Blog

How to make your Magento store GDPR-proof?

Being the owner of an online store, it is your responsibility to provide the customer with a safe online shopping experience. Since the 25th of may 2018, the safety responsibilities of store owners have increased because of the introduction of the European law: the General Data Protection Regulation (GDPR). This new law has significantly sharpened the privacy requirements that apply to the processing of personal data. In this article we will show you how to make your Magento store GDPR-ready.


The definition of personal data

The GDPR deals with personal data and tightens up the requirements that are needed to process them. But which data are considered to be personal? The official definition states that ‘all information about an identified or identifiable natural person’ should be seen as personal data. This definition obviously includes direct data like someone’s surname and family name, address and date of birth, but also more indirect information like license plates, geolocations and IP addresses.

Rights of the data subject

Modern technological breakthroughs have made it a lot easier to determine the identity of a customer. Therefore, the GDPR is equipped with an extra segment that gives the consumer more control and authority over the gathering and storage of personal data. This extra amount of control is known as the right of the data subject and consists of the following elements.

  • The right to be informed. This means that the store owner has to be able to show for what purpose he is going to use the collected data.
  • The right of access by the data subject. The consumer must be able to determine which personal records are collected and stored by the shop owner.
  • The right to rectification. The customer must be offered the option to unsubscribe to certain services such as automatically sent newsletters.
  • The right to erasure. Can my data be erased? According to the GDPR, the answer should be yes.
  • The right to data portability. The GDPR explicitly states that customers should always be allowed to switch between organisations and be able to reuse their personal data or transfer the information to other parties.

The GDPR and the front end of your Magento store

In order to comply with the GDPR and prevent data leaks and security breaches, you have to adjust the front end and back end of your Magento store. Here is how, starting with the front end of your Magento shop.

1. Cookie policies

Asking permission from your customer starts when they reach the landing page of your store. This has to do with the installment of cookies. You can use functional cookies without customer permission, but this changes when analytical cookies (which register where consumers reside, what websites they visit and what they buy) and marketing cookies (which are usually used for remarketing purposes) come into play.

So if your store uses non-functional cookies (which are not essential for your shop to work), consent from the consumer is necessary. Luckily, Magento offers a standard functionality that can be used to inform visitors about your cookie policy. You must definitely make the following things known:

  • What kind of information is collected?
  • What purpose does the collection of data serve?
  • How is the data collected? What methods are used? Cookies, script, beacons or a combination of these methods?
  • For how long will the information be stored?

2. Age check

The GDPR also closely follows online stores that tend to be a bit sloppy when it comes to checking the age of their visitors. Websites and online stores have to be able to show what measures they take to deny minors access to content that is not suited for the age group. For example, the Dutch beer giant Heineken does this very effectively by obliging visitors to fill out their complete birth date and current whereabouts on a separate page.

3. Privacy statement

Making a good, transparent, understandable and easily accessible privacy statement is also important. Also make sure that the statement is easy to find on your site. There are certain things that you should always mention in your privacy statement.

  • The contact details of your firm
  • The purposes and legal base of your data processing operations
  • The duration of data storage
  • The rights that the persons concerned enjoy
  • The consumer’s right to file a complaint to the AP
  • Contact details of your Data Protection Officer (DPO) if you have one
  • The recipients of the personal data (for example third parties)
  • Information about the storage of data in other countries
  • Info about automated decision making or profiling

The GDPR and your back end

You also have to make some adjustments to the back end of your Magento store to achieve full compliance with the GDPR. These adjustments mainly involve the previously mentioned ‘rights of the data subject’.
The right of access allows consumers to retrieve their personal data. Momentarily, Magento doesn’t have a tool or feature that makes it possible to automatically export data. So this potentially time-consuming task still has to be performed manually.

  • The right to erasure can be guaranteed by not automatically ticking off boxes in your store and by only requesting a minimal amount of information when asking people to sign up for your newsletter. This part of the back end also has to be adjusted manually, although there are certain GDPR extensions available to partially automate the process.
  • When it comes to the right to data portability, the store owner has to choose a generally accepted format when he exports personal data to other parties. No standard functionality yet exists to perform this task. As the owner of an online store, you have to carefully deliberate about a format that makes personal data easily storable and transferable.
  • The right to rectification gives customers more control over their personal data. Addressing this in the back end of your Magento shop usually demands a customized solution, although Magento does offer a standardized option for changing authorisation issues in newsletters.

GDPR and web hosting

Owners of an online store are also responsible for data leaks that (may) occur outside of the direct shopping environment of your store. You are obliged to report a data leak within 72 hours. This highlights the importance of seeking out partner companies that are GDPR-compliant. This is especially true if you are working with foreign partners. For example, if your shop is mainly or partially aimed at the American market, it makes sense to use a US-based server. But as a Dutch (or more generally speaking European) store, you still have to comply with the GDPR. The EU-US Privacy Shield, makes life a little easier. This agreement between the European Union and the United States entails the processing and protection of personal data and tells you if the policies of an American company are in harmony with the GDPR. However, this is no guarantee. You still have to check their terms and agreements and company papers to be absolutely certain. Also make sure to draft good data processing agreements to document (the legal side of) your partnerships with third parties. For example, Hypernode only uses certified international servers like AWS and DigitalOcean to make certain that everything is GDPR-proof.

Payment Service Providers

Do you want to keep a good balance between anonymity and privacy and at the same time minimize the risk that your shop is going to be used for illegal activities like money laundering? Then you are well-advised to use a Payment Service Provider (PSP).
The PSP makes sure that the payment information and transaction data are stored safely. PSP’s are legally obliged to meet all the requirements that the GDPR lays down.

When a consumer asks to erase payment data, he has to take into account that this is only possible up to the point of the transaction. Every shop owner is legally obliged to save his administration and the accompanying documents for a duration of seven years. A processing agreement is the best way to document the accords between you and your Payment Service Provider. You should also let the customer know which PSP you use, preferably before he reaches the check-out process in your shop.

Risks and data risk insurances

Operating an online store in a 100 percent risk-free fashion is impossible. There is, and probably always will be, cybercrime like the theft of personal data, ransomware and malware, the theft of transaction data and card information, the loss of money from your account or reputation damage.

The best thing you can do to protect yourself and your Magento shop against cybercrime is to be well prepared. The good news is that there are good data risk insurances and cyber insurances available out there. They often come with both standardized and customized options and usually offer the following coverage:

  • Privacy claims, including possible fines. This type of insurance covers both claims and the fines that may result from these.
  • Media and network insurance claims.
  • Digital extortion. Malware, which blocks your computer and will only restore access to the device after you pay a certain amount of money (often in the form of bitcoins) to the cybercriminals, is a prime example of this.
  • Image damage and the recovery costs that you have to pay to regain personal data. Data risk insurances usually also pay for expenses that result from security breaches like legal aid or the fees that external experts charge you.
  • Data risk insurances also often offer pre-scans that monitor the potential hazards to your Magento store.

The costs of the aforementioned types of insurance can vary and usually depend on the size of your online store. The more money you make and the bigger the number of clients that you deal with, the higher the price will be. Insurances will only take you as a customer if you have put adequate safety measures in place like the installment of absolute necessities like good and regularly updated virus scanners, backups, regular security patches and software updates. You should also have a solid recovery process in place in case things go wrong.

Conclusion

The new GDPR asks a lot from online stores when it comes to processing personal data in a safe and reliable way. This means that you have to take the job of making your online store GDPR-compliant very serious. It is wise to start as early as possible when it comes to mapping the privacy of customers who visit your store. The new privacy laws prioritise the rights of the persons concerned. Create the essential awareness within your business and take the necessary measures to make sure that your Magento installation, web hosting and PSP are fully compliant with the rules outlined in the GDPR. A data risk insurance or cyber insurance can function as an extra safety net.