Magento 2 GDPR Compliance Guide

Magento 2 GDPR Integration

In the following post, we shed light on such an important topic as Magento 2 GDPR compliance. The article describes what GDPR is, how to make your e-commerce store suitable for the new legislation, what are the deadlines, and what Magento 2 GDPR extensions and Magento 1 GDPR modules are currently available in the market.

Before we begin, take a look at the Magento 2 GDPR extensions by Amasty and Aheadworks. Both are described in more details in the corresponding section below.

Magento 2 GDPR Extension by Aheadworks

Amasty GDPR Magento 2 Extension

GDPR stands for General Data Protection Regulation. It’s the EU’s new data protection legislation developed after four years of hard work. For instance, data usage in the UK was based on the 1995 EU Data Protection Directive until now. Is it normal to control something on the Internet in 2018 by rules created more than 20 years ago? How many things are entirely different now? The whole Internet became an entirely new dimension since that time, but the legislation of 1995 is still used. Luckily, it will be replaced by the new data protection legislation. Is GDPR good or bad for your business? Let’s try to figure out.

GDPR is good because it introduces stricter fines for non-compliance and breaches. Perhaps, it requires a new control system that will discover non-compliance and breaches more efficiently, but the push towards toughening will make the market better from the perspective of end users who will receive the new treatment concerning personal data security. How many people want to have a more secure Internet? Plenty of EU citizens dream about this, and soon their dreams will come true.

GDPR gives people more say over what companies can do with their data. And that’s a massive jump into the new more user-oriented and personalized experience for each individual. Besides, the new legislation makes data protection rules more or less identical throughout the EU requiring the same standard to be adopted by the Union. So if your Magento website is accessible in several EU countries, you no longer have to follow the unique data protection requirements of each of them since the legislation is going to be standardized.

UPD (24/05/18): No One Is Ready for GDPR

The deadline is tomorrow, but, according to the Verge, no one is ready for GDPR. The regulation gave companies a two-year runway to get compliant, but this term wasn’t enough.  Furthermore, not only the companies but also the regulators can implement the new legislation. A year ago, more than a half of companies had not even started the implementation of GDPR. And since the new requirements are very complicated, not many merchants will be fully compatible with it soon. Luckily, the Magento ecosystem provides a reliable way to implement core requirements via third-party modules, and the Magento 2 GDPR plugin by Aheadworks is the most robust solution. So get your extension copy and be compliant with GDPR. Follow this link for more details:

Get Magento 2 GDPR Extension by Aheadworks

What are the consequences of the reformation?

As we’ve just mentioned, the new legislation was developed with end users in mind. The EU gives people more rights regarding their personal information. As a Magento store visitor, you get all the necessary instruments for controlling how your personal data is used. Moreover, think of Google and Facebook: does everyone likes how these giants interact with data? This situation will be changed soon!

And it’s generally because the current legislation was created long before the appearance of cloud services and all these insane algorithms that exploit data. Do you still remember articles dedicated to Trump presidential campaign and the usage of Facebook? Some specialists claim that the new US president won the elections due to the use of the latest data processing technologies that analyze personal data of Facebook users. In other words, microtargeting paid a crucial role in his campaign.

Thus, microtargeting becomes a powerful instrument that can be used by politics. And you might have seen the right-winged movement rapidly gains popular in many EU countries. Can we consider GDPR the new instrument of political and social stability for the EU?

Unfortunately, we are non-experts in this area, so let’s return to the e-commerce aspect of the topic. While by strengthening data protection legislation, the EU wants to improve trust in the emerging digital economy, it also gives businesses a new clearer environment to operate in. Since all the countries get the same data protection law, this will save companies a lot of money. According to some estimates – approximately €2.3 billion a year collectively.

What is the GDPR deadline?

Unfortunately, you don’t have much time to make your business ready for the new data protection legislation. It comes into force on 25 May 2018. Despite the GDPR deadline, there are still many companies which haven’t start the modernization of their websites. The majority of security professionals know about GDPR, but more than half of them are not preparing for its arrival. If you are in the majority, please, keep reading the article, below, we shed light on implementing GDPR for Magento 2 and 1.  

Do I need to abide by the GDPR?

There are two types of businesses which need to abide by the GDPR. They are data controllers that must state how and why the data is processed and data processors that must run the actual data processing according to the new standards. Any organization could be a data controller. The range is extensive from a profit-seeking business to a charity organization. As for a data processor – it is any IT firm doing the actual data processing. As a Magento merchant or an e-commerce store owner, you need to abide by the GDPR.

There is also one VERY IMPORTANT thing we must mention here. Even if your company is a controller and no data processing takes place in your office, you have the responsibility to ensure your processor abides by GDPR.

What about foreign businesses?

If the company is situated outside the EU but operates with the data of EU residents, it is still necessary to comply with the new data processing standards. So, non-EU merchants, welcome to the game and get your online store prepared for the new data processing epoch!

What is consent and how to get it?

Pre-ticked boxes or opt-outs are no longer useful. Now, you must make your website visitors more educated. Consent is active, affirmative action by the visitor (data subject). Therefore, passive acceptance is considered a GDPR violation.

As a controller, you must keep a record of how and when an individual gave consent. Furthermore, any individual may withdraw their consent anytime. Seems like a nightmare especially for e-commerce stores with thousands of daily visitors, doesn’t it?

Also, note that the term ‘personal data’ has the new definition under the GDPR. Even IP addresses are considered personal data. Besides, the personally identifiable information includes economic, cultural, or mental health information.

Even pseudonymized personal data is a subject to the new legislation. And it is not a joke. Here at Firebear, we are also surprised, but we understand the importance of the new definition since it makes individual digital space safer allowing people feel more comfortable both online and offline.

What about data storing?

If your website stores personal data, you must be ready to provide customers who ask for access to their data with a response within a month. It is also necessary to be transparent about many new aspects of your business.

  • Firstly, you must inform visitors about how you collect the data.
  • Secondly, it is necessary to provide a description of what you do with it.
  • Thirdly, tell visitors how you process information about them.

Don’t forget to use plain language and avoid the usage of too complicated terms while describing the aspects mentioned above. Your clients should understand what you are talking about. If they don’t, it seems to be your problem according to GDPR.

What new rights do people get?

Below, you can see a list of new rights individuals get after GDPR comes into force.

  • Access to any information a company holds on individuals;
  • Right to know why that data is stored and processed;
  • Right to know how long it’s stored;
  • Right to know who has access to it;
  • Right to get direct access to review the stored data;
  • Right to ask for data correction if it is incorrect or incomplete;
  • Right to be forgotten: an individual can ask you to delete the data if it’s no longer necessary to the purpose for which it was initially collected.

According to the last condition, you, as a controller, is responsible for telling other organizations to delete any links to copies of that data. The copies must be deleted as well.

What else should controllers do?

Two important aspects should be mentioned in our article. First of all, the data must be stored in common formats. For instance, you can entirely rely on CSV. Why is it necessary to do so? Because of the second aspect.

If an individual asks you to move data to another organization, you should do that. There is only one month to provide the specified organization with the data in commonly used format!

GDPR Criticism

Robert Madge marks the following GDPR loopholes

  • ‘Controllers’ from the outside. According to the GDPR, when their personal data is controlled by organizations outside the EU, it must be protected in keeping with the legislation. But it may not. Due to weaknesses in the wording of the law, some organizations may collect data ignoring the GDPR. Once it ‘escapes’ from the legislation mechanisms, it can be passed to others without legal protection.  
  • Protection is lost. Even if the collection of data satisfied the GDPR requirements, it may be transferred to third-parties escaping the protection.
  • Invisible data chain. If organizations obtain data indirectly, the application of the law may be only theoretical, especially when it comes to “data chains”.
  • Inferred data. When the data stays personal, users may lose multiple benefits. And organizations may take advantage of that as usual.
  • Legitimate interests. Processing personal data after considering the interests of the individuals may be considered a loophole in the law.

For more detailed descriptions of each GDPR loophole, follow this link.

You can find more GDPR criticism here. And don’t forget to explore the official GDPR documentation before making any conclusions. 

Magento GDPR Compliance Extensions

Now when you know some core aspects of GDPR and understand the influence of the new personal data protection legislation on your business, we’d like to draw your attention to several Magento GDPR extensions designed for the implementation of the new standards. Note that neither of the following modules provides the full integration.

Magento 2 GDPR Extension by Amasty

With the Amasty GDPR extension, you will get all necessary tools to make your Magento 2 website compliant with the GDPR legislation. The module provides all tools necessary for collecting and processing customers’ data most transparently and efficiently.

Below, you can see how to configure the extension:

Now, customers can accept policy right on the checkout page:

Anonymization of personal data changes looks as follows:

For further information, check our review or follow the link below:

Download / Buy Amasty GDPR Magento 2 Extension

Magento 2 GDPR Extension by Aheadworks

This is the most robust Magento 2 extension that provides merchants with a necessary toolset to comply with the most essential GDPR regulations, especially with the right to be informed, access, erasure, and port data. As for data protection policy consents, they are collected on multiple pages, including registration and checkout. Below, you can see a grid with data access requests:

Furthermore, the extension revamps a customer account, so that registered users can easily ask to delete or copy their personal data. Take a look at the screenshot below:

And the Magento 2 GDPR module enables a customer verification mechanism that effectively protects data against fraudulent activities. Furthermore, all customers can be divided into groups according to their statuses and intentions. And with the provided API, you can retrieve and delete data even from third-party apps. For further information, follow this link:

Get Magento 2 GDPR Extension by Aheadworks

Magento 2 GDPR extension by Mageplaza

Magento 2 gdpr extension

Another GDPR module for Magento to that allows:

  • Deleting a customer account;
  • Deleting the default address;
  • Managing Billing Documents;
  • Implementing Cookie Restrictions.

For further information, follow this link:

Get Magento 2 GDPR extension by Mageplaza

Magento GDPR Support by ZERO-1

Magento 2 GDPR Compliance

If you still use Magento 1, then this is a must-have module for implementing GDPR on your website. The extension is totally free, and it is designed to provide such services as Cookie Compliance and Customer Data Anonymisation.

Besides, it adds multiple vital features to make Magento GDPR-compliant.  Unfortunately, the Magento platform doesn’t support the removal of customer data on request. But you will get this opportunity with the Magento GDPR extension by Zero-1.

Besides, you will be able to delete customer cart data quotes and customer order data for failed orders – the new laws require both procedures. And you will quickly avoid ALL non-essential cookies from operating UNTIL express consent has been granted.

Below, you can see an image of a customer account with new features. Under the Delete Account tab, a customer can view, edit, or delete his/her information following GDPR:

GDPR Magento Integration

For any further information, follow this link:

Download Magento GDPR Support Extension by ZERO-1

AdFabConnect Magento 2 GDPR Compliance

If you already use the Magento 2 store to run your e-commerce business, then it is necessary to install the Magento 2 GDPR compliance module by AdFabConnect. The extension will add all the essential tools and features that provide successful GDPR implementation for Magento 2.

It adds a new huge backend section under Configuration -> Customers -> Customer Configuration -> Privacy (GDPR). Here, you can enable/disable all provided features, making your Magento 2 store GDPR-compliant. It is also necessary to mention that the Magento 2 GDPR extension does not affect any third-party modules, which can store personal data. Thus, the integration becomes more complex, since you should ask module providers for custom improvements.

Magento 2 GDPR Compliance by AdFabConnect is totally free, and you can get it here:

Download Magento 2 GDPR Compliance Extension by AdFabConnect

Final Words

Let’s summarise everything we’ve just said in the following steps:

  • Inform everyone in your organization that the law is changing to the GDPR. People should understand the impact of the new law.
  • Get ready to organize an information audit: everything should be documented and appropriately stored.
  • Review your privacy notices and adopt the Magento store to the new requirements.
  • Beware of the new rights individuals now have (we’ve just described them above).
  • Create a mechanism for providing data on a request within the new timescales.
  • Identify the lawful basis for processing activity and explain it via the updated privacy notice.
  • Don’t forget about the new way of getting consent (and the new meaning of consent).
  • Verify individuals’ ages and to obtain parental or guardian consent for data processing.
  • Provide procedures for detecting, reporting, and investigating personal data breaches.
  • Remember all your responsibilities related to third parties: data processing services and extensions you use in your e-commerce business.

GDPR Compliance Useful Links

For any further information about GDPR, check the following links: