Magento 2 GDPR Compliance Requirements || EU Guidelines and Requirements


With the advancement of the IT sector, the amount of data exchanged is increasing exponentially. Almost all organizations use data to improve their services, yet much of it is collected without the permission of the users, and the number of data breaches is increasing as a result. Companies tend to freely exploit and exchange the personal data of their users. The European Union revised its regulations to tackle this problem of data security and privacy; those guidelines are known as the GDPR. Here, we will look at the definition of GDPR, GDPR for Magento 2, and all the rules and regulations surrounding it. Finally, we will see how to fulfill the criteria for Magento 2 GDPR compliance and optimize your Magento 2 store accordingly.

What is GDPR?

GDPR stands for General Data Protection Regulation. It constitutes the rules and guidelines created to tackle the increasing number of data breaches and the misuse of personal data by online organizations. These regulations exist to safeguard the privacy and data security of ordinary citizens across Europe.

GDPR(General data protection regulation)

Laws and Rights Covered Under GDPR

GDPR encompasses the following rights for users:-

The right of Access:-  “The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data, as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully.”    – Source

It protects customers against the misuse of their personal data. They have the right to ask what personal data you are collecting, how you are collecting it, how it will be used, with whom it is shared, and much more.

The right to be Informed:-  “Individuals have the right to be informed about the collection and use of their personal data; You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with.”  – Source

Customers must be informed at all times about the use of their personal data. This can be achieved by providing Privacy agreements, Terms & Conditions, etc. All the necessary information should be listed in clear and concise language. 

The right to Erasure:-  “Under Article 17 of the UK GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.”  – Source

Every customer has the right to have any personal data a business has collected about them erased. They can request that you completely erase their personal data, and you are required to comply under the regulation.

The right to Object:-  “Individuals have the absolute right to object to the processing of their personal data if it is for direct marketing purposes. Individuals can also object if the processing is for: a task carried out in the public interest; the exercise of official authority vested in you; or.”  – Source

Customers have the right to object at any time to the processing of personal data collected by stores. However, they must provide proper reasons and explanations. This does not mean you have to delete all of their personal data; you can retain certain information as the guidelines permit.

The right to Restrict Processing:-  “What is the right to restrict processing? Article 18 of the UK GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organization uses their data.”  – Source

The right to restrict processing gives customers the right to limit how businesses process their personal data, subject to legitimate conditions.

The right to Data Portability:-  “The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.”  – Source

Whenever a customer requests a copy of the personal data collected on your store, you ought to provide them with the information within a limited number of days. So it is crucial that your store has a data portability feature in place.

The right to Rectification:-  “An individual can make a request for rectification verbally or in writing. You have one calendar month to respond to a request. In certain circumstances, you can refuse a request for rectification.”  – Source

If a customer believes that you have collected incorrect personal data about them, they have the right to request rectification. However, they should be able to provide valid arguments and evidence to support the request.

How to Make your Magento 2 Store GDPR Compliant?

Making a Magento 2 store GDPR compliant varies from store to store. GDPR is not a fixed checklist you can copy but a discipline: you will have to optimize your own store to fulfill all of its criteria. With that in mind, we have listed some crucial steps that will take you most of the way toward adhering to the GDPR guidelines.

1. Ensure All of Your Tracking Is in One Place Such as GTM (Google Tag Manager)


If your Magento 2 store has several tracking scripts implemented, we suggest you keep them all in one place such as GTM. It will reduce the work of implementing the GDPR guidelines: GDPR requires you to obtain the consent of every user before tracking and collecting their personal data, so if everything is managed centrally, your tracking can fire from GTM as soon as the user gives consent. Tracking scattered across the site means adding consent checks in several places, which can be a hassle. If you want, you can check out our Enhanced Ecommerce Tracking Extension, which implements all the tracking directly from GTM. Below are the links for both Magento 1 and Magento 2 versions of this extension.

2. Provide a Cookie Consent Toolbar on Frontend


The very first step towards implementing GDPR is obtaining the consent of the users. Whenever a user visits your store they should be given the option to accept or deny cookies. This is easily implemented with a cookie consent toolbar in either the header or footer of your Magento 2 store. Only once a user accepts a given category of cookies should you track and collect the corresponding information. For instance, if the user accepts third-party cookies, you can then fire your GTM tracking safely.
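The consent gating described in steps 1 and 2, as an added example that is not part of the original post or of any extension: the toolbar records per-category consent in a cookie (the cookie name, category names and event names are assumptions), and tracking events are pushed to the GTM dataLayer only for categories the visitor has accepted.

```javascript
// Added example: cookie-consent helper that gates GTM dataLayer pushes on recorded consent.
const CONSENT_COOKIE = "gdpr_consent";                  // assumed cookie name
const CATEGORIES = ["necessary", "analytics", "marketing"]; // assumed category names

// Parse document.cookie (e.g. "PHPSESSID=abc; gdpr_consent=analytics%2Cmarketing")
// into the set of accepted categories. Strictly necessary cookies need no opt-in.
function parseConsent(cookieString) {
  const accepted = new Set(["necessary"]);
  for (const part of cookieString.split(";")) {
    const [name, value = ""] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    for (const cat of decodeURIComponent(value).split(",")) {
      if (CATEGORIES.includes(cat)) accepted.add(cat);   // ignore unknown values
    }
  }
  return accepted;
}

// Build the cookie string the toolbar writes when the visitor clicks Accept.
// Consent is stored for 180 days (assumed retention) and only sent over HTTPS.
function buildConsentCookie(acceptedList, maxAgeSeconds = 180 * 24 * 3600) {
  const cats = CATEGORIES.filter((c) => c !== "necessary" && acceptedList.includes(c));
  return `${CONSENT_COOKIE}=${encodeURIComponent(cats.join(","))}` +
    `; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}

// Push a tracking event only when its category was consented to. Returns true if pushed.
function pushIfConsented(dataLayer, accepted, category, eventName) {
  if (!accepted.has(category)) return false;
  dataLayer.push({ event: eventName, consentCategory: category });
  return true;
}

// Announce the consent state as a single event so GTM triggers can fire tags right after Accept.
function announceConsent(dataLayer, accepted) {
  const payload = { event: "consent_update" };
  for (const c of CATEGORIES) payload["consent_" + c] = accepted.has(c) ? "granted" : "denied";
  dataLayer.push(payload);
  return payload;
}

// Browser usage: read consent on page load and gate an analytics page_view on it.
if (typeof document !== "undefined") {
  window.dataLayer = window.dataLayer || [];
  const accepted = parseConsent(document.cookie);
  announceConsent(window.dataLayer, accepted);
  pushIfConsented(window.dataLayer, accepted, "analytics", "page_view");
}
```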

3. Give Users the Option to Anonymize or Delete their Personal Data


As covered under the GDPR rights above, users should be able to delete or anonymize their personal data held by your store. If a user requests that you delete their data, your store should no longer contain any personal data associated with that user. Out of the box, Magento 2 does not let you delete or anonymize the personal data of users, so you will need to implement this feature on your Magento 2 store. Also, all personal data that is no longer being used by the store needs to be anonymized in the database.

4. Update and Include Privacy Policy Consent on Each and Every Form

Revise the Terms & Conditions or privacy policy consent on your Magento 2 store in line with GDPR. It should cover what data is being collected, why it is being collected, how it will be used, where it will be stored, who has access to this information, and more. Also, make sure to include the privacy policy consent on every form on your Magento 2 store where the personal data of a user is recorded. It is crucial to have the permission of the user before you collect their personal data. In this way you fulfill one of the key requirements of GDPR for Magento 2.

5. Provide Users Full Access to Their Personal Data Recorded on Your Store 

As per GDPR guidelines, if a customer requests the personal data held in your store, you must be able to provide them with all of it, even though it may be stored in several places in your database. Also, you are not allowed to charge any additional fee for providing this data. Make sure to extract and provide all the personal data within 30 days of a user’s request.

6. Regular Security tests and Penetration Testing Should be Performed on the Store

Perform security checks and penetration testing at least once every 3 to 6 months. This will help you discover and patch any vulnerabilities that arise, keeping your store safe from security risks such as data breaches. Restrict access to the admin panel to as few members of your team as possible and implement restrictions based on IP address, so that only people whose IP addresses are whitelisted can reach the admin panel. You can perform a basic security test HERE. Add the below code to your .htaccess file to implement the whitelist IP feature (the admin path must match your store’s admin front name, and one RewriteCond line is needed per allowed address):-

# Match requests for the admin path (with or without the index.php prefix)
RewriteCond %{REQUEST_URI} ^/(index\.php/)?admin/ [NC]
# Replace 1.1.1.1 with your allowed address; the trailing $ prevents 1.1.1.10 from matching
RewriteCond %{REMOTE_ADDR} !^1\.1\.1\.1$
# Any other visitor is sent back to the store home page
RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]

7. Encrypt All Personal Data on Database Level

Implement encryption of personal data at the database level. Identify all the tables that contain the personal data of users and encrypt that data. Please refer to the link below to learn how to implement encryption at the database level.

https://dev.mysql.com/doc/refman/5.7/en/innodb-data-encryption.html

8. Provide Users the Ability to Opt-out of Subscriptions, if any on Your Store

If your store has any subscription feature, you must allow users to opt out whenever they want. Also, any emails sent from the store, such as marketing emails, should contain an option to unsubscribe from them. Don’t forget to always record the consent of the user whenever they subscribe to a certain feature.

Luckily, we have built an extension that implements most of the points on this list. However, please keep in mind every store is different hence GDPR can only be fully implemented as per each store’s features and functionalities. So always perform detailed checks before being sure that your store is GDPR compliant. Check out one of our best-selling extensions Magento 2 GDPR Compliance: Anonymisation of order data. It is fully compatible with Hyva Theme and Breeze Theme. This extension implements various features in accordance with GDPR requirements. It is also the Magento Extension winner for 2019. Learn more about the extension by clicking on the link above and get a free demo for yourself. 
