GDPR Magento guide

What do I need to do right now to be GDPR compliant? Read this actionable guide with links, references and Magento GDPR extensions available right now. Feel free to add to the topic any time.

GDPR In a nutshell

GDPR comes into effect on 25 May this year. Fines for organisations run up to 4% of their annual turnover, personal data is anything that can be related to your customer, everyone is affected, and so on. You know this already. Here’s how to prepare your Magento store for GDPR.

GDPR ensures the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

Even though GDPR still looks “open” to interpretation, the fines are NOT, and the GDPR governing body doesn’t care how big or small your organisation is.

I’ve managed to gather a list of what is commonly used by merchants at the moment. Let’s dive in.

Marketing and Analytics data profiling

Whether you are sending data back to your software or to a third party, customers need to know about that.

Action item(s):

–  Move all marketing and analytics tracking to Google Tag Manager – this way you have only one place to turn off tracking for the customer

–  Cookie consent toolbar

–  Information about the data being gathered must be provided

–  List all the types of data you are collecting

–  Display the message across the site and enable customers to consent with gathering their data

–  Newsletter sign-up, checkout pages etc. must list the specific data collected before the customer opts in

Ability for customers to remove and anonymise data on request

Action items:

–  All personal details from “My Account” area must be deleted

–  Orders, invoices and other purchase history data that the merchant has to keep get anonymised by the merchant

–  Anonymisation should happen automatically after customer deletes their data

–  For users without a registered account, the merchant provides anonymisation of their purchase history data

Personal data Anonymisation

All data that is not essential for fulfilment has to be anonymised. This affects every server you store data on. Don’t forget your development servers, staging servers etc. Make sure you have updated the contract with your outsourced muscle and brain to comply with GDPR regulations.

Action items:

–  Anonymise LIVE, development and staging server data

–  Anonymise data used by your outsourced agency as well
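As an added example (not code from the post or from any of the extensions listed), the anonymisation step from the two sections above applied to order data, the same routine you would run against the live, development and staging copies alike. The table and column names follow Magento 2’s sales_order and sales_order_address, reduced to a sqlite3 stand-in with constructed sample rows; the real tables, and the grid, invoice, shipment and quote tables, carry many more personal-data columns that need the same treatment.

```python
import sqlite3

# Reduced stand-in for Magento 2's sales_order and sales_order_address tables (assumption:
# only the personal-data columns matter here; the real tables, plus the *_grid, invoice,
# shipment and quote tables, hold many more columns that need the same treatment).
SCHEMA = """
CREATE TABLE sales_order (
    entity_id INTEGER PRIMARY KEY, increment_id TEXT, customer_id INTEGER,
    customer_email TEXT, customer_firstname TEXT, customer_lastname TEXT, grand_total REAL);
CREATE TABLE sales_order_address (
    entity_id INTEGER PRIMARY KEY, parent_id INTEGER, firstname TEXT, lastname TEXT,
    email TEXT, telephone TEXT, street TEXT, city TEXT, postcode TEXT, country_id TEXT);
"""


def anonymise_customer_orders(conn, customer_email):
    """Overwrite personal data on every order placed with customer_email (guest orders too,
    which have no customer_id), keeping reporting fields such as grand_total and
    country_id intact. Returns the number of orders anonymised."""
    cur = conn.cursor()
    order_ids = [row[0] for row in cur.execute(
        "SELECT entity_id FROM sales_order WHERE customer_email = ?", (customer_email,))]
    for oid in order_ids:
        # Placeholders derive from the order id only, so nothing about the person survives.
        placeholder = f"anonymised-{oid}@example.invalid"
        cur.execute("UPDATE sales_order SET customer_id = NULL, customer_email = ?, "
                    "customer_firstname = 'Anonymised', customer_lastname = 'Customer' "
                    "WHERE entity_id = ?", (placeholder, oid))
        cur.execute("UPDATE sales_order_address SET firstname = 'Anonymised', "
                    "lastname = 'Customer', email = ?, telephone = '', street = '', "
                    "city = '', postcode = '' WHERE parent_id = ?", (placeholder, oid))
    conn.commit()
    return len(order_ids)


def demo():  # constructed sample data: one registered customer with two orders, one guest
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sales_order VALUES (?,?,?,?,?,?,?)", [
        (1, "000000001", 7, "jane@example.com", "Jane", "Doe", 49.90),
        (2, "000000002", 7, "jane@example.com", "Jane", "Doe", 12.00),
        (3, "000000003", None, "guest@example.com", "Guest", "Buyer", 5.00)])
    conn.executemany("INSERT INTO sales_order_address VALUES (?,?,?,?,?,?,?,?,?,?)", [
        (1, 1, "Jane", "Doe", "jane@example.com", "+371 20000000", "1 High St", "Riga", "LV-1010", "LV"),
        (2, 3, "Guest", "Buyer", "guest@example.com", "", "2 Low St", "Riga", "LV-1011", "LV")])
    count = anonymise_customer_orders(conn, "jane@example.com")
    orders = conn.execute("SELECT customer_email, customer_firstname, grand_total "
                          "FROM sales_order ORDER BY entity_id").fetchall()
    address = conn.execute("SELECT email, street, country_id FROM sales_order_address "
                           "WHERE parent_id = 1").fetchone()
    return count, orders, address
```

Run against a real store this needs to be repeated for every table holding the customer’s data, which is exactly why the data mapping docs linked at the end of this guide matter.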

Security

It is the merchant’s responsibility to ensure there are no security vulnerabilities on their store. Consult your hosting company about this, as well as your sysadmin department.

Action items:

–  Sites like magereport.com can help reveal security flaws

–  Make sure the admin area is restricted to specific IP addresses or accessed over a VPN

–  Keep your store and extensions regularly updated

–  Access to the database should also be secured

Communicate GDPR compliance to the customer

Update your customer service pages with GDPR-compliant, useful information.
Make it clear how you are protecting customers’ data and what options they have.

Action items:

–  What kind of data you are collecting

–  Who is collecting it (include third parties also)

–  How the data is collected

–  How the data is used within your company

–  Who it is shared with, if applicable

–  How this affects the customer

–  Whether the use of the data can give rise to complaints from the customer

Customer Data Access

Provide the ability to export all customer data that you hold in the store. Apart from the standard Magento database tables, remember to include data stored by additional custom or third-party extensions.

Action items:

–  Explore additional tables used by custom or third-party extensions

–  Use the Magento 2 or Magento 1 data mapping docs to navigate the tables

–  Make it possible to export the data within 30 days of the request without additional charge

Thankfully, you don’t have to go through all of these from scratch. I’ve provided a list of useful resources that should give you a quick start.

Magento Inc. has provided a GDPR-related overview of all user data stored within the database:

magento.com/gdpr

devdocs.magento.com/guides/v2.2/architecture/gdpr/magento-2x.html

GDPR extensions for Magento 2 Commerce and Magento Open Source that are available right now:

github.com/flurrybox/enhanced-privacy – by Magebit.com – FREE

www.scommerce-mage.com/magento2-gdpr-compliance.html – by Scommerce Mage – PAID

marketplace.magento.com/zero1-gdpr.html – by ZERO 1 – PAID

github.com/AdfabConnect/magento2gdpr – by AdFab – FREE

Upcoming:

GDPR for Magento 2 – by Aheadworks