How to Make Your Magento Store GDPR Compliant

Posted by Abhishek Jain on Jul 9, 2018 12:15:21 PM

Conceived in 2012 and adopted in 2016, the General Data Protection Regulation (GDPR) is all about the protection of EU consumers’ data. Although most online sellers and retailers have updated their sites to comply with the eight rights, the few who are still knee-deep in pending development and documentation are pushing hard to get their acts together, as the deadline to conform, 25 May 2018, has already passed.

What GDPR entails

The General Data Protection Regulation is crafted with the individual at its center. Its focus is to ensure that an individual does not become the victim of unfair business practices; accordingly, the GDPR rules are for companies to follow. Here is a brief list of what it entails for a business.

      ο It applies to every website that offers a product or service to EU customers
      ο The basic requirement is to get explicit consent from data subjects before capturing their data
      ο Where there is a legal basis such as fulfilment of the service, you may capture the following personal data without consent:
           • Name
           • Address
           • Email address
           • Bank details (while making a purchase)
      ο Under no circumstances may you capture sensitive information such as:
           • Social standing
           • Psychological patterns
           • Cultural inclination
      ο You have to clearly state:
           • Why you want the data
           • How you will store the data
           • How you will process the data
           • Whether you will share the data with a third-party vendor
           • How long you will retain the data
      ο You have to delete the data once the process for which it was captured is over
      ο When an individual requests the raw data you hold about her, you have to share it
      ο An individual can delete her data from your records

In case of non-adherence, the penalty is 2% to 4% of annual global turnover or 20 million Euro.

Why an e-commerce firm should care

As data is the lifeblood of any e-commerce business, it may seem that such rigidity has fallen too hard on e-commerce organizations, but in reality the policies have only cleansed the relationship between a business and its customers. Whether to manage operations, marketing, or to understand customers, e-commerce brands rely on systems like CRM, EDM, and BPA. These systems are fuelled by the customer data pulled from CDPs. So far the brands have used that data to run automated systems and to strike up personalized, targeted communication with customers easily. GDPR only instructs the brands to do it responsibly. Under GDPR, e-commerce brands can still talk to their customers, still send them promotional emails, or present them a targeted ad, but only if the customers have chosen to accept them. In addition, to reinforce transparency in the customer-brand relationship, GDPR asks brands to allow full access to the raw data of an individual. This includes anything and everything that falls under the purview of identifiability, whether it is name, email address or location as stated in Article 4, or cookies that help in IP tracking, as elaborated in Recital 30. The latter has not only brought a major change in the way e-commerce brands work with cookies but also acts as a mop to sweep out the bad actors of advertising who have spawned behind the veil of ad networks and affiliate networks.

How to be GDPR compliant

To be compliant with the GDPR, an ecommerce player needs to keep the following in mind:

Smoke the data security system

      ο The security system should be robust; in case of any breach, it must be reported within 72 hours

Take cognizance of sensitive data

      ο Sensitive data should always be captured against explicit consent

Design the system to protect data

      ο Customers’ data should always be anonymized and pseudonymized

Bring IT and marketing together

      ο Both teams need to work together on customized IT solutions

Train your staff

      ο Every member of an organization should be trained on GDPR, including customer relations and data entry operators

Introduce tool driven privacy

      ο Evaluate and partner with service providers offering anonymization and pseudonymization service

Work with GDPR compliant third-party vendors

      ο Third-party vendors such as CRM providers, email marketers, PR agencies and marketing agencies must themselves be GDPR compliant

Data Protection Officer (DPO)

      ο Introduce a Data Protection Officer as a role responsible for ensuring GDPR compliance

How Magento supports

Magento store owners are covered to a great extent, as Magento itself is pre-ready for the GDPR. Magento has released documentation to help store owners like you understand how and what type of personal information is stored in the Magento Commerce application. In the near future, Magento also intends to update its policy, implement database-level encryption and fortify data security. As of now, Magento stores information only on the shopping cart, currently compared products, comparison history, recently viewed products, and customer group membership and segmentation. However, you can turn these features off at the store level and anonymize the data.

With the newly made available features on Magento store, the following actions will keep your store GDPR compliant:

Move all tracking to Google Tag Manager (GTM)

      ο Helps in turning the tracking on or off at the click of a button

Add cookie compliance toolbar

      ο The toolbar will inform what information will get tracked
      ο The toolbar will inform if third-party vendors will access the information
      ο The toolbar should not be checked by default

Allow an individual to remove data

      ο Individual can view her stored data in raw form
      ο Individual can delete her data without going through a complicated process

Individual to opt-out of subscription

      ο Individuals should expressly opt in to email subscriptions
      ο Individuals should be able to opt out of a subscription without going through a complicated process
      ο Opt-out link should be:
           • On emails
           • At the footer of each page

Personal data anonymization

      ο Data should be stored in anonymized form
      ο A set of data that identifies an individual shouldn’t be stored in one table

Security test

      ο Penetration tests and vulnerability scans should be scheduled every quarter or every six months
      ο Tests and scans reaffirm the status of the data
      ο Tests and scans expose any malicious attempts or threats
      ο Introduce internal security:
           • Restrict access to the database for all users
           • Whitelist IP addresses to define who may access it
           • Use the following snippet to restrict access

Update CMS pages

      ο Update the privacy and terms-and-conditions pages with GDPR-compliant policies
      ο Update them with the following information:
           • Who is collecting the information
           • How the information is collected
           • What type of data is collected
           • Who the data will be shared with
           • Why the data will be shared
           • How long the data will be retained

Access data

      ο Individual should have access to her data
      ο Individual can ask for the raw data stored about her
      ο The company must respond to the request within 30 days
      ο The company can run a query to get the data quickly from:
           • Quote address
           • Order address
           • Customer address
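The three address tables listed above are where a subject access request and an erasure request both have to look, and a guest checkout is the edge case: it has no customer id and is findable only by e-mail. The following is an added example, not code from the original post and not Magento's own code, that serves the "Allow an individual to remove data", "Personal data anonymization" and "Access data" points together. The table and column names are an assumed, much reduced subset of the Magento 2 schema (customer_entity, customer_address_entity, quote_address, sales_order_address), the rows are constructed sample data, and the per-store salt is a placeholder.

```python
import hashlib
import sqlite3

# Assumed, reduced subset of the Magento 2 schema (the real tables have many more columns).
SCHEMA = """
CREATE TABLE customer_entity (
    entity_id INTEGER PRIMARY KEY, email TEXT, firstname TEXT, lastname TEXT);
CREATE TABLE customer_address_entity (
    entity_id INTEGER PRIMARY KEY, parent_id INTEGER, street TEXT, city TEXT, telephone TEXT);
CREATE TABLE quote_address (
    address_id INTEGER PRIMARY KEY, customer_id INTEGER, email TEXT,
    street TEXT, city TEXT, telephone TEXT);
CREATE TABLE sales_order_address (
    entity_id INTEGER PRIMARY KEY, customer_id INTEGER, email TEXT,
    firstname TEXT, lastname TEXT, street TEXT, city TEXT, telephone TEXT);
"""

# Constructed rows: customer 7 has a saved address, an open quote, one order placed
# while logged in and one earlier guest order that carries only her e-mail
# (customer_id is NULL for guest checkouts). Row 22 belongs to somebody else.
SAMPLE_ROWS = {
    "customer_entity": [(7, "anna@example.com", "Anna", "Example")],
    "customer_address_entity": [(1, 7, "1 Sample Street", "Sampletown", "+00 000 0000")],
    "quote_address": [(10, 7, "anna@example.com", "1 Sample Street", "Sampletown", "+00 000 0000")],
    "sales_order_address": [
        (20, 7, "anna@example.com", "Anna", "Example", "1 Sample Street", "Sampletown", "+00 000 0000"),
        (21, None, "anna@example.com", "Anna", "Example", "2 Old Road", "Sampletown", "+00 000 0000"),
        (22, None, "someone.else@example.com", "Bo", "Other", "9 Other Way", "Elsewhere", "+00 111 1111"),
    ],
}

# Per table: (column linking to the customer id, e-mail column or None, other identifying columns).
# These constants are the only things interpolated into SQL; user input goes through parameters.
TABLE_INFO = {
    "customer_entity": ("entity_id", "email", ["firstname", "lastname"]),
    "customer_address_entity": ("parent_id", None, ["street", "city", "telephone"]),
    "quote_address": ("customer_id", "email", ["street", "city", "telephone"]),
    "sales_order_address": ("customer_id", "email", ["firstname", "lastname", "street", "city", "telephone"]),
}


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the store database, filled with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


def _lookup_customer_id(conn, email):
    row = conn.execute("SELECT entity_id FROM customer_entity WHERE email = ?", (email,)).fetchone()
    return row["entity_id"] if row else None


def _match_clause(table, customer_id, email):
    """WHERE fragment matching rows by customer id OR by e-mail, so guest orders (no
    customer id) are found too. Returns (sql, params); sql is empty when this table
    cannot be matched for the subject at all (e.g. unknown customer, table has no e-mail)."""
    id_col, email_col, _ = TABLE_INFO[table]
    clauses, params = [], []
    if customer_id is not None:
        clauses.append(f"{id_col} = ?")
        params.append(customer_id)
    if email_col is not None:
        clauses.append(f"{email_col} = ?")
        params.append(email)
    return " OR ".join(clauses), params


def export_personal_data(conn, email):
    """Subject access request: every row held about this e-mail address, keyed by table."""
    customer_id = _lookup_customer_id(conn, email)
    result = {}
    for table in TABLE_INFO:
        where, params = _match_clause(table, customer_id, email)
        rows = conn.execute(f"SELECT * FROM {table} WHERE {where}", params).fetchall() if where else []
        result[table] = [dict(r) for r in rows]
    return result


def pseudonymize(conn, email, salt: bytes) -> int:
    """Erasure request: overwrite identifying fields with a keyed token so the order
    history stays intact for bookkeeping but can no longer be linked back to the
    person. Returns the number of rows rewritten."""
    token = hashlib.sha256(salt + email.lower().encode()).hexdigest()[:16]
    customer_id = _lookup_customer_id(conn, email)
    rewritten = 0
    for table, (_, email_col, pii_cols) in TABLE_INFO.items():
        where, params = _match_clause(table, customer_id, email)
        if not where:
            continue
        assignments = [f"{col} = 'REDACTED'" for col in pii_cols]
        set_params = []
        if email_col is not None:
            assignments.append(f"{email_col} = ?")
            set_params.append(f"{token}@anonymized.invalid")
        sql = f"UPDATE {table} SET {', '.join(assignments)} WHERE {where}"
        rewritten += conn.execute(sql, set_params + params).rowcount
    conn.commit()
    return rewritten


if __name__ == "__main__":
    db = build_sample_db()
    print({t: len(rows) for t, rows in export_personal_data(db, "anna@example.com").items()})
    print("rows pseudonymised:", pseudonymize(db, "anna@example.com", b"PLACEHOLDER-per-store-salt"))
    print({t: len(rows) for t, rows in export_personal_data(db, "anna@example.com").items()})
```

The export deliberately matches on e-mail as well as customer id so the guest order is returned in the access request and rewritten in the erasure; matching only on customer id would silently leave that row identifiable. Erasure here is pseudonymisation rather than deletion, so order rows still exist for accounting but carry a salted token in place of the address, which is the "anonymized or pseudonymized" state the post describes.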

Consent and privacy

      ο The contact collection form must have an unticked checkbox for the individual to express her explicit consent
      ο The privacy policy must be updated with information on the data collection process, data usage, data sharing and data retention
      ο Information must be presented in clear and easy-to-understand language
      ο The company must keep a record of when and how consent was received

Security through encryption

      ο Data must remain in encrypted form at the database level, using the reference from the link

The initial storm has passed. By now you’ve gained clarity on how your third-party extensions use customer data, you’ve been asking your customers for explicit consent before placing your cookie, you’ve either anonymized or pseudonymized your customer data and given your customers control and their rights. But your tasks don’t stop there. You need to stay constantly on top of this to make sure that your site adheres to the current policies. You certainly don’t want to get penalized after a back-breaking exercise to get your site compliant. Download our checklist and see for yourself whether your site is still GDPR compliant or a few nuts and bolts still need a little tightening.

Tags: eCommerce, Magento
