What are the GDPR regulations?

The GDPR regulations are based on a few important principals:

Transparency. Websites and online stores must inform their visitors on how they collect and store their data. This has to happen in a clear manner. The visitor must be able to comprehend everything.
Permission. You need permission from your visitor before you can collect, store and use their data for different purposes.
Notification Obligation. When there is an issue with the collected personal information (for example; a data leak), you have 72 hours to report it.
Right to be forgotten. The user can and may at all times demand to see or to delete their information.

In this entire process the consumer is central. As a company personal data of your customers can be very valuable. It is of the utmost importance to adhere to the GDPR regulations, in order to optimally use your user-data.

GDPR and Magento

Front-end measures | Landingspages

A landingspage is the page where a visitor enters your online store. On this page you must ask for permission for the use of cookies. This does not need to happen on every page. Once the cookiepreferences are accepted, they remain applicable.

What? Cookies? PHPro wrote an entire blogpost on Cookie Policy and GDPR compliance. You can find al the information you need.

Did you know that PHPro had a GDPR-module for Magento that makes your online store in no time cookie GDPR-compliant? With this module you, as webstore-owner, can categorize the cookies on your website, that way you can quickly generate an overview of the cookies on your website. Visitors will have the opportunity to select their cookie-preferences in a customizable pop-up.

Front-end measures | Age Check

Owners of websites with non-suitable content and/or products for minors, are not allowed to admit them to their website or let them purchase from their online store. They have to show that they have made an effort to withhold the content. A good example is Vinetiq. Alcohol can't be sold to minors, so before you can end your purchase, you must fill in your date of birth.

Front-end measures | Transparant, accessible and comprehensible

Your privacy policy can be concise and direct. The more concise, the easier it will be for your visitor to comprehend.

But watch out: it has to be exhaustive, comprehensible and correct. All information/data that you collect from your visitor had to be written for people. It's also important that it is placed somewhere visible. Through a pop-up, banner bellow or above... you have the freedom to decide that yourself.

A few things have to be mentioned in your privacy policy:

The purposes and legal grounds for the data-processing;
The contact information of your corporation;
The period of storage;
The right to submit a complaint at the AP;
The rights of the person concerned;
The recipients of your personal data, like third parties;
Or if the data is stored in another country;
Contact informations of the Data Protection Officer (DPO).

More information on GDPR and Privacy policy can be found on the GBA website.

Back-end measures

Just like at the front-end, you will have to take measures at the back-end. The amazing thing about Magento is that you have extensive fuctionalities and extensions, so that you are able to personalize and automize your online store.

Through the back-end you can address the "Rights of the Person concerned":

Right to be forgotten (right to be erased): The company can only collect information that it needs. A visitor needs to have the option to delete their information. This right is not total, information for invoices can remain stored.
Right of disclosure: The visitor has the right to demand insight in their data and to receive this in full.
Right on data transferability (clear structure in the collection and storage of data): When you have to export your data to third parties, it needs to be reusable. Make sure the storage and export of your data is easy.
Right to adapt information: Your visitor gets more controle on their collected information and can demand to change or delete certain elements.

The GDPR-modules in Magento

It all looks somewhat complex, but fortunately Magento offers modules or custom development to comply to the GDPR regulations. You can find all these modules in the Marketplace at Magento. We'll look at some interesting modules:

Delete Customers: With this module you can easily comply to the "Right to be forgotten". This extension allows customers to delete their own account or information at the front-end. When you use the Delete Customers module, your custimers have the freedom to delete their account at all times - without contacting the admin of the online store.
The Magento GDPR extension: The Magento GDPR extension allows Magento merchants to control, manage and improve the overall compliance of their business activities with the GDPR requirements. The GDPR module for Magento collects consent from new and existing customers throughout registration, checkout or any other website pages. Customers are able to send data access and erasure requests directly from their accounts. The requests, verified and approved beforehand by email, are sent straight to the Magento back-end and can be easily processed and managed there.
PHPro Cookie-module: This is an open-source module by PHPro. As a store-owner, you can now divide cookies into categories and have a quick overview of what cookies are being used by your store. Your customers can select their cookie preferences from within a customizable popup.

There are many different modules for Magento that can really make a difference. Don't be put of by the complexity, take your time to perfect the privacy policy on your website. It is of the utmost importance that you are compliant. The lawsuits and fines that given if you are not, are not a laughing matter.

Don't know where to start?

Running into issues with the implementation of GDPR and your Privacy Policy in Magento? Let us know! We'll gladly help you on your way.

News

GDPR and Privacy Policy