
Magento 2 GDPR Checklist — Comprehensive Preparation

Posted on 13 June 2018

Magento 2 GDPR Checklist

As the GDPR (General Data Protection Regulation) takes effect, it brings about significant changes in privacy policy around the world and, ironically, one of the greatest waves of spam email people in the EU have ever faced in Internet history.

Regardless of the criticism and debate around it, the legislation is very much real and so are its sanctions: a violation can result in heavy financial penalties which, at maximum, can reach €20 million or 4% of the annual global profit, whichever is higher.

Wrapping your head around this new legal framework and figuring out what you need to do, step by step, can be confusing and puzzling (as with anything involving laws on any level, really). If you find yourself in that position, the following should give you a pretty good idea of where to start and what to work on. It involves doing your homework on the matter, examining your current policy, and enhancing it with the help of modules.

Study basic elements of the GDPR

The first step is getting yourself familiar with the legislation, which can be very hard and dry to chew through. Below you will find the highlights of the GDPR to give you a brief overview of what it is about. If you want to take a closer look, the full regulation is available online to the public.

Objectives and scope

The GDPR was created in the hope of making the Internet a safer place with stronger security for EU residents’ personally identifiable data. It is also meant as an update to catch up with the changes in technology over the last 20 years which the Data Protection Directive failed to address.

Even though the GDPR is aimed at EU residents, it essentially sets a new global standard for privacy. This is because the regulation applies to individuals and organizations in the EU and to anyone who deals with people in the EU. Hence, as long as you hold private information about users/customers from there, you need to treat that data in accordance with the regulation regardless of where you are.

On a side note, “personal information” is defined under the GDPR as any information that can be used to identify a person. This incorporates data previously considered non-personal, such as IP addresses and cookies set by websites.

Requirements for storage and transparency

The GDPR aims explicitly at making privacy policies stronger and more transparent. For secure data storage, the recommended/required methods are privacy by design, pseudonymization, and anonymization. If those terms mean nothing to you yet, it is worth starting to look into them, perhaps beginning with this article.

For openness, you are required to explicitly ask customers for agreement before collecting their information (opt-in) and to give them the option to decline. Not only that, but you also need to provide solid reasons for what is kept, why, how and for how long, meaning your privacy policy needs to be public and easy to read. Customers must also be allowed to see the information you hold about them (right of access), make changes, and have it deleted or transferred with ease (right of erasure).

Of course, all of the above would be futile if you cannot show proof that it has been carried out. As such, you are required to keep records of how data is collected, stored and processed, and to have them available for audits.

Magento 2 GDPR Checklist Guide

Reflect on your current practices

After getting a general grasp of what is required, it is time to look at where you currently stand in achieving it.

Information cleanup

An excellent place to start is a thorough spring clean of your database to detect its weak spots. Begin by filtering out information that can be considered private and follow up with a risk assessment. Also, pay attention to how processing activities are recorded. Make sure those logs are straightened out and presented in a unified, concise yet comprehensive manner. This should be done not only for your store’s own information bank but for your partners’ as well, since they are the ones with whom you share customer data.

Transparency assessment

In the next step, take a look at how you inform your customers about your policy. Have you made the text easy to find and read? Is your request for data clear and loud enough? Do customers know how much you know about them? Furthermore, can they access their information and request changes and deletion? Maybe they can, but is the process convenient, straightforward and quick?

After answering all of those questions, you should have a better view of your current policy and where it needs improvement.

Take actions accordingly

It should be noted that one principle of privacy by default is “prevention is better than cure”. Taken in a broader sense, it is better to focus on improving your process for handling data and its security than on emergency measures in case of a breach.

Staff training

How many of your managers know what “GDPR” stands for? Every administrator in your store, no matter how minor their role, may have to handle customer data one day (if they haven’t already). So everyone needs to be aware of, and responsible for, the protection of customers’ privacy. Keeping all of your staff informed about the new regulation and what to do in accordance with it is vital to minimizing information breaches and leaks.

Database management

As a business, it is very likely that you need to cooperate with other organizations. Whether you function as a store or as a third-party provider, keeping separate databases makes management and security hard. Hence, it is suggested that you and your partners create a mutual databank where all parties can see upfront who controls the source, what they are allowed to know, and what they are no longer allowed to know. Also, it is generally good practice to examine your partners’ privacy policies in advance to make sure they are in harmony with yours.

Tools and extensions

It would be a missed opportunity not to use Magento add-ons, as they are a great way to save time and effort in making your operation compliant with the GDPR. These extensions help you quickly and permanently erase customers’ information and default addresses with ease. What’s more, some of them are even free!

Here is a quick list of the three best free GDPR extensions for Magento 2, along with a brief introduction to each one.

Magento 2 GDPR Extension by Mageplaza

This module allows for complete removal of customers’ accounts and their default addresses from the front end. From their account, customers can easily see what information about their billing and shipping location (which includes name, phone number, and address) is currently available to the store and delete it if they wish. At a stronger level, they can erase their account entirely, along with any data associated with it.

Magento GDPR Compliance by Magebit

The extension helps customers export their private data to a .zip file. It also allows users to delete/anonymize their accounts (requiring the account password and an explanation) and offers a popup notification about cookie settings.

GDPR Magento 2 by Magenticity

It helps you display consent requests to visitors at your site. You can decide where the messages will be prompted as well as fully customize their content and opt-in options.

Final words

It is obvious that no matter how advanced your technology is, the real responsibility still lies with you. Delivering a privacy policy that genuinely meets the GDPR requirements takes a combination of human resources, technology, and understanding. This new legal framework marks a time when online marketers need to be more conscious of Internet users’ control over their private data and show that they acknowledge and respect such fundamental rights.

Author’s bio

Katherine enjoys reading about marketing and online commerce. What intrigues her the most is the different creative ways vendors come up with to facilitate the shopping process in their virtual stores, for example, a One Step Checkout page or a Layered Navigation system. Her favorite leisure activities are drawing, writing and spending time with her feline friend.

This is a guest post from our partner MagePlaza.