

On May 25, 2018, the GDPR came into our lives: a new privacy law that brings major changes to the collection and use of personal data, and one that will only grow in importance as the rules are adapted and enforced. PHPro is not a law firm, so we will not go into this law in depth here.
We will, however, explain how best to set up your Magento webshop in line with the GDPR and your Privacy Policy, and give you tips on a few GDPR modules for Magento that make this easy.



What does this legislation involve?
GDPR legislation rests on a few key concepts:
- Transparency:
Websites and webshops must inform their visitors about how they collect and process their data, in the clearest way possible. The visitor should be able to understand this perfectly, without any doubt.
- Consent:
You need permission from your visitor before you may collect and use his/her data, and only for the stated purposes.
- Duty to Report:
If there is a problem with your collected personal data (ex: in case of a data breach), it must be reported within 72 hours.
- Right to be forgotten:
The user may at any time request his or her data and demand that it be deleted.
The consumer is clearly central to the whole story. As a business, owning and using consumer data is hugely valuable. It is therefore extremely important to comply with GDPR regulations so that you can make the best use of your data.
GDPR & Magento
FRONT-END MEASURES | LANDING PAGES
A landing page is a page through which your visitors enter your website, so it is on this page that you have to ask your visitors for permission to use cookies. Of course, you do not repeat this on every page: once the visitor has set their cookie preferences, those preferences remain valid.
Huh? Cookies? PHPro wrote a blog post about Cookie Policy and GDPR compliance. Here's all the info you need.
Did you know that PHPro has a GDPR module for Magento that makes sure your webshop is Cookie GDPR compliant in no time? As a webshop owner, you can use this Magento module to divide the cookies into categories, so you have a quick overview of the cookies used on your webshop. Your customers then have the option to select their cookie preferences in a customizable pop-up.
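The point of dividing cookies into categories is that a script which sets analytics or marketing cookies must not run until the visitor has accepted that category, while strictly necessary (functional) cookies need no consent. The snippet below is an added example illustrating that gating logic; it is not the code of PHPro's cookie module. The category names, the script registry and the `cookie_prefs` cookie name are assumptions made for the illustration. A malformed or tampered preference cookie is treated as "no consent" for every optional category.

```javascript
// Added example (not PHPro's module code): only load scripts whose cookie category
// the visitor has accepted. Category names and the "cookie_prefs" cookie name are
// assumptions for this illustration.

const COOKIE_NAME = 'cookie_prefs';

// Constructed registry of the scripts a shop might load, each tagged with a category.
// "functional" cookies are strictly necessary and need no consent.
const SCRIPT_REGISTRY = [
  { id: 'session',   category: 'functional', src: '/js/session.js' },
  { id: 'analytics', category: 'analytics',  src: 'https://analytics.example/tag.js' },
  { id: 'ads',       category: 'marketing',  src: 'https://ads.example/pixel.js' },
];

const DEFAULT_CONSENT = { functional: true, analytics: false, marketing: false };

// Parse the stored preference out of a raw cookie string (document.cookie or a
// Cookie header). Anything missing or malformed means "no consent" for the
// optional categories; only an explicit `true` switches a category on.
function parseConsent(cookieString) {
  const consent = { ...DEFAULT_CONSENT };
  if (typeof cookieString !== 'string') return consent;
  for (const part of cookieString.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== COOKIE_NAME) continue;
    try {
      const stored = JSON.parse(decodeURIComponent(rest.join('=')));
      for (const cat of ['analytics', 'marketing']) {
        if (stored[cat] === true) consent[cat] = true;
      }
    } catch (e) {
      // Tampered or stale cookie: treat as if no preference was recorded.
    }
  }
  consent.functional = true; // strictly necessary, can never be switched off
  return consent;
}

// Serialize a visitor's choice as a Set-Cookie value. Only the optional categories
// are stored; Secure and SameSite keep the preference from leaking or being forged
// cross-site.
function serializeConsent(consent, maxAgeSeconds = 180 * 24 * 3600) {
  const payload = encodeURIComponent(JSON.stringify({
    analytics: consent.analytics === true,
    marketing: consent.marketing === true,
  }));
  return `${COOKIE_NAME}=${payload}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}

// Return only the scripts whose category the visitor has accepted.
function allowedScripts(registry, consent) {
  return registry.filter((s) => consent[s.category] === true);
}

// Browser-only: inject the permitted scripts into the page. Returns how many were
// injected; under Node (no DOM) it does nothing and returns 0.
function loadPermittedScripts(consent) {
  if (typeof document === 'undefined') return 0;
  let loaded = 0;
  for (const s of allowedScripts(SCRIPT_REGISTRY, consent)) {
    const el = document.createElement('script');
    el.src = s.src;
    el.async = true;
    document.head.appendChild(el);
    loaded += 1;
  }
  return loaded;
}

// Stand-alone demo with a constructed cookie string: analytics accepted, marketing not.
const demoConsent = parseConsent('sid=abc; ' + serializeConsent({ analytics: true }).split(';')[0]);
console.log(allowedScripts(SCRIPT_REGISTRY, demoConsent).map((s) => s.id)); // [ 'session', 'analytics' ]
```

In a real shop the pop-up would call `serializeConsent` once the visitor confirms their choices, and every page load would call `parseConsent` followed by `loadPermittedScripts` instead of embedding the third-party tags directly in the template; the fail-closed default is what keeps tracking cookies off the landing page before a choice is made.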
FRONT-END MEASURES | AGE CHECK
Owners of websites with unsuitable content and/or products for minors should not allow them to enter the website or make purchases. They must be able to show that they have made the effort to keep the content out. A good example of this is Vinetiq.
Alcohol may only be sold to visitors aged 18 and over, so before you can proceed you must enter your full date of birth.

FRONT-END MEASURES | TRANSPARENT, ACCESSIBLE AND UNDERSTANDABLE
Your privacy policy may be worded concisely; the more concise it is, the clearer it is to your visitor. Make sure it is complete, understandable and correct. Everything you collect from your visitor must be explained in plain, human language.
It is also important that the policy sits in a visible place. Whether that is a pop-up or a banner at the top or bottom of the page does not matter; you are free to decide that yourself.
Some points to mention:
- The purposes and legal grounds for data processing
- The contact details of your company
- The duration of the storage
- The right to file a complaint with the AP (Personal Data Authority)
- The rights of the data subject
- The recipients of your personal data, such as third parties
- Whether the data will be stored in another country
- Contact details of the Data Protection Officer (DPO).
More information about GDPR and Privacy Policy can be found on Sirius Legal's website.
BACK-END MEASURES
Just like on the front-end, you will have to take some measures on the back-end.
The nice thing about Magento is that you can personalize and automate your webshop with extensive functionalities and extensions.
Via the back-end you have to respond to the “Rights of the data subject”:
- Right to be forgotten (right to erasure): The company should only collect information that it needs, and a customer should have the option to delete their data. This right is not absolute, though: data may, for example, be kept for billing purposes.
- Right of access: The visitor has the right to request all his/her data and receive it in full.
- Right to data portability (a clear structure in the collection and retention of data): If your visitor's data has to be exported to another party, it must be in a reusable format. Make sure storing and exporting it is easy.
- Right to rectification: Your visitor gets more control over his/her collected data and can request corrections or ask for certain things to be deleted.
Magento's GDPR modules
It all seems complex, but fortunately Magento can be extended with modules or custom development to comply with these regulations. You can find all these modules on the Magento Marketplace. We take a look at some interesting ones here:
- Delete Customers: Lets you comply easily with the "right to be forgotten". This extension allows customers to delete their own account and data from the frontend. With Delete Customers installed, your customers have the freedom to delete their account at any time, without having to send requests to the admin.
- The Magento GDPR extension: This module allows Magento sellers to monitor, maintain and improve the full GDPR compliance of all business activities. This module makes the whole process manageable and transparent for Magento admins and customers. The GDPR module for Magento collects consent from new and existing customers throughout their registration, checkout and on other website pages. Customers can easily check their data and can send delete requests directly from their account. These requests are sent directly to the Magento backend where they can be managed quickly and efficiently.
- PHPro Cookie-module: This is an open-source module from PHPro. This module makes it easier for Magento admins to keep an overview of their cookies because you can divide them into categories. Your customers can select cookie preferences in a customizable pop-up.
There are many different modules within Magento that can really make a difference. Don't let it put you off; take your time to get it right. After all, being compliant is very important: the lawsuits and fines that can hang over your head are not small.
Don't know where to start?
Running into something with implementing GDPR and your Privacy Policy in Magento? Let us know! We'd love to help you out.