GDPR for Magento 2

What is GDPR?

General Data Protection Regulation is a set of rules made to protect consumer’s interests and control the companies that collect, process and store the data. Personal data can refer to any information used for identifying a person’s contact details, names, IP addresses, etc. The regulation applies to all organizations that run e-commerce sites in the European Union(EU) and therefore should take necessary steps to make their e-stores GDPR compliant.

The organizations face potential fines for misusing the data and thus makes it easier for people to know what information organizations collect. In particular, transparency about data of the people comes in hand, people can know what data the organizations collect about them, in which purpose the organizations use them for and also enable people to prevent unnecessary data collection.

What is GDPR Compliance?

Data breaches usually happen. Those people who were never intended to see the data and often have malicious intent, hacks the personal data which gets lost or stolen.

Under the terms of GDPR, personal data is to be collected with the user’s consent and under strict restrictions by the organizations. Those who collect the personal data/ information are required to protect it from misuse and exploitation.

All the organizations that process data must disclose the following:

1. Type of the data that is collected.
2. Purpose of collecting the data.
3. The method that is used for collecting the data
4. How long the data is in use.
5. Whether or not shared with others.

Abbreviations used for GDPR:

Data Subjects: Magento users meet the GDPR definition of “data subjects”. Data subjects are 2 key rights i.e, “the right to data portability” and “the right to data forgotten”.

Data Controllers: Data controllers determine who shall be responsible for compliance with data protection rules and how data subjects can practice their rights. For example, a business collecting a customer’s details, a school, college or university holding student’s records.

Data Processors: The role of data processors could include storing data, retrieving data, carrying out marketing activities, providing security to the data. For e.g, Vendors.

Database Attributes

Magento 2 customer-specific information in the form of orders, quotes, customer, address and payment details. All other tables contain the reference ID of the customer.

1) Customer information and data: The customer aspects, such as first name, middle name, last name, name prefix, name suffix, gender, and date of birth stored by Magento.

2) Address information and data: Magento 2 stores data and information, including first name, last name, name prefix and suffix, city, country, telephone number, stress address, fax, state/provide ID, VAT number, Zip/Postal Code, and country.

3) Order information: The platform also stores data, such as the name of the customer, billing and shipping addresses, and other relevant data.

4) Quote data: Data like attributes like name, email, address, and related information are stored.

5) Payment information: The data, which include the credit card information of customers, as well as other payment information are stored in the payment table.

Sparsh Technologies’s GDPR Extension

Along with the development of the Internet, customers are more concerned about their personal data and privacy issues. The more data customers provide on the internet, the more possibility is those data to be tracked, stolen and misused. Customers will be the direct victims that will be suffered from fraud and data leaking. Considering customers’ issues, merchants try their best to standardize their security policies to follow a range of international certified regulations, which is referred to as GDPR. However, it is not easy to manually regulate every single action of the system to comply with those complex principles.

Hence, Sparsh Technologies’s GDPR Extension came into the picture. The aim is to protect customers’ private data and give them their rights to control their data fully. This extension allows customers the ability to remove unnecessary data. Customers can also anonymize their identity when shopping if they feel insecure to provide their personal data.

Feature List:

1. It allows you to implement a cookie compliance customized notification message on your website.
   The cookie notification banner requesting user consent appears as soon as the user lands up on your website.
   The cookie notification can be optional or mandatory for customers to accept before browsing through the website.
2. It allows registered users to delete their accounts including newsletter subscription from the front end with the help of option provided under my account section.
3. Admin can either accept or reject the request to delete the customers’ account.
4. It will ask the current password of the customer and reason in the front end to delete their account.
   A popup window confirming the current password with the reason will be asked.
5. It will ask the current password of the customer to allow the customer for an anonymous account.
   A popup window confirming the password will be asked.
   
6. Display which information will be deleted with the deletion of the customer account.
7. Confirm by email to delete a customer account.
8. Confirm and send anonymous details by email.
9. Enables admin to customize cookie message.
10. Eliminate billing information on an order, invoice, credit memo, shipment details.
11. It allows admins to change Email Templates from admin panel.

Google Analytics settings for GDPR:

*You can also Read: Magento Integration with Google Analytics*

Steps to become GDPR compliant with Google Analytics:

Step1: Update the Google Analytics settings

1. Sign in to your company’s Google Analytics account.
2. Select Admin on the left sidebar panel. Afterwards, you can go to the account you wish to edit.
3. In the Account section, click Account Settings. Then update the following settings to support GDPR settings:
4. Turn Off Data Sharing.

Your company data is going to be shared with Google by default, to turn off data sharing remove the checkmark from the following settings:

1. Benchmarking.
2. Technical support.
3. Account specialists.

Accept DPA(Data Processing Agreement):

1. Scroll down the page to the Data Processing Amendment. Then, tap View Adjustment.
2. To read the Google Ads Data Processing Terms, tap on the Review Amendment. Tap accept afterwards.
3. To complete the DPA details, click Manage DPA Details.

4. Click Edit on the Legal Entities section. Then, do the following:

   Enter the data of the first contact. Mark the checkbox of every role afterwards.

   1. Primary contact: The contact of whom all notices are sent.
   2. Data Protection Officer: The person who is designated to facilitate the GDPR compliance.
   3. EEA Representative: The person who represents customers regarding their GDPR obligations.
5. When finished, click Add.
6. If you want to add another contact role, then repeat the process again.
7. When finished, click Save.

Step 2: Anonymize IP addresses.

1. On your web server, make the IP addresses used by Google Analytics anonymous by using the following snippet to the analytics.js library.

- ga(’set’, ‘anonymizeIp’, true);

- ga.js

If you’re using the legacy ga.js library, you may add:

ga(’set’, ‘anonymizeIp’, true);

2. For making the IP addresses used by Google Tag Manager anonymous, on your server, set the anonymiz.jp parameter into true in the gtag.js library.

gtag.js

gtag(’event’, ’your_event’, { ‘anonymize_ip’: true })

Step 3: Update your Privacy Policy

The most important step is to update your Privacy Policy under GDPR which should be clear, concise and easy to understand.

When writing your privacy notice, You should consider the following questions:

1. What data is being collected?
2. Who is collecting it?
3. How is it collected?
4. Why is it being collected?
5. What method is used for collecting?
6. Who will it be shared with?

Features in Sparsh Technologies’s GDPR Extension.

1. Delete customer’s data like orders, newsletter subscriptions, shipment details, invoices, and credit memos.
2. Asks users for privacy consent on the registration page, contact page and newsletter form.
3. Store the log details on the backend side of when and from where the customer accepted the consent from the website.
4. Get the user's deletion requests and manage them in one place. Allows admin to delete the account history of a particular customer i.e, The customer account will only be deleted if admin from the backend side accepts it.
5. Notify admin through Email whenever the user wants to delete their account.