With the advancement of the IT sector, the amount of data exchanged is increasing exponentially. Almost all organizations use data to improve their services. However, data is often collected without the users' permission, and the number of data breaches is also increasing. Companies tend to freely exploit and exchange users' personal data. The European Union revised its regulations to tackle this problem of data security and privacy; these guidelines are known as the GDPR. Here, we will look at the definition of GDPR, GDPR for Magento 2, and all the rules and regulations surrounding it. Finally, we will see how to fulfil the criteria for Magento 2 GDPR compliance and optimize your Magento 2 store accordingly.
What is GDPR?
GDPR stands for General Data Protection Regulation. It constitutes the rules and guidelines for tackling the increasing number of data breaches and the misuse of personal data by online organizations. These regulations were created to safeguard the privacy and data security of ordinary citizens across Europe.
Laws and Rights Covered Under GDPR
GDPR encompasses the following rights for users:
- The right of Access
- The right to be Informed
- The right to be Forgotten
- The right to Object
- The right to Restrict Processing
- The right to Data Portability
- The right to Erasure
- The right to Rectification
How to Make your Magento 2 Store GDPR Compliant?
Making a Magento 2 store GDPR compliant varies from store to store. GDPR is not a fixed checklist of technical steps but a set of principles, so you will have to optimize your store accordingly to fulfil all the criteria. With that in mind, we have listed some crucial steps that will take you most of the way towards adhering to the GDPR guidelines.
1. Ensure All of Your Tracking Is in One Place, such as GTM (Google Tag Manager)
If your Magento 2 store has several tracking scripts implemented, we suggest you keep them in one place such as GTM. This reduces the work of implementing the GDPR guidelines: GDPR requires you to obtain every user's consent before tracking and collecting their personal data, so if everything is in one place, your tracking can fire from GTM as soon as the user consents. Having tracking scattered across the store means adding consent checks in several places, which is a hassle. If you want, you can check out our Enhanced Ecommerce Tracking Extension, which implements all tracking directly from GTM. Below are the links for both the Magento 1 and Magento 2 versions of this extension.
2. Provide a Cookie Consent Toolbar on the Frontend
The very first step towards implementing GDPR is to obtain the users' consent. Whenever a user visits your store, they should be given the option to accept or deny cookies. This is easily implemented by providing a cookie consent toolbar in either the header or footer of your Magento 2 store. Only once a user accepts a certain category of cookies should you track and collect the respective information. For instance, if the user accepts third-party cookies, you can fire your GTM tracking safely.
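To make steps 1 and 2 concrete, here is an added example (not code from the original post or from the extension it mentions) of a small consent gate in front of Google Tag Manager: tracking events raised before the visitor decides are held back, events for a denied category are dropped, and once a category is granted the queued events are pushed to the dataLayer together with a consent_update event that GTM triggers can key on. The cookie name gdpr_consent, the category names and the ConsentGate API are assumptions; the pure functions run in Node as-is, and only installInBrowser touches the DOM.

```javascript
'use strict';
// Added example: consent-gated tracking for GTM. Not part of the original
// post or any Magento extension; cookie name and categories are assumptions.

const CONSENT_COOKIE = 'gdpr_consent';                      // assumed cookie name
const CATEGORIES = ['necessary', 'analytics', 'marketing']; // assumed categories
const CONSENT_MAX_AGE = 60 * 60 * 24 * 180;                 // remember the choice for 180 days

// Parse a document.cookie string into {category: boolean}. Anything missing or
// malformed counts as "not consented": the gate is opt-in, never opt-out.
function parseConsentCookie(cookieHeader) {
  const consent = { necessary: true, analytics: false, marketing: false };
  const pair = (cookieHeader || '').split(';').map(s => s.trim())
    .find(s => s.startsWith(CONSENT_COOKIE + '='));
  if (!pair) return consent;
  const value = decodeURIComponent(pair.slice(CONSENT_COOKIE.length + 1));
  for (const entry of value.split(',')) {
    const [category, flag] = entry.split(':');
    if (CATEGORIES.includes(category) && category !== 'necessary') consent[category] = flag === '1';
  }
  return consent;
}

// Build the Set-Cookie style string that records the decision.
function serializeConsentCookie(consent) {
  const value = CATEGORIES.filter(c => c !== 'necessary')
    .map(c => `${c}:${consent[c] ? '1' : '0'}`).join(',');
  return `${CONSENT_COOKIE}=${encodeURIComponent(value)}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

class ConsentGate {
  constructor(dataLayer, consent) {
    this.dataLayer = dataLayer;   // window.dataLayer in the browser
    this.consent = consent;
    this.pending = [];            // events waiting for a decision
  }

  // Tracking code calls this instead of dataLayer.push directly.
  // Returns true if the event was sent now, false if it was held back.
  track(category, event) {
    if (category === 'necessary' || this.consent[category]) {
      this.dataLayer.push(event);
      return true;
    }
    this.pending.push({ category, event });
    return false;
  }

  // The consent toolbar calls this with the visitor's decision, e.g.
  // { analytics: true, marketing: false }. Categories not mentioned stay undecided.
  update(decision) {
    this.consent = { ...this.consent, ...decision, necessary: true };
    this.dataLayer.push({ event: 'consent_update', ...this.consent });
    const stillWaiting = [];
    for (const item of this.pending) {
      if (this.consent[item.category]) this.dataLayer.push(item.event);          // granted: flush
      else if (decision[item.category] === undefined) stillWaiting.push(item);   // undecided: keep holding
      // explicitly denied: dropped and never sent
    }
    this.pending = stillWaiting;
    return serializeConsentCookie(this.consent);
  }
}

// Browser-only wiring (not executed in Node). The GTM container is loaded, but
// its triggers must be conditioned on the consent_update event so that no tag
// fires before the visitor has decided. Returning visitors with a stored
// cookie get their consent_update replayed immediately.
function installInBrowser(win, gtmId) {
  win.dataLayer = win.dataLayer || [];
  const gate = new ConsentGate(win.dataLayer, parseConsentCookie(win.document.cookie));
  if (win.document.cookie.includes(CONSENT_COOKIE + '=')) gate.update({});
  const script = win.document.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtm.js?id=' + encodeURIComponent(gtmId);
  win.document.head.appendChild(script);
  return gate;
}
```

In the store, the toolbar's Accept and Deny buttons call gate.update with the chosen categories and write the returned cookie string to document.cookie; product-page and checkout tracking calls gate.track('analytics', ...) or gate.track('marketing', ...) instead of pushing to the dataLayer directly, so the decision is enforced in one place rather than in every tag.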
3. Give Users the Option to Anonymize or Delete their Personal Data
As covered under the GDPR rights, users should be able to delete or anonymize their personal data on your store. So if they request that you delete their data, your store should no longer contain any personal data associated with that particular user. By default, Magento 2 does not allow you to either delete or anonymize users' personal data, so you will need to implement this feature on your Magento 2 store. Also, all personal data that is no longer needed by the store should be anonymized in the database.
4. Update and Include Privacy Policy Consent on Each and Every Form
Revise the Terms & Conditions or privacy policy consent on your Magento 2 store as per GDPR. It should cover information such as what data is being collected, why it is being collected, how it will be used, where it will be stored, who has access to this information, and more. Also, make sure to include the privacy policy consent on each and every form (wherever a user's personal data is being recorded) on your Magento 2 store. It is crucial to have the user's permission before you collect their personal data. In this way, you are fulfilling one of the key requirements of GDPR for Magento 2.
5. Provide Users Full Access to Their Personal Data Recorded on Your Store
As per GDPR guidelines, if a customer requests the personal data held about them in your store, you should be able to provide all of it, even though it may be stored in several places in your database. Also, you are not allowed to charge any additional fee for providing this data. Make sure to extract and provide all the personal data within 30 days of a user's request.
6. Regular Security Tests and Penetration Testing Should Be Performed on the Store
Perform security checks and penetration testing at least once every 3 to 6 months. This will help you discover and patch any vulnerabilities that arise, keeping your store safe from security risks such as data breaches. Restrict access to the admin panel to as few members of your team as possible and implement restrictions based on IP addresses: only people whose IP addresses are whitelisted should be able to access the admin panel. You can perform a basic security test HERE. Add the code below to your .htaccess file to implement the IP whitelist (this applies when Magento runs under Apache with .htaccess enabled). Replace 1.1.1.1 with your own address; the dots are escaped and the pattern is anchored with $ because RewriteCond matches a regular expression, so an unescaped, unanchored 1.1.1.1 would also let through addresses such as 1.1.1.10:
# Redirect any request for the admin panel that does not come from a whitelisted address.
# Replace 1.1.1.1 with your own IP; add another "RewriteCond %{REMOTE_ADDR} !^...$" line per extra address.
RewriteCond %{REQUEST_URI} ^/(index\.php/)?admin/ [NC]
RewriteCond %{REMOTE_ADDR} !^1\.1\.1\.1$
RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]
7. Encrypt All Personal Data at the Database Level
Implement encryption of personal data at the database level. Identify all the tables that contain users' personal data and encrypt them. Refer to the link below to learn how to implement encryption at the database level using MySQL's InnoDB tablespace encryption. Note that this encrypts data at rest, which protects against stolen disks and backups, but data read through the application or by a compromised database account is still returned in the clear, so it complements rather than replaces the access restrictions above.
https://dev.mysql.com/doc/refman/5.7/en/innodb-data-encryption.html
8. Provide Users the Ability to Opt Out of Any Subscriptions on Your Store
If your store has a subscription feature, you must allow users to opt out whenever they want. Also, any emails sent from the store, such as marketing emails, should contain an option to unsubscribe from those emails. Always record the user's consent whenever they subscribe to a certain feature.
Luckily, we have built an extension that implements most of the points on this list. However, please keep in mind that every store is different, so GDPR can only be fully implemented according to each store's features and functionality. So always perform detailed checks before concluding that your store is GDPR compliant. Check out one of our best-selling extensions, Magento 2 GDPR Compliance: Anonymisation of order data. This extension implements various features in accordance with GDPR requirements, and it was the Magento Extension winner for 2019. Learn more about the extension by clicking on the link above and get a free demo for yourself.