What is the General Data Protection Regulation (GDPR)?
In a nutshell, the General Data Protection Regulation, or GDPR, is a single privacy framework that aims to ensure that personal data of individuals is handled with caution and care. It applies to organizations established in the European Union (EU) that process personal data and to organizations based outside the EU that either offer goods or services directly to individuals in the EU, or monitor behavior of individuals in the EU (for example, through customer profiling).
The GDPR regulations are designed to protect a wide range of information. Basically, anything that could be used to identify a person in any way, even indirectly. That means, for example, that names, email addresses, photos, ID numbers, health data, biometric data, location data, and financial data are all included. IP addresses, social network posts, and web-based cookie data are also included on that extensive list. If something is in any way relevant to the “physical, physiological, genetic, mental, economic, cultural, or social identity” of a person, it is considered personal data.
The GDPR gives individuals control of their personal data. There are a number of data “rights” that are granted to a person so that they can control how data related to them is used. Some of these rights are:
- Right to Access – customer has the right to access the data stored
- The right to be informed – customers have the right to know how their data will be used
- The right to be forgotten – Provide “forget me” function that deletes all traces of customer from all databases & records.
Companies can store or process affected data only when the associated individual explicitly authorizes it. And even then, GDPR puts firm limits on the length of time the data can be kept. Additionally, the GDPR mandates notification on data breaches within 72 hours of discovery. This means that if your company or website has data stolen, then it must be reported and a process to prevent future intrusions must be put in place.
Once GDPR comes into effect, any organization found to be in violation could be fined up to 4 percent of its global annual revenue or €20 million (about $23.7 million in current U.S. dollars), whichever is higher.
If you’re like most Magento store owners, the idea of losing millions of dollars due to a matter of non-compliance is sorta terrifying. So we’ve put together this handy guide, providing the answers to some of the most frequently asked questions posed by our clients.
Is Your eCommerce Store Compliant?
Probably not yet. But it’s not as scary as it may sound. The GDPR doesn’t go into effect until May 25, 2018 and Magento is actively working to be compliant by the upcoming deadline, as is BigCommerce.
The Magento team is working on a data mapping exercise to identify all locations where personal data is stored in the system. This mapping will initially be provided only as documentation. Tools to automate the listing, exporting, and deletion of customer data may be considered in the future. Read Magento’s FAQ on GDPR for more information.
BigCommerce is also actively working to meet GDPR compliance, and has provided more details on how they recommend clients create their own plan.
What Does The GDPR Update Mean For You?
Even if your organization is not established in the EU, you will need to comply with the GDPR if your products or services are sold to individuals in the EU, or if your company monitors the behaviors of individuals living in the EU. Most of our clients should assume that they need to be compliant.
At Human Element, our developers are actively reviewing Magento extensions and are in contact with partners to provide our clients all the information they need to understand the individual impact of the regulations to their organization. Of course, for final compliance you should review your plans with your legal counsel.
Whether or not you are a client of Human Element, this update means you have some homework to do. Understand the regulations and review what your partners are telling you about their technologies and how they may impact your site and your digital marketing initiatives.
Where Should I Start?
Under the GDPR, every business is responsible for knowing how data is collected, processed, and disseminated by their organization. As a starting point to determine your steps to GDPR compliance, you will need to document what data your company collects about customers and how that data is being used. Additionally, you will need to know what data your company is sending to vendors and other 3rd parties and what their plans are for GDPR compliance.
What’s All This About Cookies?
Cookies are small files which are stored on a user’s computer, and can hold data specific to a particular client and website. Most websites use some form of cookies at the moment. This data can be accessed either by the web server or the client computer.
Under existing rules, cookies that are not strictly necessary require consent, and the definition of consent and the requirements associated with it, changes under the GDPR. Implied consent is no longer sufficient to utilize cookies. Consent must be given through a clear affirmative action, such as clicking an opt-in box or choosing settings or preferences on a settings menu. Simply visiting a site doesn’t count as consent. A few background articles on Cookie Consent can be found here, here and here.
How Much Development Time Should You Expect This To Take?
The reality is GDPR is much more focused on process and data transparency to the user rather than technical security requirements. However, GDPR does require that you have processes to completely remove any data which you hold on a customer. This can be done manually and the Magento data mapping documentation should detail exactly where these records live. Keep in mind that for a specific long term solution you should talk to your Human Element Account Manager to coordinate a plan specific to you.
The main bulk of the work will not be with your eCommerce platform but will be specific to user data you are collecting using other services such as email marketing, retargeting, and tracking on-site user behaviors. You will also want to take a look at how you’re collecting personal data in reviews, forms and customer account profiles. At the end of the day, you want to be sure that your vendors do not store, further process or forward the data they have used to provide you the service. Check the contract. If you’re not satisfied with what you see, ask them specific questions. Below is a list of resources from many of our partners on how to handle GDPR specifically for your particular eCommerce marketing stack.