GDPR means General Data Protection Regulation. It is a piece of legislation involving information gathering and use. Since GDPR became law, every EU website is required to follow specific requirements in the collection of personal information. Companies out of compliance are subject to heavy penalties. Therefore, it’s essential for all eCommerce websites to include extensions and strategies to honor these regulations. In this piece, we’ll explore the best extensions to meet GDPR requirements for Magento eCommerce platforms.
The GDPR came into force in May of this year. It addresses how information is collected by processors and controllers. Controllers are the companies and individuals that collect information. Processors are company workers and representatives. The aim of the GDPR is to protect data for all EU residents and citizens. If companies offer services and goods in the EU, they are obligated to follow GDPR law, even if they are foreign-based. If your website uses an EU language, accepts payments in Euros, or mentions EU clients, then regulations require it to act within GDPR law.
GDPR aims to create awareness about and offer control over how information is collected and used. The goal is to simplify information collection and management. GDPR is oriented around seven principles:
- Processing: Information processing should be done with transparency, legally and fairly.
- Limitation of Purpose: Information can only be gathered for legitimate, precise, specific purposes and processed only for those purposes.
- Minimization: No information should be gathered beyond the stated purposes. As little data as possible should be collected to fulfill this purpose.
- Accuracy: All inaccurate information should be updated or removed immediately upon discovery.
- Limitation of Storage: Personal information should be removed once it has fulfilled the company’s stated goals.
- Confidentiality and Integrity: Information should be used only in legal and authorized fashions and protected from exposure to other parties.
- Accountability: Persons and companies responsible for processing and collecting information are accountable for any damage, destruction, or loss related to illegal or unauthorized information handling.
As per GDPR, information which can be used as an identifier is personal data. Names, ID numbers, online identifiers, locations, and other information which can be used to identify a specific person all fall under this category. GDPR makes allowances for technological innovation and changes in information gathering methods. It covers information collected automatically or gathered manually for filing systems.
GDPR also addresses sensitive information. This category includes genetic and biometric data. Philosophical views, religious views, and political views also fall under the heading of sensitive personal information. Sensitive data is protected under extra safeguards. Data protected with a pseudonym or key-code is regarded as personal data, if it can be connected with the individual, indirectly or directly.
Information is only regarded as personal if it “relates to” or concerns a specific person. Consider informational content, processing purpose, and potential impact. Inaccurate information can be regarded as personal data, but anonymized information is exempt from GDPR regulation. Data regarding the deceased, companies or public authorities are also exempt. On the other hand, information about employees, company directors, sole traders, and partners is protected under GDPR.
What Are GDPR Requirements?
Before gathering personal information, a company must establish a valid reason for its collection. The GDPR established six valid reasons, or lawful bases, which justify information gathering and processing. These are:
- Consent: A person can permit to process certain data for a stated goal.
- Contract: Specific information can be necessary to establish contract legitimacy.
- Legal Obligation: Legal compliance can legitimately require the processing of certain data.
- Vital Interests: Information can be gathered to protect life.
- Public Task: Specific information may be gathered to help officials to act in the public interest according to the scope of their position.
- Legitimate Interests: The legitimate interests of your company or a third-party may require the gathering and processing of specific information.
These are the six legitimate purposes which justify data gathering and use. Should your goals change, information can be used for the new goals only if they are compatible with the previous ones. After defining a lawful basis, each website must explicitly state what information is collected and how it is used. This must be clarified in a site’s Cookie and Privacy statements.
How to Make Your Website GDPR Compliant
To ensure your company complies with GDPR standards, you must understand GDPR principles. Think about the content of the data you collect. If sensitive personal information is gathered, read up on the additional conditions that apply to this specific type of data. You must also prepare all documentation to ensure that information is being collected according to a valid legal basis. Finally, all EU customers should be informed of the data gathered, the reason for gathering it, and the processing details.
The principles listed above are the core of GDPR. They are not ironclad laws. Instead, they lay out the intentions of data protection regulations. Websites are compliant when they act by these principles. Any infringements upon these basic principles will result in severe fines.
GDPR requires data to be processed legally, transparently, and fairly. To establish GDPR requirements, first find your lawful basis for information gathering and processing. This gives you validity for the handling of information. Be open, honest, and clear regarding the information and its uses. Do not mislead the customer, and ensure that the data isn’t used detrimentally. Finally, follow GDPR standards and any other relevant regulations. This includes ensuring the information is not processed in any way that constitutes:
- Confidence breaches;
- Exceeding your legal powers or exercising them improperly;
- Copyright infringements;
- Contract breaches;
- Breaches of industry-specific regulations; or
- Breaches of the Human Rights Act of 1998.
Extensive documentation is needed to demonstrate that you are prepared. To be compliant, you must be able to produce a set of documents upon demand. The documents required by the GDPR are as follows:
- Subject Access Request Forms and Procedures
- Retention and Erasure Policy & Schedule
- Records of Processing Activities (where applicable)
- Records of Consent from Data Subjects or Parental/Guardian Consent
- Processor Agreements (where applicable)
- Procedures for Subject Access Requests
- Procedures for Non-EU Data Transfers & Documented Safeguarding Measures
- Procedures for Data Breaches & Notifications
- Procedures & Notifications for Subject Rights
- Privacy Notice with Article 13/14 Information Disclosures
- Documented Technical & Organisational Measures for Processing Security
- Data Protection Policy
- Data Protection Officer Appointment, Duties & Notifications (where applicable)
- Data Protection Officer Appointment, Duties & Notifications (where applicable)
There are several additional forms which extend beyond mandatory requirements. These forms constitute best practice and show dedication to GDPR:
- Access Request Response Templates – These templates ensure compliant and consistent SAR responses.
- Information Audit – Record details of gathered information.
- Internal Audit & Review Policy & Procedures – First, establish GDPR policies and compliance measures and procedures. Review, audit and assess regularly. Adjust and adapt as necessary to maintain compliance.
- Privacy Notice Register – Keep Privacy Notice records. Make sure details like purpose, and last revision date are accessible.
- Staff Training Program –Training methods and policies, evaluations and assessments, any other relevant details.
GDPR requires you to assign roles for information processing and gathering. GDPR defines two key roles: processor and controller. Controllers define the goal of information collection and handling. Processors are entities working for a controller, dealing with information records or processing data. For companies employing over 250 individuals processing information from more than 5000 subjects, GDPR regulation require a Data Protection Officer responsible for compliance.
Legislations relate specifically to each role, so each individual involved in information handling should understand their role. Processors must keep records of information processing and gathering. They are held liable if this information is breached. Controllers are not exempt of these obligations. They are legally obligated to ensure that processors act in compliance. All organizational activities within the EU are subject to these regulations.
Transparency is a key principle for GDPR. Your customers should be made fully aware of any information gathered, your reason for gathering it, and how it is processed. Inform the customer of the lawful basis for collecting data. Include written Cookie policies and Privacy policies which fully detail your information collection and usage practices.
Set Up Extension
There are several extensions which help to ensure GDPR compliant data collection. Each extension offers features which allow you to customize your data collection and processing practices and procedures. The sections below explore the features and pricing of each extension in further detail.
GDPR Magento 2 Extensions for eCommerce Stores
GDPR eCommerce can be complicated for companies both within and outside the EU. GDPR extensions ensure that your Magento eCommerce platform complies with GDPR. They help to bring all aspects of your business operation into alignment with current regulations.
OnTap manager keeps tabs of all customer data. It also gives your customers access to their data and request erasure. Here are key features offered by OnTap:
- Offers Subject Access Requests to Customers.
- Provides a Compliance dashboard.
- Gives customers comprehensive access to information.
- Handles the deletion of data through Magento.
- Offers a workflow which tracks external system data deletion and shows external data sources.
- Informs you of obligations and notifies you of breaches.
- Installation is fast and easy. Installation services are offered in more complicated cases.
OnTap’s compliance manager retails at £199. It offers free installation and 30-day money back guarantee. Free 90-day support is included in the purchase, with the option of 180-day support for £79.60 or 360-day support for £199 pounds.
Amasty’s GDPR extension for Magento 2 collects user consent for information gathering and handling. It manages privacy issues and creates privacy policies, adapting them to your operating region or creating several for different regions. It also provides policy updates for new regulations. This extension lets you:
- Reach GDPR EU regulation;
- Collect user consent on relevant pages;
- Establish and update privacy policies;
- Handle necessary documents;
- Let customers anonymize or download profile data and request deletion;
- Export customer lists according to consent;
- Obtain consent through email and manage consent via a grid;
Amasty Magento 2 GDPR extension retails for £199. Installation costs £59, however, Amasty offers a year of free support.
Aheadworks offers yet another GDPR extension with impressive features and at a competitive price. These are a few features this extension offers:
- Automatic deletion for accounts linked to abandoned carts or incomplete orders
- Complete Base Management for Customers
- Full customer access and means to request data deletion
- Email-driven customer verification
- Means to delete user information
- Means to export customer lists based on lack of consent
- Means to export data access and data removal requests
- Monitoring systems for customer removal requests
- Tracking systems for customers by consent or lack of consent
- Tracking systems for data access requests
- Means to request consents
- Regular automated updates for information protection policies
Just as with the OnTap and Amasty extensions, the AheadWorks GDPR extension for Magento 2 retails for £199. It comes with a 45-day money-back guarantee and 90 days of free support. This offer also includes free installation and free updates for life.
Magebit is a full-service provider of GDPR tool and all other eCommerce web platform solutions. They offer a free open source GDPR extension. Magebit also has a track record of bringing online stores into compliance with GDPR. They offer 24/7 service if you need your site brought into compliance urgently. Magebit also offers a free GDPR requirement checklist so that you can evaluate what your site needs.
Magebit tailors its services to your site, so they don’t give a single price for all web platforms. Magebit ensures that:
- You have a comprehensive list of all personal data, the sources, the uses, where it is shared, and how long it is kept.
- You have a detailed analysis of where personal data is stored and how information flows between these locations.
- You have a Data Protection Officer with all required documentation.
- Your decision makers and staff are aware of data protection and GDPR guidelines.
- Policies are in place for reporting breaches in data.
- You have a detailed list of sub-processors and contracts to cover data sharing under GDPR guidelines.
- Your customers can access, update, halt processing, or request deletions of data.
- Your system automatically deletes any data which is no longer in use.
These are just a few of the features that Magebit offers. It is a great tool to make your store GDPR-ready.
Prepare Your Store According to GDPR Requirements
GDPR requirements list is a major feature of current eCommerce web platforms operating within the EU. Given the extensive regulations, it can be challenging to meet all current requirements. However, with the extensions and information above, you can easily adapt to GDPR and keep your company on top of the game.