Magento 2 & GDPR 5 must-knows

May 25 has come and the General Data Protection Regulation (GDPR for short) becomes active. This legal framework aims to enhance personal data privacy and increase one’s control over their own personal information in the Europe Union. It also brings great confusion to online vendors who now have to familiarize themselves with the new legislation and figure out a way to revamp their store policy accordingly.

Below we would address five points that you need to know about in preparation for the GDPR and how they are related to your Magento 2 store.

Related topics

• Magento 2 GDPR Delete default address
• Magento 2 GDPR Delete customer account
• Magento 2 GDPR Pro - Manage Billing Documents
• Magento 2 GDPR Pro - Cookie Restriction
• GDPR on Magento 2 - Comprehensive Step-by-Step Guideline

Download GDPR

• Free GDPR on Magento Maketplace
• Mageplaza GDPR Magento Extension

1. You are not in the EU, GDPR can still affect you

The scope of the GDPR encompasses data controllers and data possessors who are based in the EU and/or deal with residents in the EU. To put it into perspective: as long as you have customers coming from there, you must treat their personal data in accordance with the GDPR, regardless of where you are physically and virtually.

A general advice is that: If you are a global store (or you want to be one someday), you should to update your policy for ALL of your customers, not just the ones in the EU. This is because it would be very inconvenient to make changes to the backend only to apply it for a portion of customers, not to mention running two types of different privacy policy parallel to each other makes the store harder to manage.

2. GDPR comes with stricter obligation

Replacing the outdated Data Protection Directive, the GDPR introduces new, heavier penalties for non-compliance.

For the first and non-intentional violation, a written warning will be issued. Following tiers include: periodic examination, a fine of up to €10 million or 2% of annual total global turnover, whichever is higher. Notably, the most severe fines can reach €20 million or up to 4% of the annual worldwide turnover, whichever is higher.

3. Silent agreement, opt-out and pre-ticked checkbox are no longer legitimate

Data controllers are now required to explicitly ask for authorization from subjects before collecting data from them. This means some of the frequently-used methods to ask for agreement are no longer qualified. You may have seen many sites that upon entering prompt a pop-up message with something similar to “By using this site you have accepted our cookies”. Well, something like that is seen as insufficient now under the GDPR. So do opt-out and “I agree with all the terms that I won’t bother to read” pre-checked boxes.

The subjects need to be clearly informed about and actively agree to your term. This means you would need to go out of the way to ask for permission and provide solid reasons for it when taking information from them. Preferably, this should be done by a digital agreement (contract) that can be publicly presented at any time. In addition, some extensions such as Store locator and Multi-store Switcher automatically collect users’ IP addresses which, as the new regulation sees it, are now private data. As such, be aware of what input your third-party extensions take, by how and make sure it does not happen without consent.

4. GDPR requires data protection by design, data protection by default and pseudonymisation

Don’t let the jargons scare you away. To put it simply: You have to ensure protection for your customers’ data, and these terms mentioned above are computer methods which will help you achieve that task under a lawful basis. Below we will take a closer look at them.

• Data protection by design and by default. This broad principle is about privacy being taken into consideration right from the start, when a program is still under construction. By making use of various technologies and mechanisms, the final system as a whole will be specifically designed with and for the protection of users’ data. Prominent foundations for data protection by design includes: focus on prevention rather than remedy, be openly clear about how privacy is carried out and center around the end users Some examples are: setting default privacy to high, keep encryption and decryption local, only give decryption key to data controller and rotate keys regularly.
• Pseudonymization. Along with anonymization, this is a recommended way to render personal information unidentifiable. Fields with data are replaced (pseudonymize) by a computer identifier, thus making them less recognizable while still available for analysis and processing. An advantage of pseudonymization is that it is reversible (when provided additional information) while anonymization is not. However, a weakness of this method is being vulnerable to inference attack (infer a person’s identity based on known information about their activities pattern)

Psedonymization is not a cure-all, just one of the many factors forming a protection scheme. It needs to be combined with an adequate security base and risk-minimizing measures to be truly effective.

5. Your EU customers have a right of access and a right to erasure

The GDPR is not just about policy, it is also about how clear vendors are about that policy to their customer. Users must be given the option to decline request for data, see their collected information and have that deleted or moved if they wish. These rights extend to your external partners as well. When a customer revokes their consent, you need to make sure that not just you, but your partner also can no longer access the shared data about that person. In addition, data handlers must present proof of legal conduct when asked for, including records of information gathering, storage duration and processing activities.

A good way to manage consent is creating a mutual database that can carries out deletion requests either automatically or on order. As for users, it is good practice to allow them to conveniently view their data, request changes and erasure right from their account setting.

Final word

Making your Magento store compliant with the GDPR could be confusing and time consuming, as it requires a bit of knowledge about data science and digital privacy. Thankfully, you can get help from tools like GDPR extensions which enable store admins to completely delete customers’ account and their default addresses. With such aid at your site, managing and protecting customers’ privacy would be much easier.