GDPR is about to cause a huge change to data privacy regulations in the EU, starting May 25. Yet while a lot has been said about GDPR, little has been directed at Magento store owners and how GDPR will affect them. Simply installing a plugin may work for some stores, but larger Magento sites are going to need to do more.
Here, we’ll look at some of the ways in which the GDPR will mean changes for Magento store owners operating in (and outside of) the EU, and how you’ll be able to make sure your store and extensions remain compliant.
What Is GDPR?
The GDPR is a new European regulation aimed at improving personal data protection for European citizens. It replaces previous regulations implemented over two decades ago.
While the regulations are based in Europe, any business that has online customers in Europe will be affected and need to make changes if they want to remain compliant. This includes if your data storing and processing facilities (data center) are located outside of Europe. Magento themselves have stated that you should probably remain GDPR compliant, even if your store isn’t based in the EU.
The deadline for making sure your organization is in compliance is May 25, 2018.
Find Out More About the GDPR
We’ve already talked about the GDPR at length. Learn more about GDPR, what changes are being made, and why you need to make sure your organization is ready, regardless of what web application you use.
How GDPR Will Affect Your Magento Store
Non-compliance with the GDPR can lead to fines of up to €20 million, or 4% of your prior year’s worldwide annual revenue. So paying attention to the changes taking place is important. Here are some of the things you should watch out for as the regulations come into effect.
IP Tracking and Checking
IP tracking and checking is the process of taking a visitor’s IP address and using it to motivate other actions. This may be done in order to ascertain a visitor’s location, currency, or geographic preferences. With this information, it’s possible to then create tailored store rules for specific customers, such as alternating CTAs (call to actions ), changing available SKUs, and modifying pricing.
Some of our favorite extensions make use of IP tracking to help international Magento stores easily manage their diverse customer base. For instance, GeoIP Store & Currency Switcher use IP tracking and storage to change store location, inventory, currency, and more. Similarly, extensions such as the Magento 2 Store Locator use IP address information in order to find a visitor’s nearest physical store location.
Under the new GDPR guidelines, you will now need to explicitly ask permission in order to do these things. When a customer from the EU visits your site, you will need to make sure they are asked explicitly if their IP address can be collected and stored. This doesn’t just mean on your .co.de site, but also for your .com as well. Any visitor from the EU should be able to either accept or reject your use of their IP address.
Delivering Personalized content to specific audiences is an integral part of maximizing the effectiveness of any website. This is especially true for eCommerce stores. You wouldn’t want to show a user who is interested in a specific type of dress several results for baseballs.
Statistics with thanks to Accenture.
For Magento extensions such as Magento 2 Custom Popup, this will have far-reaching consequences and may mean the removal of this feature from EU portions of your site. This is mainly due to the extension’s ability to track popup indicators and set viewing permissions for different customer groups. These steps involve collecting data – some of which will be seen as personally identifiable information under the GDPR. Explicit permission and opt-outs will be needed.
Relevancy and Minimisation
You should only be collecting and storing data which you will use. If the data is irrelevant, then it shouldn’t be collected. Moreover, multiple copies of that data should not exist.
For some Magento store owners, this may mean cleaning up their databases. The good news is that this will likely lead to faster load times – especially if you properly implement Varnish and Nginx. The bad news is that it may be a lot of time-consuming work.
These restrictions also apply to the period for which you can keep that data. For instance, if you run a competition and several hundred EU citizens sign up through an online form, you must delete that data once the competition is over. That is unless those entries include specific permission for signing up to a long-term program. If not, you must delete them once they become irrelevant to the purpose they were originally intended for.
For Magento extensions such as Multiple Order Emails for Magento 2, this may mean changes to the way in which you store data regarding order emails. If order information is stored in multiple locations, you may have to redirect to a single, pseudonymised, location, or ensure that order email data is deleted as soon as it is no longer deemed relevant.
The GDPR has made note of something called pseudonymisation. This is where all stored personal data must be “unintelligible” without the use of a secondary set of information. In essence, storing personal information directly to your Magento databases is no longer ok when dealing with EU citizens.
A suggested method for ensuring pseudonymisation is through tokenization. Magento themselves have talked about using tokenization in order to store customer’s payment details. Companies like Braintree can help you do this but only for payment information. Under the GDPR, all personally identifiable information collected will need to be pseudonymised. That includes names, locations, IP addresses, race, gender, and more.
Another method is by partitioning space on your server and then separating personally identifiable data so that one single set is not intelligible without the other. Masking is another solution, with partial email addresses and other form data being stored instead of full values.
How you comply with pseudonymisation is up to you. However, you must make sure that personal data is not attributable to a single individual without additional data.
Downloading the Magento 2 GDPR Extension
If you want to remain in compliance with the GDPR, the GDPR Magento 2 Module is an easy way to make changes. This extension makes compliance as easy as clicking:
Configuration > Customers > Customer Configuration > Privacy (GDPR).
Note that personal data stored in other extensions is not affected, so it is recommended that you either wait for Magento developers to start implementing GDPR changes, stop using certain extensions, or make changes to your database system yourself.
Preparing your Magento 2 Store for GDPR
This is by no means is an exhaustive list of everything your Magento 2 store will need to consider when it comes to GDPR. However, it does provide a good starting point for those who specifically target EU citizens.
Note that this guide does not constitute legal advice and is rather an overview of the regulation changes which will take effect. For a full breakdown of the changes taking place, please consult the agreed text from the EUGDPR.org website.