On May 25th 2018 the European Union’s General Data Protection Regulation Unit (GDPR) set new rules as to how Magento merchants must deal with customer data.
The new regulations mostly concern personal data and aim to ensure greater care is taken with data that can potentially identify an individual. The overarching purpose was to make sure that all countries within the EU and all vendors operating in the EU adhere to the same standards.
If you’re a Magento merchant that operates outside the EU, you’re probably wondering whether this applies to you. Well, it does in two instances:
- If your product and/or service is available for purchase within the EU.
- If your business strategy involves monitoring potential consumers within the EU.
Unless you’re selling locally outside the EU and have no plans to expand, this is likely to concern you, or will soon. In any case, it’s good practice to be up-to-date with any industry standard involving data, and following the regulations will make data collection and storage more efficient.
You don’t need to make any changes to your physical products. However, your Magento ecommerce store does need to provide a process that allows customers to access their personal data and edit it if they so desire. That is one of the core purposes of GDPR. Customer data needs to be kept legitimate and made accessible: customers should have the right to erase their data and have the option to consent to date and time logging. This is just ONE of the GDPR’s core purposes!
What happens if your business fails to comply? The GDPR has put fines in place for compliance failure: 4% of a company’s annual turnover or €20M, whichever is more. Scary, right? Well, this article exists to walk you through the aspects of the latest GDPR rules to safeguard your store and customer data.
Contents
- No More Assumed Opt-ins
- Only Recording Relevant and Completely Necessary Data
- Update Policy Notifications to Align With New Standards
- Increasing Privacy Link Visibility and Accessibility
- GDPR Compliance With Third-Party Tools
- Improve Data Security
- Data Breach Notifications and Full Disclosure
- Don’t get overwhelmed by the GDPR — Hire Magento Developers
No More Assumed Opt-ins
The consumer must be made aware of data transfer, and must be provided the ability to approve or disapprove of their data being transferred and kept.
Any feature of your site that presumes that the consumer has consented to giving away their data is in breach of these regulations. The most common solution to this is ‘opt-ins’, as they give the consumer the option to opt out. Common examples are landing page pop-ups or end-of-sale newsletter subscriptions, “receive email updates from us,” etc. The key thing to ensure here is that the opt-ins you feature do not assume the consumer is okay with being ‘in’. Both options of being in or out should be equally emphasized. If your opt-in includes a tickbox, the default setting should be to opt out, so the consumer has to take action to show they are comfortable transferring their data.
Only Recording Relevant and Completely Necessary Data
Gaining data about your client becomes malicious when the data is irrelevant to the service, product or feature they came to your website for. For example, an email marketing campaign should not gain a consumer’s physical address (before the point of delivery necessity), while a newsletter subscription has no need for a phone number.
In other words, you need to align any data request with its relevant service. The consumer should be able to assume what pieces of personal data you will need to serve them and then they should have the option to consent to such data being kept.
The reality of this is that it may have a negative effect on your business. The common belief is that the more data you have about your consumers, the better you can tailor your business to their needs. But that’s not always the case. Large portions of data will pose no value to you whatsoever, and will cost you in database storage fees. A new approach to Magento data management will save you costs, as you only store and process that which is necessary and has been consented to by the consumer.
Update Policy Notifications to Align With New Standards
Updating your site privacy policy is essential. All Magento merchants need to make changes to their privacy policy so that it aligns with GDPR regulations.
Your privacy policy builds trust amongst your consumers, especially for those who take caution before using your services or buying your products. It’s about transparency and saying exactly what you do with personal data and the control consumers have over theirs.
Increasing Privacy Link Visibility and Accessibility
It’s all well and good to update your privacy policy, but if a concerned consumer cannot find it, you will never gain their trust. Your new and improved GDPR-compliant privacy policy should be easy to find and made available when data is being passed.
Another very annoying practice that the GDPR aims to remove is hiding the ability to unsubscribe. It’s unacceptable for a popup to force a consumer to subscribe, especially when cancelling their subscription needs them to delve into the lesser-explored corners of your site. It’s things like this that the GDPR wants to get rid of.
It must be simple for consumers to:
- Find links informing them about how their data is handled
- Change their data
- Choose how they interact with your site
The better you are at following these rules, the more your site complies with GDPR regulations and the easier your site is to trust.
GDPR Compliance With Third-Party Tools
Every extension, plugin and feature you install from a third party provides another avenue for your Magento store to be breached. How do you avoid this completely? Only work with or install services that are also GDPR compliant. It would be especially heart-wrenching to experience a data breach or receive a GDPR fine due to a third-party service, after the rest of your Magento store was GDPR compliant!
Improve Data Security
You need to ensure data security for two reasons:
- Because cyber attacks are a constant danger to all ecommerce entrepreneurs
- A fine from the GDPR is nothing you can brush off easily!
Improving data security will protect your business just as much as it protects consumer data. Any security breach, no matter how small, is going to inhibit business growth. You need to monitor and be prepared to immediately patch things during a data breach.
Data Breach Notifications and Full Disclosure
This is about ensuring the best practices following a data breach from a public relations perspective. Honesty is the best policy! Provide full disclosure as to what has happened during a data hijack, who may have been affected and when they can expect any more information.
New GDPR regulations require you to provide timely information to your consumers in the event of a data breach. The best way to do this is to set up an automatic notification process that informs consumers in a timely manner. This is the reality of e-commerce: data breaches will happen. The main thing is that, both in preparation and immediately following a breach, you do everything you can.
Don’t get overwhelmed by the GDPR — Hire Magento Developers
The majority of consumers aren’t too concerned about new GDPR regulations. But it’s very obvious that all concerned Magento merchants need to be well informed and able to make the necessary changes.
These changes themselves are what many Magento users will struggle with: running an ecommerce store can be intense and making major changes to your backend to comply with GDPR isn’t exactly a quick job. It’s going to take time and potentially multiple changes until your business is perfectly compliant. New approaches to data management will be one of the biggest changes merchants will have to adjust to, forcing you to discover a method that makes it easy to find personal data, anonymize it or delete it if requested. This is time you perhaps don’t have while you keep up the general day-to-day operations of your Magento store.
Whether it’s to continue to comply with the GDPR, improve your security or deal with the increased burden of site maintenance that GDPR brings, it’s recommended you hire a Magento developer.
Your first place to look, especially if only requiring a developer for a short period of time, will be a freelancer website. I would only recommend this if you need a small amount of assistance to keep your Magento store up-to-date with GDPR regulations and other industry standards. The best place to find freelance Magento experts is Toptal! If you require maintenance after project completion, then explore long-term hiring options.
One of the best development companies for hiring Magento developers is CodeClouds. They have a large enough development team that they are able to offer Magento specialists, rather than ecommerce generalists. They offer developer packages, which allow clients to extend or decrease their hiring plan as per current requirements. Such plans are usually paid on a monthly basis. If you’re looking to hire dedicated Magento developers, CodeClouds are one of the better options.
One final piece of advice: keep your Magento store as risk-free as possible! The more uncertain you are about GDPR compliance, the greater likelihood you have of receiving a fine. Taking the time to become GDPR compliant will cost less than any fine or repercussions after a security breach. If you don’t have the technical expertise in-house to ensure business and customer protection, hire a freelancer or services from a reputable Magento developer.