Are you EU GDPR compliant?
You must have heard of EU GDPR if you are even remotely related to web-development. If you are a webshop/website owner then you must already be dreading the 25th May 2018 deadline.
We hope you already have a plan of action in place and are working on it with utmost dedication. The deadline is just a few days away and there is still a lot of confusion and discussion floating around this topic, but there are no clear answers.
In the past few weeks, we were busy making Hungersoft.com fully compliant with all conditions and guidelines of EU GDPR. While doing so we also learnt a lot of things and collected a lot of useful information. In this blog post, we will try to summarise whatever we know about GDPR for our customers and readers.
Note that we are not lawyers and this article reflects only our understanding of GDPR legislation from a developer point of view. This article should not be taken as legal advice but only as a reference article. We strongly recommend that you discuss it with your business lawyers and technical advisers and make all the changes that they suggest.
The General Data Protection Regulation (GDPR, EU GDPR, or AVG in Dutch) is the European Union's new data protection legislation, created to make sure that an individual's "right to privacy" is protected even in the age of the wild wild web.
All businesses that deal with any kind of customer data of EU citizens come under the umbrella of EU GDPR. It applies to you if you are located within the EU, and it also applies to you if you are located outside of the EU but offer goods or services to EU citizens. It applies to you even if you only track and monitor the behaviour of EU web traffic. That means it applies to all companies that process and store "personal data" of individuals living in the EU, regardless of the company's location or field of business.
By ‘personal data’ we mean the personally identifiable information which might include IP address, name, addresses, email address, phone number, economic, cultural, or medical and mental health information.
It not only concerns your Magento webshops or WordPress websites but your entire IT infrastructure. All systems where you store any type of customer data should be GDPR compliant by 25th May 2018. If you are not compliant with the new legislation by the end of May 2018, your business might face heavy penalties and fines. You can read about the legislation in detail here.
Neither Magento nor any other reliable company has released any useful extension so far.
This is mostly because EU GDPR is not just about technical changes but more about how you procure, save, process and share customers' personal data. It is more of a 'philosophy' about how individual privacy is important and should be respected and protected. However, this philosophy is now being enforced by this new legislation.
For your understanding, there are 3 major pillars of EU GDPR:
A. Inform customers
B. Take consent
You will have to take definite and active consent/permission from all visitors before you can store any of their data. You will need to implement notification text and approve buttons at all places where something gets submitted on the frontend. It will not be enough to take a common/default consent, and you also cannot have pre-selected tick-boxes for consent. I.e., you have to make sure that none of the check-boxes are selected in advance or automatically. Every option should be manually selected/ticked and approved by the visitor. You also have to keep records of how and when an individual gave you consent.
C. Give control
Customers and visitors should be able to disapprove or reject your request to store their data. They should also be given the option to withdraw their consent at any time, even if they agreed earlier.
Customers should also be given the option to delete all their data from all your systems if they want to. You are responsible for asking your partners (with whom you share customer data) to delete the data from their systems too. You must also make arrangements to give customers access to their data when they ask for it. These requests should be replied to within a month.
Now that you know the basics of EU GDPR, here are some practical steps that you should take to achieve EU GDPR compliance on your website quickly:
- The first thing you should do is move all your tracking code to Google Tag Manager. GTM and GA are GDPR compliant, thanks to Google! You should also anonymize your customer data in GA and GTM. You can use other services too if you are sure that they are fully GDPR compliant.
- The next most important thing you should do is implement a prominent consent/approval mechanism on your site, either in the header or footer of your website. Make it so prominent that it is the first thing visitors notice once they land on your website. This pop-up/toolbar should clearly inform your visitors that the site uses external services like Google Analytics, Hotjar etc. and that these services require cookies to work correctly. The visitor must be able to give or refuse consent. You may set cookies and start tracking only once the visitor has given consent.
- Develop a new section in the 'My account' part of your website from where users can:
  - opt out from all subscriptions, be it newsletters or any marketing tools that you use;
  - delete the data that is stored with your website;
  - choose to anonymize data that cannot be deleted for legal reasons (orders, invoices etc.);
  - download or request a copy of all their data that is stored in your system.
- Make sure that any email you send to your customers (newsletter, marketing emails etc.) has an option for them to opt out from your subscription list. Do not send these emails to customers unless you get explicit consent from them. There must be a visible unsubscribe link in each newsletter email. A return email address should also be clearly mentioned in all emails. You should also add a declaration statement that subscribers can unsubscribe or update their data/consent at any time.
- Newsletter subscription forms also require active consent from the subscribers. Ideally, there should be a description text and a confirmation tick-box to request subscriber approval. The newsletter subscription block should also have clear instructions for the unsubscription process.
- Give customers the ability to download all their data stored in your system, or make sure to have staff available to respond to customers' requests for information about the data stored in your system.
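The two points that are easiest to get wrong in code are "no tracking before consent" and "keep a record of how and when consent was given". The following is an added example (not code from the original post, Magento or Google Tag Manager) of a small consent gate that only pushes a GTM dataLayer event for categories the visitor explicitly ticked, and stores a timestamped, versioned record in a cookie; the cookie name, category names and event name are assumptions.

```javascript
// Added example: gate third-party tags behind explicit consent and keep a
// timestamped consent record. Cookie name, categories and the dataLayer
// event name are assumptions, not Magento or GTM conventions.
const CONSENT_COOKIE = 'gdpr_consent';
const CONSENT_VERSION = 1; // bump when the consent text changes so old records are re-asked
const CATEGORIES = ['analytics', 'marketing'];

// Record what was granted, when, and under which consent text version.
// Only an explicit boolean true counts: an absent or pre-filled value is "not granted".
function buildConsentRecord(choices, now = new Date()) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = choices[c] === true;
  return { version: CONSENT_VERSION, grantedAt: now.toISOString(), granted };
}

// Serialise the record as a document.cookie assignment string.
function serializeConsentCookie(record, maxAgeDays = 180) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Read the record back from a document.cookie string. Missing, malformed or
// stale-version records yield null, which means "ask the visitor again".
function parseConsentCookie(cookieString) {
  const pair = cookieString.split(';').map(s => s.trim())
    .find(s => s.startsWith(CONSENT_COOKIE + '='));
  if (!pair) return null;
  try {
    const rec = JSON.parse(decodeURIComponent(pair.slice(CONSENT_COOKIE.length + 1)));
    if (rec.version !== CONSENT_VERSION || !rec.granted || typeof rec.granted !== 'object') return null;
    return rec;
  } catch (e) {
    return null; // corrupted cookie: treat as no consent
  }
}

// Categories whose tags may fire; no record (or a withdrawn one) allows nothing.
function allowedCategories(record) {
  return record ? CATEGORIES.filter(c => record.granted[c] === true) : [];
}

// Push one consent event to the GTM dataLayer so the container fires tags only
// for granted categories. dataLayer is passed in so this runs outside a browser.
function applyConsent(record, dataLayer) {
  const allowed = allowedCategories(record);
  if (allowed.length > 0) dataLayer.push({ event: 'gdpr_consent_granted', consent_categories: allowed });
  return allowed;
}
```

In the browser you would call `parseConsentCookie(document.cookie)` on page load and `applyConsent(record, window.dataLayer)` only once a record exists; withdrawing consent is just writing a new record with every category false.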
If you do these things, you should be able to cover all basic requirements of the EU GDPR legislation and hence avoid heavy penalties.
Here are some more links that might help you with understanding EU GDPR better (we do not vouch for their accuracy but we found them to be informative):
- Magento, GDPR, and You: 5 Things to Know Right Now
- Is magento compatible for GDPR compliance
- Apply GDPR rules to magento
- GDPR – a brief reality check
- Magento 2 GDPR Compliance Guide
- GDPR – A Practical Guide for Developers
- GDPR details and agreements for all relevant companies related to eCommerce
- GDPR: 10 examples of best practice UX for obtaining marketing consent
- How to Make Your Website GDPR Compliant
- GDPR and Google Analytics: How to continue working with User tracking on digital newspapers
- 5 Actionable Steps to GDPR Compliance with Google Analytics
- GDPR Compliance for those with EU customers
- What does GDPR mean for Magento merchants?
- What Magento users need to know about GDPR in ecommerce
Feel free to contact us if you have any further questions or queries about EU GDPR. We can help you be compliant, confident and ready!