What is GDPR?
The General Data Protection Regulation, or GDPR, is one of the most significant pieces of legislation passed relating to technology and the internet. It was adopted by the European Union in April 2016 and applies from May 25, 2018. GDPR replaces the 1995 Data Protection Directive and the differing national laws built on it with a single regulation that applies directly in every member state. Primarily, GDPR aims to provide rules that fit today's technology-dominated world.
The main points of GDPR concern the privacy rights of everyday users and their data. It affects businesses of all sizes and changes how companies gather, store, and look after their users' data. Companies must tell people, at the time of collection, who they are, why the data is being collected, and on what legal basis. Consent is one such basis and, where you rely on it, it must be freely given, specific, informed, and unambiguous (no pre-ticked boxes); it is not the only basis, and data you need to fulfil an order can be processed because the contract requires it. Once data is collected, GDPR expects it to be protected by measures appropriate to the risk. The two measures the regulation names explicitly are pseudonymization, which stores data so that it can no longer be attributed to a specific person without additional information that is kept separately and protected, and encryption. Neither is mandatory in every case, but a controller that uses neither will find it hard to show its safeguards were appropriate.
What is considered personal data?
The concept applies to any information relating to an identified or identifiable natural person, whether or not it was collected online. This includes names, email addresses, images, bank details, social network posts, medical information, cookie identifiers, and IP addresses. An identifier counts even if it only identifies someone indirectly: a customer ID or order number is personal data as soon as it can be joined to a name.
What is the “right to erasure”?
Your website's users have the right to know exactly what details you hold about them (the right of access) and, separately, the right to have that data erased without undue delay when one of the grounds in the regulation applies: the data is no longer needed for the purpose it was collected for, they withdraw the consent the processing relied on, they object to direct marketing, or the data was processed unlawfully. The right is not absolute: records you must keep to meet a legal obligation, such as invoices retained for tax purposes, can be kept.
How does this affect you?
Companies outside the EU must abide by the same rules as EU companies if they offer goods or services to people in the EU or monitor their behaviour there. The test is where the person is, not their citizenship: if your mailing lists for newsletters or promotions include prospects or customers located in the EU, GDPR applies to you.
What are the requirements?
The requirements for online retailers with EU customers are outlined below:
- Understand what "personal data" you are collecting and storing in Magento as well as in upstream and downstream systems (e.g. names, e-mails, addresses, payment details). Special safeguards are required for the "special categories": racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health, and sex life or sexual orientation. We recommend taking an inventory of the personal data you hold and mapping where it flows to and from: ERP, payment and shipping providers, third-party services, reporting tools, and so on. Do not forget the copies that are easy to overlook: database backups, log files, and dumps copied to staging or developer machines.
- Tell your customers who you are when you request their data. About Us, Contact Us, Customer Service, and Help pages should be informative and should not shield you or make it difficult to contact you. Provide physical addresses, phone numbers, and names of key personnel (e.g. the owner, support, customer service).
- Tell your customers why you are collecting their personal data, how long you will keep it, and who you share it with. This should be clearly outlined in your privacy and use of personal data policies on the site and linked from customer registration and checkout.
- Provide your customers access to their personal data. Ensure customers can view what personal data you have collected about them. The Magento "My Account" area covers most, if not all, of the personal data you hold as it relates to orders and transactions. It gets trickier if you collect other identifying data through marketing services. Make sure that your third-party partners have a clear and coherent GDPR plan for compliance that you are comfortable with.
- Provide your customers the "right to be forgotten" or "right to erasure". This is new to Magento and it is still unclear how best to implement it, but GDPR expects online retailers to let customers have their personal data erased and, as a separate right (data portability), to receive a copy of the data they provided in a machine-readable format. Erasure covers names, e-mail addresses, physical addresses, payment card details (which should not be stored in Magento at all; keep only the payment processor's token), and the elements of order records that are personal data. It may extend to logs holding their IP address and to other content they created (reviews, social interactions, and so on). Full deletion is not always required or even permitted: order records you must retain for accounting purposes can be kept, but they should be pseudonymized so they no longer point to the person. As you can see, this one opens the door to a lot of questions and a real burden on small online retailers.
- As an online retailer you are expected to be proactive in maintaining best practices for security and protecting your customers' data. In addition, if there is a breach of personal data, you must notify your supervisory authority within 72 hours of becoming aware of it unless the breach is unlikely to result in a risk to individuals, and you must notify the affected customers themselves without undue delay when the breach is likely to result in a high risk to them.
- Provide your customers the right to "opt out" of direct marketing that uses their personal data. Magento has always supported this for newsletters and e-mail promotions and lets customers subscribe to and unsubscribe from these forms of direct marketing. This right to opt out is something to review with any third-party partners you share customers' personal data with.
- Ensure that any transfer of personal data to other parties is highlighted in your privacy and use of personal data policies. Notify your customers of any changes to these policies.
- It is ultimately your responsibility to be aware of the data usage policies and behaviors of any extensions or third-party system you choose to use.
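The pseudonymization described at the start of this post and the "right to erasure" item above are two halves of one design, so here is an added example (not Magento or Crimson Agility code) that shows them together. Order records carry only an opaque random token; the table linking a token back to a person is the "additional information" GDPR says must be kept separately. Subject access joins the two; erasure deletes the link and the e-mail lookup, so retained orders can no longer be attributed to anyone and a returning customer gets a fresh token that cannot re-link the old ones. The names, records, and the assumption that orders must be retained for accounting are all constructed for the demo.

```python
"""Pseudonymised customer records with subject access and erasure.

Added example, not Magento or Crimson Agility code. Orders store only a
random token; the vault that maps tokens to identities is assumed to live
in a separate, access-controlled store in a real deployment. All records
below are constructed for the demo.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Order:
    order_id: str
    customer_token: str   # pseudonym only, never the e-mail or name
    total_cents: int


@dataclass
class Shop:
    # Vault: the "additional information" kept separately from the orders.
    by_email: dict = field(default_factory=dict)   # normalised e-mail -> token
    by_token: dict = field(default_factory=dict)   # token -> identity fields
    orders: list = field(default_factory=list)      # pseudonymised order records

    @staticmethod
    def _norm(email: str) -> str:
        return email.strip().lower()

    def register(self, name: str, email: str, address: str) -> str:
        """Issue an unguessable random token; nothing can recompute it from the e-mail."""
        key = self._norm(email)
        if key in self.by_email:
            return self.by_email[key]
        token = secrets.token_hex(16)
        self.by_email[key] = token
        self.by_token[token] = {"name": name, "email": email, "address": address}
        return token

    def place_order(self, email: str, order_id: str, total_cents: int) -> Order:
        token = self.by_email[self._norm(email)]
        order = Order(order_id, token, total_cents)
        self.orders.append(order)
        return order

    def subject_access(self, email: str) -> Optional[dict]:
        """Right of access: everything the shop can still link to this person."""
        token = self.by_email.get(self._norm(email))
        if token is None:
            return None
        return {
            "identity": dict(self.by_token[token]),
            "orders": [o.order_id for o in self.orders if o.customer_token == token],
        }

    def erase(self, email: str) -> int:
        """Right to erasure: drop the identity and the e-mail lookup.

        Orders are kept (assumed accounting retention duty) but now reference a
        token that resolves to nobody. Returns how many orders were orphaned.
        """
        token = self.by_email.pop(self._norm(email), None)
        if token is None:
            return 0
        del self.by_token[token]
        return sum(1 for o in self.orders if o.customer_token == token)


def demo() -> dict:
    """Walk one constructed customer through register, order, access, erase, return."""
    shop = Shop()
    shop.register("Ada Example", "Ada@example.com", "1 Sample St")  # constructed
    shop.place_order("ada@example.com", "100000042", 1999)
    shop.place_order("ada@example.com", "100000043", 500)
    before = shop.subject_access("ada@example.com")
    orphaned = shop.erase("ada@example.com")
    after = shop.subject_access("ada@example.com")
    # Returning customer: a fresh token, so the orphaned orders never re-link.
    new_token = shop.register("Ada Example", "ada@example.com", "1 Sample St")
    relinked = any(o.customer_token == new_token for o in shop.orders)
    return {
        "orders_before": len(before["orders"]),
        "orphaned": orphaned,
        "access_after_erasure": after,
        "orders_retained": len(shop.orders),
        "relinked": relinked,
    }


if __name__ == "__main__":
    print(demo())
```

The token is random rather than a hash of the e-mail on purpose: a keyed hash would let anyone holding the key recompute the old token from the address and quietly re-attach the "erased" orders. Whether the orphaned orders may be kept at all, and for how long, is a question for your accountant and counsel, not for the code.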
What are the consequences of non-compliance?
Companies outside Europe also need to ensure they are compliant, as they can be fined too. GDPR is a huge deal. Fines come in two tiers: up to €10 million or 2% of annual global turnover, whichever is higher, for failures such as inadequate security or a missed breach notification, and up to €20 million or 4% of annual global turnover, whichever is higher, for violating the core principles, the rights of data subjects, or the rules on transfers outside the EU. Any organization found out of compliance after the May 25 deadline is exposed to these.
This blog post is not legal or regulatory advice. It is an interpretation of the GDPR and emerging best practices to help our Magento customers. The team at Crimson Agility can help (from a technology standpoint) to get your online retail shop ready in time for the GDPR deadline of May 25th, 2018. It remains to be seen exactly how GDPR will be enforced and how readily fines will be issued, but for now it is better to be safe than sorry and prepare as much as you can.
Ask us and we can do an assessment of your site and provide you with a free estimate for what it would take to get your site GDPR compliant.
Thanks for stopping by!
Crimson Agility Team