With a growing amount of personal data being captured every day, the regulations and laws imposed on organisations that hold and process individuals' data have increased significantly in order to protect those individuals.
The new European Union General Data Protection Regulation (GDPR) is a data privacy regulation that applies to all companies processing and holding the personal data of data subjects residing in the European Union. It aims to provide people with greater control over their privacy. The compliance deadline is on the 25th May 2018.
The GDPR can be summarised by the rights it grants to individuals; these include:
- Right to be informed: you will need to clearly inform your customers about the data you collect and how you will use that data
- Right of access: customers should be able to gain access to all of their personal data
- Right of rectification/erasure: your customers should be able to request the removal of their personal data (subject to certain limitations, e.g. legal obligations) and/or have any errors corrected.
- Right to data portability: it should be possible to request a portable copy of data you hold (for example a CSV file)
You may also need to consider the right to object, the right to restrict processing and the right not to be subject to automated decision-making including profiling.
We recommend that we carry out a complete audit of your site to help you identify the data you collect, where it is held, the purpose for which you collect it and any third parties it is shared with. This will help your business to achieve full transparency.
To help you ensure your organisation's compliance with the regulation, we have prepared a handy 9-point helpsheet to assist you with auditing your Magento website for GDPR.
1. Consent
You will need to ensure that all customer data you hold is processed with full consent (or under another lawful basis, such as fulfilling contractual obligations or, in the case of email marketing, legitimate interests) and that customers are well informed at the point of consent about how this data will be used. Records evidencing consent should also be kept, including when and how it was given and what the customer was told.
Where, traditionally, a single terms and conditions checkbox at the end of the checkout may have been sufficient, you now need to be more explicit. For example, you may wish to offer a tooltip alongside the telephone number field to explain why you are collecting the customer's number if you intend to use it for anything other than fulfilling your contractual obligations to them (e.g. marketing). The ICO calls these “just-in-time” notices; one might look similar to this:
If you wish to obtain consent rather than rely on legitimate interests, you may wish to give further options for opting in to different marketing channels (e.g. phone, email or text).
It is also recommended that privacy notices are presented in a layered way (e.g. “follow this link for more information”), which allows you to show the key privacy information immediately with more detailed information elsewhere. This is especially helpful for mobile users and for maintaining good UX.
2. Admin access
The Magento Admin likely provides full access to most, if not all, of the private data you collect. Access should be limited to GDPR-trained members of your organisation and only to third parties, such as ourselves, who are also GDPR compliant. Passwords should be strong to protect the data you hold.
Users should be assigned limited-access “roles”, which let you restrict the data each user can access to only what they require.
All websites we run should operate with enforced SSL/TLS encryption. We can also set up IP restrictions on your Magento Admin area to limit which machines can access it, as well as logging of those that do.
3. Data storage
Have you considered who has access to your customers' data in your store's database? You should ensure that your hosting provider is GDPR compliant and that access to the database itself is limited to you and us. At outer/edge we will aim to ensure that all customer data is anonymised before being used for development purposes.
You may also want to discuss putting in place a regular vulnerability-scanning and penetration-testing regime. You can also use the MageReport.com website to test for easy-to-spot security issues.
4. Third-parties and tracking scripts
If you send customer data to third parties for processing (for example, analytics and marketing segmentation tools), then your customers should be made clearly aware of this. You will also need to check that these third parties comply with the GDPR and review your contracts with them.
Google Analytics provides an option to anonymise users' IP addresses. Combine this with ensuring that users are not identifiable in Analytics through page URLs or the User ID feature.
We recommend moving all of your tracking scripts to Google Tag Manager. This provides a single location for enabling tracking once consent has been granted by the customer and dramatically decreases complexity.
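As an added example (not code from the original post or from any Magento module), the consent handling described under point 1 and the consent-gated tracking described here, in plain JavaScript: every channel starts opted-out, each decision is recorded with when, how and what the customer was told, and the Tag Manager dataLayer only receives a tracking event once analytics consent exists, with GA IP anonymisation switched on. The NOTICE_VERSION value, the dataLayer event name and the channel list are assumptions.

```javascript
// Assumed identifier for the exact notice text shown to the customer, so the
// evidence record can be matched to what they were told at the time.
const NOTICE_VERSION = "privacy-notice-2018-05";

// Assumed set of channels the customer can opt in to separately.
const CHANNELS = ["analytics", "email", "phone", "text"];

// Create a consent record for one customer; nothing is pre-ticked.
function newConsentRecord(customerId) {
  const channels = {};
  for (const c of CHANNELS) channels[c] = false;
  return { customerId, channels, evidence: [] };
}

// Record an explicit opt-in or opt-out together with the evidence GDPR asks
// for: `method` is how it was collected (e.g. "checkout-checkbox"),
// `noticeText` is what the customer was told, `now` is when.
function setConsent(record, channel, granted, method, noticeText, now = new Date()) {
  if (!CHANNELS.includes(channel)) throw new Error("unknown channel: " + channel);
  record.channels[channel] = Boolean(granted);
  record.evidence.push({
    channel, granted: Boolean(granted), method, noticeText,
    noticeVersion: NOTICE_VERSION, at: now.toISOString(),
  });
  return record;
}

// Gate tracking on analytics consent: push one event into the GTM dataLayer
// (a GTM trigger on this event would fire the GA tag) and return the GA config
// the tag should use, with anonymize_ip on and ad personalisation off.
// Without consent nothing is pushed and null is returned.
function enableTrackingIfConsented(record, dataLayer) {
  if (!record.channels.analytics) return null;
  dataLayer.push({ event: "analytics_consent_granted" });
  return { anonymize_ip: true, allow_ad_personalization_signals: false };
}
```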
5. Data removal
GDPR requires that a customer can request that their data be removed (except, for example, where you have a legal obligation to retain it). Note that Magento may record sales data even if an order has not resulted in a completed sale.
We can provide an extension to Magento that allows you to fully anonymise or erase customer data from all of these areas. We can also support you in implementing an option that allows customers with accounts to remove this data themselves. Customer data that may need to be made removable includes:
- Invoices and order history
- Contact form submissions
- Saved payment methods
- Product reviews
- Newsletter signups
6. Data export
You will need to be able to provide your customers with a portable version (CSV, for example) of the personal data you hold on them within 30 days of the request. We can advise on implementing methods to automate this, or assist with individual requests.
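As an added example (not the extension mentioned under point 5, nor any Magento code), a worked erasure-and-export routine over constructed records shaped like a customer account, an invoice, a review and a newsletter signup: export produces the portable CSV, and erasure drops everything except records under a retention obligation, whose personal fields are overwritten so the financial record survives without the person. The record shape, the retained kinds and the personal-field list are assumptions.

```javascript
// Constructed sample data, loosely shaped like Magento's customer and order tables.
const SAMPLE_RECORDS = [
  { kind: "customer", id: 7, email: "jane@example.com", firstname: "Jane", lastname: "Doe" },
  { kind: "invoice", id: 501, email: "jane@example.com", firstname: "Jane", lastname: "Doe",
    street: "1 High St", grand_total: 49.99, created_at: "2018-01-10" },
  { kind: "review", id: 90, nickname: "Jane D", detail: 'Great, "fast" delivery' },
  { kind: "newsletter", id: 12, email: "jane@example.com" },
];

// Assumed: which fields are personal data, and which record kinds carry a
// legal obligation to retain (invoices here) and so are pseudonymised, not deleted.
const PERSONAL_FIELDS = ["email", "firstname", "lastname", "street", "telephone", "nickname"];
const RETAINED_KINDS = ["invoice"];

// Quote one CSV cell. A leading =, +, - or @ is prefixed with an apostrophe so a
// spreadsheet opening the export does not evaluate the value as a formula.
function csvCell(v) {
  let s = v === undefined || v === null ? "" : String(v);
  if (/^[=+\-@]/.test(s)) s = "'" + s;
  return /[",\n]/.test(s) ? '"' + s.replace(/"/g, '""') + '"' : s;
}

// Right to data portability: one row per record, header is the union of all
// field names in first-seen order; missing fields become empty cells.
function exportCsv(records) {
  const cols = [...new Set(records.flatMap((r) => Object.keys(r)))];
  const rows = records.map((r) => cols.map((c) => csvCell(r[c])).join(","));
  return [cols.join(","), ...rows].join("\n");
}

// Right to erasure: records with no retention duty are removed outright;
// retained records keep their non-personal fields and have personal ones overwritten.
function eraseCustomer(records) {
  return records
    .filter((r) => RETAINED_KINDS.includes(r.kind))
    .map((r) => {
      const copy = { ...r };
      for (const f of PERSONAL_FIELDS) if (f in copy) copy[f] = "[erased]";
      return copy;
    });
}

console.log(exportCsv(SAMPLE_RECORDS));
console.log(eraseCustomer(SAMPLE_RECORDS));
```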
7. Opt-in and opt-out
There should no longer be any pre-filled checkboxes for opt-in on your site. The customer must give explicit consent before you contact them for marketing purposes (and thereafter have the option to opt out).
If you collected data for marketing purposes before GDPR without consent, you will need to seek consent to retain this data or remove it.
Whilst we’ve spent a lot of time with GDPR to understand its intent and meaning, these recommendations should not be relied upon as legal advice or to determine how GDPR might apply to you and your organisation. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies specifically to your organisation, and how best to ensure compliance.