The GDPR was approved by the EU Parliament in April 2016. The regulation was due to take effect two years after it was approved, meaning it is in force from May 2018.
The GDPR applies to organisations located within and outside the EU, especially organisations that store personal data of EU citizens within their data centres.
Organisations can be fined up to 4% of their annual turnover for not being compliant with GDPR. The maximum fine could be €20 million if that is less than 4% of their annual turnover.
Any information which can be used to directly or indirectly identify a person. It can be anything from a name, address, photo, phone number, email address, bank details, posts on social networking sites, medical records, or an IP address.
You have to be compliant regardless of the size of your company, especially if you hold or process personal data of EU citizens.
A controller holds the data and determines the purpose and the means of processing personal data, whereas a processor is responsible for processing personal data on behalf of a controller.
The short answer is 'YES', especially when the organisation offers online services to children. There are some exceptions, but they won't apply to online businesses.
The GDPR provides the following rights for individuals:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling
For more information, see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

If you have a Magento site and you want our Magento certified team to assess your website from a GDPR point of view, please contact us via email at

core@scommerce-mage.com
or send us an enquiry using our contact us form.

Your Magento GDPR checklist

We have come up with the list of things you have to do to make your Magento site GDPR compliant.

This makes everything easier for you with regard to GDPR because all your tracking will run from one place: once the customer has given consent on your website to the use of third-party cookies, you just need to switch on GTM to run all your tracking. Otherwise you might need to change several places in your code to make sure all tracking is disabled until you get consent from your customers for the use of third-party cookies.

Enhanced Tracking with Google Tag Manager

Magento 1
Magento 2

This toolbar is going to let your customers know that you have additional third-party services in place, for example Google Analytics, that require cookies to work. The customer must give consent by clicking the accept button before you enable any third-party tracking on your website. We recommend configuring this to work with Google Tag Manager, as already mentioned in Step 1, so that third-party services only run once consent has been gathered from the customer.

You need to give customers the ability to delete or anonymise their personal records in the Magento database by logging into the My Account section of the website.

You need to give customers the ability to opt out of any subscription by logging into the My Account section of the website. Also make sure any email you send to your customers has an option for them to opt out of your subscription list. Also capture explicit opt-ins, which means no pre-checked boxes and no fine print.

Make sure any data which is not being used, especially data which is not required for fulfilment purposes, is anonymised in the database, for example the personal data stored in the quote table.

Make sure you have provision in place to perform vulnerability scans and penetration testing. Our recommendation is to perform a vulnerability scan at least quarterly and a penetration test at least every six months. You can also use this link to test your Magento site for easy-to-spot security issues: https://www.magereport.com/. You can also whitelist certain IP addresses so that only authorised users can access the admin panel. Here is a code snippet which you could add to .htaccess (Magento's shipped .htaccess already enables the rewrite engine):
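As an added example (not part of the original checklist), the following MySQL statements anonymise the personal data left behind in abandoned quotes. It assumes Magento 2 table and column names (quote, quote_address, sales_order); the 90-day cut-off and the placeholder values are assumptions to adjust, and the final SELECT is a sanity check to run before committing.

```sql
-- Added example, not from the original checklist. Assumes Magento 2 schema;
-- the 90-day threshold and 'anonymised' placeholders are assumptions.
-- Quotes that never became an order and have been idle for more than 90 days.
CREATE TEMPORARY TABLE tmp_stale_quote AS
SELECT q.entity_id
FROM quote q
LEFT JOIN sales_order o ON o.quote_id = q.entity_id
WHERE o.entity_id IS NULL
  AND q.updated_at < NOW() - INTERVAL 90 DAY;

START TRANSACTION;

-- Strip identifying fields from the quote header.
UPDATE quote q
JOIN tmp_stale_quote s ON s.entity_id = q.entity_id
SET q.customer_email      = CONCAT('anon-', q.entity_id, '@example.invalid'),
    q.customer_firstname  = 'anonymised',
    q.customer_lastname   = 'anonymised',
    q.customer_middlename = NULL,
    q.customer_dob        = NULL,
    q.remote_ip           = NULL;

-- ...and from every billing/shipping address attached to those quotes.
UPDATE quote_address a
JOIN tmp_stale_quote s ON s.entity_id = a.quote_id
SET a.email     = CONCAT('anon-', a.quote_id, '@example.invalid'),
    a.firstname = 'anonymised',
    a.lastname  = 'anonymised',
    a.company   = NULL,
    a.street    = 'anonymised',
    a.telephone = NULL,
    a.fax       = NULL,
    a.postcode  = NULL;

-- Sanity check before committing: no stale quote address should still carry a real e-mail.
SELECT COUNT(*) AS remaining
FROM quote_address a
JOIN tmp_stale_quote s ON s.entity_id = a.quote_id
WHERE a.email NOT LIKE 'anon-%';

COMMIT;
DROP TEMPORARY TABLE tmp_stale_quote;
```

The UPDATEs are irreversible, so run them against a restored backup first and schedule them (for example via cron) so the quote table does not accumulate personal data again.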

# Replace 1.1.1.1 with each permitted address (one RewriteCond line per address).
# The trailing $ anchors the match so that 1.1.1.10 etc. are not allowed by accident.
# Adjust "admin" if your admin path (frontName) has been customised.
RewriteCond %{REQUEST_URI} ^/(index.php/)?admin/ [NC]
RewriteCond %{REMOTE_ADDR} !^1\.1\.1\.1$
RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]

Make sure your privacy policy and terms & conditions pages are updated with GDPR compliance information. Here is the list of things you need to consider and answer:

  • What information is being collected?
  • Who is collecting it?
  • How is it collected?
  • Why is it being collected?
  • How will it be used?
  • Who will it be shared with?
  • What will be the effect of this on the individuals concerned?
  • Is the intended use likely to cause individuals to object or complain?
  • Clear data retention policy statement

Under GDPR, individuals have the full right to ask for their personal data, and this needs to be a full copy of the data, which could be sitting in several tables in your Magento database. Here is the list of Magento tables where personal data could be stored:

  • Quote
  • Quote Address
  • Order
  • Order Address
  • Customer
  • Customer Address
  • Newsletter
You need to make sure you have provision to extract this data from your database within 30 days of a request, and this should be free of charge; you can't ask for a fee, especially when it is the customer's first request.
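As an added example (not part of the original checklist), this MySQL query gathers every row holding personal data for one data subject from the seven tables listed above. It assumes Magento 2 table and column names (customer_entity, customer_address_entity, sales_order, sales_order_address, quote, quote_address, newsletter_subscriber) and a constructed sample e-mail address; order and quote addresses are matched by the parent record as well as by e-mail so that addresses entered with a different e-mail are not missed.

```sql
-- Added example, not from the original checklist. Assumes Magento 2 schema.
-- Constructed sample requester; set this to the real data subject's e-mail.
SET @subject := 'jane.doe@example.com';

SELECT 'customer' AS source, entity_id AS id, email, firstname, lastname,
       NULL AS street, NULL AS telephone
FROM customer_entity WHERE email = @subject
UNION ALL
SELECT 'customer_address', ca.entity_id, c.email, ca.firstname, ca.lastname,
       ca.street, ca.telephone
FROM customer_address_entity ca
JOIN customer_entity c ON c.entity_id = ca.parent_id
WHERE c.email = @subject
UNION ALL
SELECT 'order', entity_id, customer_email, customer_firstname, customer_lastname,
       NULL, NULL
FROM sales_order WHERE customer_email = @subject
UNION ALL
-- Match on the parent order OR the address's own e-mail, in case they differ.
SELECT 'order_address', oa.entity_id, oa.email, oa.firstname, oa.lastname,
       oa.street, oa.telephone
FROM sales_order_address oa
JOIN sales_order o ON o.entity_id = oa.parent_id
WHERE o.customer_email = @subject OR oa.email = @subject
UNION ALL
SELECT 'quote', entity_id, customer_email, customer_firstname, customer_lastname,
       NULL, NULL
FROM quote WHERE customer_email = @subject
UNION ALL
SELECT 'quote_address', qa.address_id, qa.email, qa.firstname, qa.lastname,
       qa.street, qa.telephone
FROM quote_address qa
JOIN quote q ON q.entity_id = qa.quote_id
WHERE q.customer_email = @subject OR qa.email = @subject
UNION ALL
SELECT 'newsletter', subscriber_id, subscriber_email, NULL, NULL, NULL, NULL
FROM newsletter_subscriber WHERE subscriber_email = @subject
ORDER BY source, id;
```

Export the result (for example with SELECT ... INTO OUTFILE or your client's CSV export) and extend the UNION with any custom tables or third-party extensions that also store customer data.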

To make your site fully GDPR compliant, you need to ensure you ask for clear consent and make sure those consents are being recorded with who, when and how. Please see below a few guidelines about consent:

  • A consent checkbox needs to be there wherever you are collecting personal information, for example checkout, registration, contact us etc.
  • Your privacy policy should be in clear, plain language that is easy to understand.
  • Specify your organisation and any third-party controllers who will be relying on the consent on your privacy policy page.
  • Clearly specify why you want the data and what you are going to do with it.
  • Make sure you don't use pre-ticked boxes or any other type of default consent.
  • You need to make the request for consent prominent and separate from your general terms and conditions.
  • You need to keep a record of when and how the consent was given by the individual.
  • You need to keep a record of what individuals were told when they gave the consent.
  • You need to give them the option to withdraw consent.
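As an added example (not part of the original checklist or of any Magento extension), here is a minimal consent log in MySQL that records who consented, when, how (which form), the exact wording shown, and later withdrawals, followed by the query that derives the current status. The table name, columns and sample rows are all constructed for this example.

```sql
-- Added example; gdpr_consent_log is an assumed custom table, not a Magento table.
CREATE TABLE IF NOT EXISTS gdpr_consent_log (
  log_id        BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  subject_email VARCHAR(255) NOT NULL,              -- who
  customer_id   INT UNSIGNED NULL,                  -- set for logged-in customers
  purpose       VARCHAR(64)  NOT NULL,              -- e.g. 'newsletter', 'third_party_cookies'
  action        ENUM('granted','withdrawn') NOT NULL,
  source_form   VARCHAR(64)  NOT NULL,              -- how: 'checkout', 'registration', 'cookie_bar'
  notice_text   TEXT NOT NULL,                      -- what the individual was told, verbatim
  notice_hash   CHAR(64) NOT NULL,                  -- SHA-256 of notice_text, proves the wording
  remote_ip     VARCHAR(45) NULL,
  recorded_at   DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,   -- when
  KEY idx_subject_purpose (subject_email, purpose, log_id)
);

-- Constructed sample: consent ticked at checkout.
INSERT INTO gdpr_consent_log
  (subject_email, customer_id, purpose, action, source_form, notice_text, notice_hash, remote_ip)
VALUES
  ('jane.doe@example.com', 42, 'newsletter', 'granted', 'checkout',
   'Tick to receive our newsletter. You can unsubscribe at any time from My Account.',
   SHA2('Tick to receive our newsletter. You can unsubscribe at any time from My Account.', 256),
   '203.0.113.10');

-- Later withdrawal from My Account: append a new row, never delete the earlier one.
INSERT INTO gdpr_consent_log
  (subject_email, customer_id, purpose, action, source_form, notice_text, notice_hash, remote_ip)
VALUES
  ('jane.doe@example.com', 42, 'newsletter', 'withdrawn', 'my_account',
   'Untick to stop receiving our newsletter.',
   SHA2('Untick to stop receiving our newsletter.', 256),
   '203.0.113.10');

-- Current status per subject and purpose: the most recent row (highest log_id) wins.
SELECT l.subject_email, l.purpose, l.action, l.source_form, l.recorded_at
FROM gdpr_consent_log l
JOIN (
  SELECT subject_email, purpose, MAX(log_id) AS last_id
  FROM gdpr_consent_log
  GROUP BY subject_email, purpose
) latest ON latest.last_id = l.log_id
WHERE l.subject_email = 'jane.doe@example.com';
```

Because rows are only appended, the log doubles as the audit trail the guidelines above ask for; treat it as personal data itself when handling erasure requests.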

Make sure any personal data in your database tables is encrypted using one of the regulatory compliance solutions available. Here is a link which will help you achieve encryption at the database (MySQL) level:

https://dev.mysql.com/doc/refman/5.7/en/innodb-data-encryption.html

Step 2, Step 3, Step 5, Step 8 and Step 9 can be implemented by using our GDPR compliance extension:

Buy GDPR Compliance

Magento 1

Magento 2