the shared data about that person. In addition, data handlers must be able to demonstrate compliance when asked, including records of what information was gathered, how long it is stored and what processing activities are performed on it.
A good way to manage consent is a shared consent register that carries out deletion requests either automatically or on demand. As for users, it is good practice to let them conveniently view their data and request changes and erasure right from their account settings.
Making your Magento store compliant with the GDPR can be confusing and time consuming, as it requires some knowledge of data protection and digital privacy. Thankfully, you can get help from tools such as GDPR extensions that let store admins delete customers’ accounts and their default addresses completely. Bear in mind that personal data also lives in order history, logs, backups and any third-party system you have shared it with, so check those as well. With such aid on your site, managing and protecting customers’ privacy becomes much easier.