Magento 2 GDPR Checklist — Comprehensive Preparation
Posted on 13 June 2018
Regardless of the criticism and debate around it, the legislation is very much real and so are its sanctions: violation could result in heavy financial penalties which, at maximum, can reach €20 million or 4% of the annual global profit, whichever is higher.
Wrapping your head around this new legal framework and figuring out what you need to do, step by step, can be confusing and puzzling (as is generally the case with anything involving law at any level). If that is where you find yourself, the following should give you a good idea of where to start and what to work on. It involves doing your homework on the regulation, examining your current policy and enhancing it with the help of modules.
Study basic elements of the GDPR
The first step is familiarizing yourself with the legislation, which can be hard and dry to chew through. Below you will find the highlights of the GDPR to give you a brief overview of what it is about. If you want to take a closer look, the full regulation is publicly available online.
Objectives and scope
The GDPR was created with the hope of making the Internet a safer place, with stronger security for EU residents’ personally identifiable data. It is also meant as an update to catch up with the changes in technology over the last 20 years that the Data Protection Directive failed to address.
Even though the GDPR is aimed at EU residents, it essentially sets a new global standard for privacy. This is because the regulation applies to individuals and organizations in the EU and to anyone who deals with people in the EU. Hence, as long as you hold private information about users or customers from there, you need to treat that data in accordance with the regulation, regardless of where you are located.
On a side note, “personal information” is defined under the GDPR as information that can be used to identify a person. This includes data previously considered non-personal, such as IP addresses and cookies set by websites.
Requirements for storage and transparency
For transparency, you are required to explicitly ask customers for consent before collecting their information (opt-in) and to give them the option to decline. Not only that, but you also need to provide solid reasons for what data is kept, why, how and for how long, meaning your privacy policy needs to be public and easy to read. Customers must also be allowed to see the information you hold about them (right of access), make changes, and have it deleted or transferred with ease (right of erasure).
Of course, all of the above would be futile if you cannot show proof that they have been carried out. As such, it is required that records of how data are collected, stored and processed are kept and available for audits.
Reflect on your current practices
After getting a general grasp of what is required, it is time to look at how close you currently are to meeting those requirements.
An excellent place to start is a thorough spring clean of your database to detect its weak spots. Begin by identifying the information that can be considered private and follow up with a risk assessment. Also, pay attention to how processing activities are recorded: make sure those logs are straightened out and presented in a unified, concise yet comprehensive manner. This should be done not only for your store’s own data but for your partners’ as well, since they are the ones you share customer data with.
In the next step, take a look at how you inform your customers about your policy. Have you made the text easy to find and read yet? Is your request for data clear and loud enough? Do the customers know how much you know about them? Furthermore, can they access their information and make requests for changes and deletion? Maybe they can, but is the process convenient, straightforward and quick?
After answering all of those questions, surely you have got a better view of your current policy and where it needs improvement.
Take actions accordingly
It should be noted that one principle of privacy by default is “prevention is better than cure”. Taken in a broader sense, it is better to focus on improving your data handling processes and their security than on emergency measures in case of a breach.
How many of your managers know what “GDPR” stands for? Every administrator in your store, no matter how minor their role, may one day have to handle customers’ data (if they haven’t already). So everyone needs to be aware of, and responsible for, the protection of customers’ privacy. Keeping all of your staff informed about the new regulation and what to do in accordance with it is vital in minimizing information breaches and leaks.
Tools and extensions
It would be a missed opportunity not to use Magento add-ons, as they are a great way to save time and effort in making your operation GDPR compliant. These extensions help you quickly and permanently erase customers’ information and default addresses. What’s more, some of them are even free!
Here is a quick list of the three best free GDPR extensions for Magento 2, along with a brief introduction to each one.
Magento 2 GDPR Extension by Mageplaza
This module allows for the complete removal of customers’ accounts and their default addresses from the front end. From their account, customers can easily see what information about their billing and shipping location (which includes name, phone number and address) is currently held by the store and delete it if they wish. Going further, they can erase their account entirely, along with any data associated with it.
Magento GDPR Compliance by Magebit
The extension helps customers export their private data to a .zip file. It also allows users to delete or anonymize their accounts (requiring the account password and an explanation) and offers a popup notification about cookie settings.
GDPR Magento 2 by Magenticity
It helps you display consent requests to visitors on your site. You can decide where the messages are shown, as well as fully customize their content and opt-in options.
Katherine enjoys reading about marketing and online commerce. What intrigues her most is the different creative ways vendors come up with to facilitate the shopping process in their virtual stores, for example a One Step Checkout page or a Layered Navigation system. Her favorite leisure activities are drawing, writing and spending time with her feline friend. This is a guest post from our partner MagePlaza.