GDPR & Magento
What does the new General Data Protection Regulation (GDPR) mean for business owners using Magento e-commerce?
As a business owner, you are what is known as a data controller. Your web hosting company, your Magento developer and any marketing tools you use (dotmailer, MailChimp etc.) are known as data processors. Processors have their own obligations under GDPR, but the controller remains accountable for the protection of any personal data it holds, including the data it hands to processors.
GDPR covers all personal data held in your business & with your 3rd party processors.
All your data processors and sub-processors have to be GDPR compliant, and you need a written contract (a data processing agreement) with each of them setting out what they may do with the data.
GDPR does not supersede other laws. For example, if you have to keep personal data to justify V.A.T. charges, then that data has to be retained for as long as tax law requires.
What you need to do
Assign a staff member to look after data protection and get them data protection training and a certification. This is typically someone at board level, since they will be the point of contact for the supervisory authority and for data subjects, and in practice the role is usually covered by the company's indemnity insurance.
Specify what information you collect and store from website visitors (e.g. IP addresses, device information, access logs, cookies, visit duration and tracking, mouse and swipe actions, email, phone, name, and shipping and billing addresses).
Specify who has access to this personal data (e.g. you, MailChimp, Google, dotmailer etc.).
Specify the contact details of the assigned Data Protection Officer in your business.
Specify how an individual can lodge a data subject access request.
Specify how long you hold personal information, and on what basis that retention period was chosen.
Remove any automatic opt-ins
In online forms all consent checkboxes must start empty. A pre-ticked box cannot be used to imply acceptance, and consent for marketing must be separate from acceptance of your terms and conditions.
Only collect information you require to run your business
Delete any personal information held on servers, in Excel sheets, XML files etc. that is no longer used. This includes exported files containing personal information and emails with attachments.
"If you do not have the information you do not need to protect it."
Keep only one live copy of each item of personal information. Keep additional copies only for backup and restore purposes; as a rule of thumb, up to four backup generations is reasonable and keeping more will need to be justified. Record the location of the backups in your data audit.
It is unlawful to collect extra information on the basis that you may find a use for it in the future (the data minimisation principle). You must delete any information you hold about individuals that you have no current use for.
All data breaches need to be actioned with a preventative measure & recorded
Examples of data breaches:
Personal information being passed to, or coming into the possession of, an unauthorised data processor or sub-processor.
Transferring personal data to a country outside the EEA that has no adequacy decision and no other appropriate safeguards in place (e.g. standard contractual clauses).
Passing personal data to a third party without the knowledge of the data subject.
Personal information leaked as a result of a hack on a website, or a lost or stolen device or backup containing personal data.
Implement a data breach process & plan
Have an action plan in place and run worst-case scenarios to test it. The plan needs to get you from detection to a decision on notification quickly, because the clock for reporting to the supervisory authority starts when you become aware of the breach.
“A data breach handled incorrectly can do untold damage to your brand.“
Have a process in place for when someone asks for a copy of their data (a Data Subject Access Request, or DSAR).
"I have a request for all the personal data we hold on an individual to be disclosed to them. What do I do?"
Verify their identity, asking only for the minimum needed to be sure the requester is the data subject.
Make sure you actually hold data on the person before processing the request. If you do not have the data, respond and say so.
Do not create more personal data while performing the request.
Process the request, checking every location listed in your data audit (Magento database, email marketing tools, support mailbox, backups).
Record it in your data audit log.
Do it within one month of receiving the request. This can be extended by up to two further months for complex or numerous requests, but you must tell the individual within the first month if you intend to do so.
Update your contracts, NDAs and the privacy policy on your website
All staff need to have signed NDAs and completed data protection awareness training. A good rule of thumb is to include all staff, even those who do not have direct access to personal information in the normal course of their duties.
All customer contracts have to be updated with a GDPR clause.
It is a good opportunity to do a data cleanup, make sure all your subcontractors are operating lawfully, and check that you have valid contracts with your customers.
If you have a data breach you must report it to your supervisory authority (the Data Protection Commission in Ireland) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, you must also inform them directly. Failure to report is itself unlawful. You may be sued for not protecting personal data correctly, and if your processes are found to be defective you are liable for fines as well as the loss of reputation and loss of business.
What you can no longer do
1. You cannot send unsolicited marketing emails to anyone who has not consented. No more purchased lists, and no merging of lists from different companies into your own list.
2. You cannot auto-email abandoned shopping carts offering discounts unless the shopper has opted in to email at the top of the checkout.
3. You cannot refuse to give customers their personal details on request.
4. You cannot send unsolicited marketing text messages to mobile phone numbers.
We have provided a brief outline of GDPR from an e-commerce standpoint. We strongly advise businesses to have one person who is data protection certified.
Perform a data audit. Record the location of all personal data stored in your organisation, who has access to it and how long it is kept. Keep this record updated for audit and inspection; it will also act as the source for handling data subject access requests in the future.
Make a data breach plan.
Complete a data risk assessment.
Perform a data breach dry run.
Update your policies & contracts to include GDPR compliance.
Have a process in place for responding to individuals' requests for the information your business holds on them.