SetuBridge Offers GDPR Guide for Merchants

LOS ANGELES — SetuBridge Technolabs has released a GDPR compliance guide for online merchants.

While the company’s focus is on those using the popular Magento series of e-commerce shopping carts, the rules and compliance measures apply to all sites beginning on Friday, May 25, whether they feature e-tail functionality or not.

The GDPR, or the General Data Protection Regulation, is a data protection law passed by the EU Parliament in 2016 that gives individuals control over data protection and privacy on any website. It covers the collection, handling and processing of personal data by sites and requires every website to analyze carefully and thoroughly how it handles private information, to be sure it complies with all regulations stated in the GDPR.

The GDPR applies both to E.U.-based organizations and to organizations based outside the E.U. that cater to E.U. audiences or track the behavior of individuals in the E.U. Noncompliant sites can be fined up to €20M (~$23,668,100) or four percent of the company’s annual revenue, making non-compliance simply not worth it for companies of any size.

Based on the GDPR, SetuBridge has summarized the actions Magento merchants can take to make their e-commerce sites GDPR-ready.

1. Add cookie consent and opt-out control for site visitors. A cookie notification popup needs to be integrated on the site to alert visitors that it, or a third-party service it uses, requires a cookie to work. Site visitors must give consent by accepting before you inject any third-party service into your site. The popup should link to your privacy policy page, which explains which third-party services access cookies and for what purpose they are added. Users should have the option to opt out here as well.

2. Checkboxes for customer consent. To ensure transparency, it is important to have unticked (opt-in) checkboxes on the registration and checkout pages that inform users their personal information will be stored for registration and order processing, and that record their consent.

3. Privacy and data flow. It is important to track the complete data flow so you know what data is stored, and where, at each point in the flow. This complete flow should be well explained and kept up to date in your privacy policy and/or terms of use pages. Make sure they all comply with GDPR norms. You should state when customer data will be captured, for what purpose it will be used, and whether any third party will access this data and for what reason.

It is advisable to consult a legal firm to get your privacy policy updated to comply with GDPR norms.

4. Authentic data collection. It is important to collect only the data from the user that is relevant for the business to function. In case of inspection, your business must be able to justify that the collected data is necessary. It is also crucial to check whether any old dataset contains unnecessary, non-obligatory information, which will have to be deleted. This directly affects how Magento handles order quote tables, which store users’ personal data even when the transaction does not go through; quotes that are no longer in use should be purged regularly. Visitor log tables should likewise be cleared by configuring the log deletion frequency.

5. Customer data can be deleted. Customers should have the option to request account deletion from the logged-in account area, which should delete all associated personal information directly from the database. Implement a secure way (e.g. email confirmation) for users to request account deletion, and make that request remove the data related to their transactions, orders, shipping details, subscription status, etc. These details should be completely removed from your records.

6. Data portability. The regulation also states that customers must have access to the information stored about them, and that such a request must be answered within a month. It is therefore worthwhile to offer an option in the customer account area to extract all the information stored for the customer in CSV or another machine-readable format. A feature can be implemented that lets the user download all of his or her account data held in the database, after a security validation. The information can include transactions, orders, addresses, personal account info, subscription data, and any data held by a third-party extension.

7. Ability to remove or anonymize personal data. Your site must let customers delete or anonymize their personal records, order records and quote records in the database after logging into their account, with an additional security layer to verify the user’s authority over the account.
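As an added example for the erasure and anonymization requirements in items 5 and 7 (this is not SetuBridge’s or Magento’s code): a customer’s identifying columns are overwritten while order ids and totals are kept for bookkeeping, quote and subscription rows are deleted outright, and a final check confirms that none of the original personal data remains. The simplified table layout and the secret key are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample records standing in for Magento-style customer, order,
# quote and newsletter tables (simplified; not Magento's real schema).
STORE = {
    "customers": [{"id": 7, "firstname": "Ada", "lastname": "Lovelace",
                   "email": "ada@example.com", "telephone": "+44 20 1234 5678"}],
    "orders": [{"id": 501, "customer_id": 7, "grand_total": 89.90,
                "email": "ada@example.com", "street": "1 Analytical Ln",
                "city": "London", "postcode": "N1 9GU"}],
    "quotes": [{"id": 9001, "customer_id": 7, "email": "ada@example.com"}],
    "newsletter": [{"customer_id": 7, "email": "ada@example.com"}],
}
# Columns that identify a person; ids and totals are kept for bookkeeping.
PII_FIELDS = {"firstname", "lastname", "email", "telephone", "street", "city", "postcode"}
# Tables with no retention duty: their rows are deleted rather than anonymized.
DELETE_TABLES = {"quotes", "newsletter"}

def pseudonym(customer_id: int, secret: bytes) -> str:
    """Keyed, irreversible token so one customer's anonymized rows stay linkable."""
    return hmac.new(secret, str(customer_id).encode(), hashlib.sha256).hexdigest()[:16]

def anonymize_row(row: dict, pseudo: str) -> dict:
    """Return a copy with every PII column overwritten; other columns untouched."""
    return {k: (f"anon-{pseudo}@example.invalid" if k == "email" else "REDACTED")
            if k in PII_FIELDS else v for k, v in row.items()}

def erase_customer(store: dict, customer_id: int, secret: bytes) -> dict:
    """Honor an erasure request: drop quotes/subscriptions, anonymize the rest."""
    pseudo = pseudonym(customer_id, secret)
    result = {}
    for table, rows in store.items():
        key = "id" if table == "customers" else "customer_id"
        if table in DELETE_TABLES:
            result[table] = [r for r in rows if r[key] != customer_id]
        else:
            result[table] = [anonymize_row(r, pseudo) if r[key] == customer_id else r
                             for r in rows]
    return result

def residual_pii(store: dict, customer_row: dict) -> list:
    """Verification step: names of tables still holding any of the customer's PII."""
    needles = {str(v).lower() for k, v in customer_row.items() if k in PII_FIELDS}
    return sorted({table for table, rows in store.items()
                   for r in rows if any(str(v).lower() in needles for v in r.values())})

if __name__ == "__main__":
    cleaned = erase_customer(STORE, 7, b"constructed-secret-key")
    print(residual_pii(cleaned, STORE["customers"][0]))  # [] once erasure is complete
```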

8. Data flow. It is important to track the complete data flow: what data is stored, and where, at each point in the flow. This complete flow should be well documented, and privacy documents should be updated to justify when and why data is collected from your sites, whether by you or by any third party.

9. Third-party integration. While you make sure you comply with the regulation, it is equally important to inspect whether third-party extensions and other integrations also make appropriate use of the data and comply strictly with the regulation.

10. Data encryption and database view/action control. To keep personal data secure and safe, encryption of stored data is highly recommended. Access rights to your data may sound like a basic point, but they are a very important aspect to consider. Stringent access control rules and rights can protect your data from unauthorized access. Where the site is operated by several people, individual rights should be set up and restrictions put in place to prevent unauthorized access to individuals’ personal data. Admin back-office panels should be restricted to a limited set of IP addresses and should be placed on hard-to-guess, unique server paths.

“It’s all about clarity of process and how individuals’ data should be used and treated by online portals in the service and e-commerce industry,” a company spokesperson concludes.

Magento or Magento 2 store owners seeking assistance in making their site GDPR-ready can contact SetuBridge via email at sales@setubridge.com.

Copyright © 2026 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.