What is GDPR?
The GDPR, or the General Data Protection Regulation, as the name implies, is a data protection law that was passed by the EU Parliament in 2016. It gives data protection and privacy control to EU individuals who use your website, and it covers the collection, handling and processing of personal data by your sites. Every business and website needs a careful and thorough analysis of how it handles personal information to be sure it complies with all the requirements of the GDPR.
Who needs to comply with GDPR, and when?
It applies both to EU-based organisations and to organisations based outside the EU that serve EU audiences or track the behaviour of individuals in the EU. The regulation comes into force on 25th May 2018, which means you have to be GDPR ready by 25th May 2018, or your business can be in trouble.
Why is it important for you to consider?
If you serve EU customers and are found non-compliant with these regulations, fines can be up to €20 million or 4% of annual revenue. Non-compliance is simply not worth it for companies of any size.
HOW TO MAKE YOUR MAGENTO STORE GDPR COMPLIANT
Based on the GDPR, we have summarised the actions you can take (with help from Magento B2B Development Services, if needed) to make your e-commerce store GDPR-ready.
1. Add cookie consent & opt-out control for site visitors (the right to restrict processing)
A cookie notification popup needs to be integrated on the site to make your visitors aware that you or a third-party service requires a cookie to work. Site visitors must give consent by accepting before you inject any third-party service on your site. There should be a link to the privacy policy page explaining which third-party services access cookies and for what purpose they were added. Users should have the option to opt out here as well.
2. Checkboxes for customer consent:
To ensure transparency, it is important to have unticked (not pre-ticked) checkboxes on the registration and checkout pages to let customers know that their personal information will be stored for registration and order processing.
3. Privacy & data flow
It is important to track the complete data flow: what data is stored, and where, at each point in the flow. This complete flow should be well explained and kept up to date in your privacy policy and/or terms of use pages, and you should make sure they all comply with GDPR norms. They should state when customer data will be captured, for what purpose it will be used, and whether any third party will access the data and for what reason.
It is advisable to consult a legal firm to get your privacy policy updated to comply with GDPR norms.
4. Legitimate data collection (the right to be informed):
It is important to collect only the user data that is relevant to the functioning of your business; in case of an inspection, your business must be able to justify that the collected data is necessary. It is also crucial to check whether any old data set contains unnecessary, non-obligatory information, which will have to be deleted. This directly affects how Magento handles its quote tables, because a quote stores the user's personal data even if the transaction never completes. Abandoned quotes should be deleted regularly if they are no longer in use. Likewise, visitor log tables should be purged by configuring the log deletion frequency.
5. Customer data can be deleted (the right to erasure):
Customers should have the option to request deletion of their account from the account area, which should remove all associated personal information directly from the database. You have to implement a secure way (email confirmation or similar) for a user to request account deletion, which should delete the data related to their transactions, orders, shipping details, subscription status, etc., so that these details are completely removed from your records.
6. Data portability (the right to access):
The regulation also requires that customers have access to the information stored about them, and such requests must be answered within a month. It is therefore worthwhile to provide an option in the customer account area to extract all information stored about the customer in CSV or another machine-readable format. A feature can be implemented that lets the user download all of their account data stored in the database (put security validation in place here) within the one-month period. The information can include transactions, orders, addresses, personal account info, subscription data, and any data held by third-party extensions.
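As an added illustration of such an export feature (this is not code from the article, from Magento core or from any agency), the following Magento 2 service class gathers a customer's account, address-book and order data through the standard service contracts and returns it as JSON. The `Example\GdprTools` namespace and class name are hypothetical, and it assumes a Magento 2 release running on PHP 8.

```php
<?php
declare(strict_types=1);
namespace Example\GdprTools\Model; // hypothetical module namespace, not a real Magento module
use Magento\Customer\Api\CustomerRepositoryInterface;
use Magento\Framework\Api\SearchCriteriaBuilder;
use Magento\Sales\Api\Data\OrderInterface;
use Magento\Sales\Api\OrderRepositoryInterface;
class PersonalDataExport
{
    public function __construct(
        private CustomerRepositoryInterface $customers,
        private OrderRepositoryInterface $orders,
        private SearchCriteriaBuilder $criteria,
    ) {}
    /** Machine-readable (JSON) dump of what the store holds about one customer. Security validation:
     *  $customerId must come from the logged-in customer session, never from a request parameter. */
    public function toJson(int $customerId): string
    {
        $customer = $this->customers->getById($customerId);
        $data = [
            'exported_at' => date(DATE_ATOM),
            'account' => [
                'email'      => $customer->getEmail(),
                'firstname'  => $customer->getFirstname(),
                'lastname'   => $customer->getLastname(),
                'dob'        => $customer->getDob(),
                'created_at' => $customer->getCreatedAt(),
            ],
            'addresses' => [], 'orders' => [],
        ];
        foreach ($customer->getAddresses() ?? [] as $address) {   // address book entries
            $data['addresses'][] = [
                'street'    => $address->getStreet(),
                'city'      => $address->getCity(),
                'country'   => $address->getCountryId(),
                'telephone' => $address->getTelephone(),
            ];
        }
        // Orders are found through the repository, filtered on the customer_id column.
        $orderList = $this->orders->getList($this->criteria->addFilter(OrderInterface::CUSTOMER_ID, $customerId)->create());
        foreach ($orderList->getItems() as $order) {
            $data['orders'][] = [
                'increment_id' => $order->getIncrementId(),
                'created_at'   => $order->getCreatedAt(),
                'grand_total'  => $order->getGrandTotal(),
            ];
        }
        return json_encode($data, JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR);
    }
}
```

A controller in the customer account area would call `toJson()` with the session's customer ID and send the result as a file download; data held by third-party extensions has to be appended by each extension in the same way.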
7. Ability to remove or anonymise personal data
Your website needs to give customers the ability to delete or anonymise their personal records, orders and quote records in the database by logging into their account. You can, of course, add an additional security layer to verify that the user has authority over the account.
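The following Magento 2 service class is an added example of the erasure and anonymisation described in points 5 and 7; it is not code from the article, from Magento core or from any agency. It assumes orders must be retained for accounting, so it overwrites their personal fields instead of deleting them, deletes the customer's quotes outright, and finally deletes the account. The `Example\GdprTools` namespace and class name are hypothetical, and it assumes a Magento 2 release on PHP 8.

```php
<?php
declare(strict_types=1);
namespace Example\GdprTools\Model; // hypothetical module namespace, not a real Magento module
use Magento\Customer\Api\CustomerRepositoryInterface;
use Magento\Framework\Api\SearchCriteriaBuilder;
use Magento\Quote\Api\CartRepositoryInterface;
use Magento\Sales\Api\Data\OrderAddressInterface;
use Magento\Sales\Api\Data\OrderInterface;
use Magento\Sales\Api\OrderAddressRepositoryInterface;
use Magento\Sales\Api\OrderRepositoryInterface;
class PersonalDataEraser
{
    public function __construct(
        private CustomerRepositoryInterface $customers,
        private OrderRepositoryInterface $orders,
        private OrderAddressRepositoryInterface $orderAddresses,
        private CartRepositoryInterface $quotes,
        private SearchCriteriaBuilder $criteria,
    ) {}
    /** Pseudonymises the customer's orders, deletes their quotes, then deletes the account itself.
     *  Call this only after the request has been confirmed (e.g. via the emailed confirmation link). */
    public function erase(int $customerId): void
    {
        // Assumption: orders are retained for accounting, so only their personal fields are overwritten.
        $orderList = $this->orders->getList($this->criteria->addFilter(OrderInterface::CUSTOMER_ID, $customerId)->create());
        foreach ($orderList->getItems() as $order) {
            $token = 'anon-' . bin2hex(random_bytes(6)); // random placeholder, not derived from the customer
            $order->setCustomerFirstname('Anonymised')->setCustomerLastname($token)
                ->setCustomerEmail($token . '@example.invalid')->setCustomerDob(null)->setCustomerTaxvat(null)
                ->setRemoteIp(null)->setXForwardedFor(null)   // IP addresses are personal data too
                ->setCustomerId(null)->setCustomerIsGuest(1);  // unlink the order from the account
            $this->orders->save($order);
            $addrList = $this->orderAddresses->getList($this->criteria->addFilter(OrderAddressInterface::PARENT_ID, $order->getEntityId())->create());
            foreach ($addrList->getItems() as $address) {
                // City and country are kept for sales statistics; direct identifiers are removed.
                $address->setFirstname('Anonymised')->setLastname($token)->setCompany(null)
                    ->setStreet('removed')->setTelephone(null)->setEmail(null)->setVatId(null);
                $this->orderAddresses->save($address);
            }
        }
        // Quotes (carts) hold personal data even for checkouts that never completed: delete them outright.
        $quoteList = $this->quotes->getList($this->criteria->addFilter('customer_id', $customerId)->create());
        foreach ($quoteList->getItems() as $quote) {
            $this->quotes->delete($quote);
        }
        $this->customers->deleteById($customerId);
    }
}
```

Data kept by third-party extensions in their own tables is not touched by this class and needs an equivalent step per extension.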
8. Data flow (the right to be informed):
It is important to track the complete data flow: what data is stored, and where, at each point in the flow. This complete flow should be well documented, and the privacy document should be updated to justify when and why data is collected from your sites, whether by you or by any third party.
9. Third-party integrations:
While you make sure you comply with the regulation, it is equally important to inspect whether third-party extensions and other integrations also make appropriate use of the data and strictly comply with the regulation.
10. Data encryption & database view/action control
To keep personal data secure, encryption of stored data is highly recommended. Access rights to your data might sound like a trivial concern, but they are a very important aspect to consider: stringent access control rules and rights protect your data from unauthorized access. If the site is operated by several people, individual rights should be set up, and restrictions put in place, so that no one can access individuals' personal data without authorization. The admin back office should be restricted to a limited set of IP addresses and placed on a hard-to-guess, unique server path.
11. Children’s personal data
For businesses catering to children, to give special data protection to children under 16, it is advisable to obtain consent from a parent or guardian by implementing an appropriately designed consent process.
It is all about clarity and process: how individuals' data should be used and treated by online portals in the service and e-commerce industries.
If you have a Magento or Magento 2 store and want our highly skilled team to assist you in making your website GDPR ready, please contact us via email at [email protected] or send us a direct inquiry using our Contact Us form.