GDPR has recently received a great deal of attention from internet users around the world. In this post we give a brief overview of the GDPR and a practical guide to GDPR compliance for Magento 2 websites.
1. GDPR Definition and Its Deadline
GDPR stands for General Data Protection Regulation, the EU regulation that protects the personal data and privacy of individuals in the EU. It was adopted by the European Parliament on April 14, 2016 and becomes enforceable on May 25, 2018, replacing the EU Data Protection Directive of 1995.
Personal data is defined broadly under the GDPR. Article 4 states that “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)”, which covers not only names and e-mail addresses but also identifiers such as IP addresses and customer IDs that can be linked back to a person. The GDPR also introduces many changes compared with the previous directive; the most relevant ones for online shops are covered below.
2. Who is Impacted by GDPR?
The GDPR applies to every website that processes personal data of individuals in the EU, regardless of whether the company is located in the EU or not. If your business processes the personal data of people in the EU, you must comply with this legislation.
The point that gets most organizations' attention is the penalty: non-compliance can be fined up to 4% of annual worldwide turnover or €20 million, whichever is greater. Every company handling EU customers' data therefore needs to understand the GDPR and take concrete steps towards compliance.
3. Consent Conditions and Rights of Data Subjects
The General Data Protection Regulation tightens the conditions for consent. Consent must be clear and easy for the data subject to give, and the controller must be able to demonstrate that the data subject has actually consented to the processing of their personal data. The request for consent must be presented “in an intelligible and easily accessible form, using clear and plain language”. Additionally, data subjects can withdraw their consent at any time, and withdrawing must be as easy as giving it. Controllers therefore have to keep a record of each data subject's consent (what was consented to, when, and how) and honour withdrawals promptly.
Under the GDPR, the EU individuals will get many rights to protect their privacy as well:
- Right to be informed about what data is collected and how the controller uses it
- Right to access their personal data free of charge
- Right to have inaccurate or incomplete personal data corrected
- Right to have their personal data erased
- Right to restrict processing of their data in specific situations
- Right to data portability: to receive the data concerning them in a structured, commonly used, machine-readable format and to reuse it elsewhere
- Right to object to their data being used in certain circumstances, such as direct marketing
- Right not to be subject to decisions based solely on automated processing, including profiling
You must respond to a data subject's request without undue delay and at the latest within one month; for complex or numerous requests this period can be extended by a further two months, provided you inform the individual within the first month.
4. How Do Magento 2 Websites Comply with GDPR?
Based on the requirements of the GDPR, here is a list of actions to bring a Magento 2 site into compliance.
Firstly, you need a clear picture of how customer data is processed on your site:
- which types of personal data you collect (account details, addresses, order history, newsletter subscriptions, IP addresses, cookies)
- how you obtain it (registration, checkout, contact forms, tracking scripts)
- why you collect it and what you use it for
- who it is shared with (payment providers, shipping carriers, marketing tools, extensions that call third-party services)
- what happens when an individual objects or withdraws consent
Then you can apply the following suggestions to comply with the GDPR:
- Add cookies consent to your site
Under the GDPR, to obtain valid consent for cookies you must inform visitors that cookies are used and for what purpose, and you must offer a clear acceptance button so that consent is an affirmative action. Silence, pre-ticked boxes or simply continuing to browse do not count as consent. If your site does not meet this requirement yet, you can use a tool such as the Magento 2 Cookie Notice extension.
- Update your privacy policy page
Add all the information about personal data processing gathered above to the privacy policy page of your site.
- Be able to locate and export all of an individual's personal data, for example as a CSV file
Keep an inventory of where personal data lives (customer entities, addresses, orders, quotes, newsletter subscribers, third-party integrations) so that when a subject access or portability request arrives you can quickly collect everything about one person in one place and hand it over in a machine-readable format.
- Allow individuals to remove their personal data
The quickest solution is to add a “Delete my profile” option to the customer account page on the frontend. Note that data you are legally required to keep, such as invoices and other accounting records, does not have to be deleted on request; in that case the identifying fields should be anonymized instead (see below) while the transactional records are retained for the required period.
- Offer a form for customers to submit requests concerning their personal data
Create a form through which users can send requests regarding their rights under the GDPR, and log each request with its date so that you can prove you answered within the one-month deadline.
- Make personal data anonymous, especially data not needed for transactional purposes
Replace identifying fields (names, e-mail addresses, phone numbers, street addresses, free-text notes) with irreversible placeholders while keeping the fields needed for accounting and analytics (order number, date, totals, products, country). Data that serves no transactional purpose, such as old abandoned quotes or expired newsletter subscriptions, should simply be removed.
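As an added illustration of the anonymization step (this is example code written for this post, not part of Magento or of any extension; the field names loosely follow Magento's customer and order entities but the record layout, the sample customer and the `anonymize`, `scrub`, `pii_values` and `pii_leaks` helpers are all assumptions of the example), the script below replaces every identifying field of a customer and their orders with a random token, keeps the transactional fields intact, and then verifies that none of the original personal data survived anywhere in the output:

```python
import datetime
import json
import secrets

# Field names loosely follow Magento's customer and order entities, but the
# schema here is an assumption of this example, not Magento's actual API.
PII_KEYS = frozenset({
    "firstname", "lastname", "email", "telephone", "dob",
    "street", "city", "postcode",
    "customer_email", "customer_firstname", "customer_lastname",
    "customer_note", "remote_ip",
})


def pii_values(obj, found=None):
    """Recursively collect the literal strings stored under PII keys."""
    found = set() if found is None else found
    if isinstance(obj, dict):
        for key, val in obj.items():
            if key in PII_KEYS:
                for s in (val if isinstance(val, list) else [val]):
                    if isinstance(s, str) and len(s) >= 3:
                        found.add(s)
            else:
                pii_values(val, found)
    elif isinstance(obj, list):
        for val in obj:
            pii_values(val, found)
    return found


def scrub(obj, token):
    """Return a deep copy of obj with every PII field replaced.

    Non-PII fields (order number, dates, totals, SKUs, country) are kept
    untouched so invoices and accounting records still reconcile.
    """
    if isinstance(obj, dict):
        out = {}
        for key, val in obj.items():
            if key not in PII_KEYS:
                out[key] = scrub(val, token)
            elif key == "dob":
                out[key] = None
            elif key.endswith("email"):
                out[key] = f"{token}@anonymized.invalid"  # stays a well-formed address
            else:
                out[key] = token
        return out
    if isinstance(obj, list):
        return [scrub(val, token) for val in obj]
    return obj


def pii_leaks(original_values, anonymized):
    """Coarse safety net: which original PII strings still appear anywhere?

    Catches PII copied into fields nobody thought of (gift messages,
    serialized payment data, admin comments ...). It is substring based, so
    very short values can false-positive; that is the safe direction.
    """
    blob = json.dumps(anonymized, default=str)
    return {v for v in original_values if v in blob}


def anonymize(customer, orders, now=None, token=None):
    """Anonymize one customer and all of their orders; returns new objects.

    Every record of the same customer gets the same random token, so
    "orders per customer" analytics keep working while nobody is identifiable.
    The token is random, not derived from the customer, so it cannot be
    reversed or recomputed; pass token= only for deterministic tests.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    token = token or "anon-" + secrets.token_hex(8)
    before = pii_values([customer, orders])

    cust = scrub(customer, token)
    cust["is_active"] = False               # the account can no longer log in
    cust["anonymized_at"] = now.isoformat()
    new_orders = [scrub(o, token) for o in orders]

    leaked = pii_leaks(before, [cust, new_orders])
    if leaked:
        raise RuntimeError(f"PII survived anonymization: {sorted(leaked)}")
    return cust, new_orders


# Constructed sample records for demonstration (not real customer data).
CUSTOMER = {
    "entity_id": 42, "firstname": "Anna", "lastname": "Muster",
    "email": "anna.muster@example.com", "telephone": "+49 30 5551234",
    "dob": "1990-04-12", "is_active": True,
    "addresses": [{"firstname": "Anna", "lastname": "Muster",
                   "street": ["Musterstrasse 7"], "city": "Berlin",
                   "postcode": "10115", "country_id": "DE"}],
}
ORDERS = [{
    "increment_id": "000000123", "customer_id": 42,
    "created_at": "2018-03-02T10:15:00Z", "grand_total": 59.90,
    "customer_email": "anna.muster@example.com",
    "customer_firstname": "Anna", "customer_lastname": "Muster",
    "customer_note": "Please ring at Muster, 2nd floor",   # free text with PII
    "items": [{"sku": "WS12-M-Blue", "qty": 1, "row_total": 59.90}],
    "billing_address": {"firstname": "Anna", "lastname": "Muster",
                        "street": ["Musterstrasse 7"], "city": "Berlin",
                        "postcode": "10115", "country_id": "DE"},
}]

if __name__ == "__main__":
    cust, orders = anonymize(CUSTOMER, ORDERS)
    print(json.dumps({"customer": cust, "orders": orders}, indent=2))
```

The final leak check is the part worth copying: in a real shop personal data ends up in places the schema does not advertise (order comments, gift messages, serialized payment or shipping payloads), and a scrub routine that only touches the columns it knows about will quietly leave those behind. Running the check before committing the change, and refusing to proceed if anything survived, turns that silent failure into a loud one.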
To sum up, the General Data Protection Regulation (GDPR) becomes enforceable on May 25, 2018, so there is little time left to get ready for compliance. We hope this article helps; if you have any questions, don't hesitate to contact us!