Magento 2 GDPR Checklist - Comprehensive Guide for Beginners

Since the GDPR (General Data Protection Regulation) took effect on 25th May 2018, it has brought significant changes to privacy policies worldwide.

Now, regardless of the debate and criticism happening across the world, the GDPR legislation and its sanctions are very real.

In fact, violations of the GDPR can result in heavy financial penalties, as high as 4% of the annual global profit or €20 million, whichever is higher.

Therefore, it’s extremely important to understand this new legal framework and figure out exactly what you need to do to fully comply with the GDPR in your Magento 2 store.

Fortunately for you, we’ve put together a comprehensive Magento 2 GDPR checklist guide that will give you a complete understanding of everything you need to know about GDPR, from where to start to what to work on.

What is GDPR?

GDPR stands for General Data Protection Regulation. It’s a new data protection law that was developed over 4 years of hard work.

The GDPR determines how the personal data of EU citizens and residents may be processed, both within the EU and in other countries.

Simply put, the main objective of the GDPR is to give control of personal data back to the citizens and residents of the EU, meaning they decide who has access to their personal data.

This includes the right to demand that any personal data previously stored by an online store or business be corrected quickly or deleted permanently.

Now, complying with the GDPR can certainly seem like a daunting and resource-heavy task at first, but on the bright side, the GDPR can also help businesses find out who their real subscribers are: the ones who actually want to hear from them.

Whom Does GDPR Apply to?

Many eCommerce companies, including many of our own clients, believe that the GDPR was created by the EU and only for the EU, so it should only affect EU eCommerce companies.

But this is simply a wrong assumption.

The truth is, the GDPR applies to anyone who handles the personal data of EU residents or citizens.

That means if you’ve ever collected an EU resident’s or citizen’s personal data, such as name, address, contact number, etc., then the GDPR applies to you or your business, no matter where in the world you are.

Now, it is obviously difficult to tell whether you have any European subscribers or customers, especially in the eCommerce business.

But if you have even just a hundred customers, chances are many of them are European.

So, it’s crucial to make sure that your online store adheres to the GDPR, because if you don’t, even a single case of mishandled personal data can cost you a lot of money.

And not only that, but it may even end your eCommerce adventure altogether.

GDPR for eCommerce - 3 Essential Factors

GDPR sanctions are definitely scary. But the good news is, preparing your Magento 2 store for GDPR is not that hard.

To make sure your eCommerce store complies with the GDPR, you need to remember just the following 3 essential factors.

  1. Consent - The end user must have agreed to be included in your marketing campaigns.
  2. Data Protection - You must provide adequate protection for users’ personal data at all times.
  3. Correction or Deletion - If a user asks you to correct, restrict, or delete his or her personal data that you hold, you must fulfill that request quickly.

Let’s go through each of these essential factors in depth.

1. Consent

Consent is one of the most important parts of the GDPR for eCommerce businesses.

To put it in the simplest terms, only if a user has consented to both your message and the communication channel are you allowed to continue doing as you always have.

But if a user does not consent to your message or to the communication channel, then you’re not allowed to send them any kind of marketing material or advertise to them.

This is why it’s extremely critical to get consent before you collect their personal data and send them various messages.

And it goes without saying that this applies to all types of marketing, including emails, newsletters, SMS/text messages, retargeting, Messenger, and so on.

So, unless you have explicit consent from users to receive these kinds of marketing messages, you must not send them, or else face heavy financial penalties.

2. Data Protection

The second essential factor of the GDPR, for eCommerce businesses as well as other businesses, revolves around personal data protection.

Once a user consents to you storing and processing their personal data, it becomes your responsibility to make sure that their personal data is adequately protected.

This personal data includes a user’s:

  • Name
  • Physical Address
  • Email Address
  • IP Address
  • Demographic data (age, location, etc.)

So, if you’re storing any of the above-mentioned data from your customers or shoppers, then you need to ensure its adequate protection.

Speaking of adequate protection, you might be wondering what exactly “adequate protection” means.

Well, according to the GDPR, businesses are supposed to appoint a Data Protection Officer (DPO), who is responsible for ensuring the security of your customers’ personal data.

It also states that while businesses that process large amounts of customers’ personal data are required to appoint a DPO, smaller businesses (including eCommerce stores) are in the clear.

However, it’s still important for small eCommerce stores to ensure adequate data protection.

3. Correction or Deletion

The last essential factor of the GDPR for eCommerce concerns users’ requests to have their personal data corrected, modified, or deleted.

The GDPR gives European residents and citizens the right to complete control over how their personal data is used.

For that reason, you need to change or erase the personal data of any EU customer within a reasonable time when he or she asks.

Now, we are not sure how long this reasonable time is, but for eCommerce businesses, we think it should not take more than one week from the day the request is made.

GDPR Checklist for Magento 2 eCommerce Stores

So, now that you know all 3 essential factors of the GDPR for eCommerce businesses, it’s time to discuss the GDPR checklist, which helps to ensure that you’re following all the rules and are prepared to do business with EU residents and citizens.

1 - Find Out What Personal Data You’re Collecting & Storing

The first thing you need to do to comply with the GDPR is identify which personal data of your customers you are collecting and storing.

Generally, most eCommerce stores collect the customer’s name, phone number, email address, demographic information (age, location, etc.), and payment information (credit card number, PayPal ID, etc.).

But when you collect the above-mentioned data, you must also make sure that your customers understand why collecting their personal data is mandatory.

For example, if they don’t provide their email address, they won’t be able to create an account on your online store, and if they don’t provide their payment information, they won’t be able to place orders.

2 - Ensure That You Gather Customers’ Personal Data Fairly

While getting customers’ consent to collect their personal data is important, you also need to ensure that they’ve consented to being marketed to.

In simple words, if you run a newsletter, make sure to explicitly ask whether or not they’d like to receive it.

This is one of the reasons why we always recommend getting our Magento 2 Cookie Consent Extension.

3 - Keep Customers’ Personal Data Only for As Long As It’s Necessary

Since you’re an eCommerce business, you don’t really need to worry about this one, as you’re simply selling products to customers.

This is mainly because, even if a customer has not bought from you in a year or more, there is still a possibility that you’ll sell to them sooner or later.

However, you’re still required to get their consent in the first place.

4 - Hire a Data Protection Officer

While this isn’t necessary for all eCommerce businesses, as discussed earlier, you still need to make sure that the personal data of your customers that you’ve collected and stored is completely protected.

For example, even if you don’t deal with large amounts of personal data in your eCommerce business, you still need someone, which can be you, to regularly inform customers about the data protection measures you’re using.

5 - Make Sure That Customers’ Personal Data Protection is One of Your Core Activities

If you’re planning to launch a new campaign, you as the business owner need to make sure that your customers’ personal data protection is one of your top priorities.

This includes making sure that there is no situation, accidental or intentional, in which you reveal your customers’ personal information.

6 - Protect Your Employees

If you have employees who are EU citizens or residents, then you need to make sure that you’re handling their personal data carefully and with the same level of protection that you generally use for your EU customers.

On the other hand, if you don’t have any EU employees, you can skip this part.

7 - Provide an Easy Way to Modify or Delete Customers’ Personal Data

When setting up your online store, make sure it’s easy for you to modify or delete any customer’s personal data in a timely manner.

This is useful whenever a customer comes to you with a request to have their personal information modified or deleted.

That means you must be able to find a customer’s data, modify or delete it, and confirm to the customer that the information has been modified or deleted from your entire system.

8 - If There is a Data Breach, Inform All Customers Quickly

According to the GDPR, businesses have 72 hours to inform their customers about a data breach.

You see, whenever a data breach occurs, it is already a tough situation, as you’ll be liable to pay a fine of up to 4% of your previous year’s turnover or €20 million.

And if you don’t inform your customers, especially the affected ones, within the given 72-hour timeframe, you’re only going to make the situation worse and you might be liable for even more damages.

So, make sure to inform all your customers as soon as possible if any data breach occurs.

9 - Update Your Privacy Policy

If you have not written a privacy policy for your online store, then you should immediately write one. And while you’re at it, make sure that it’s written in plain, clear language and complies with the GDPR rules.

In addition, your privacy policy must also be accessible to everyone and should state how you plan to use your customers’ personal data and for what reasons.

This includes explaining how a customer can request access to, modify, or delete their personal data. Most importantly, you must also make sure that you have a cookie consent banner and that it fires a pixel or drops a cookie only after the customer has expressed consent.

Now, if you’ve no idea how to write a privacy policy, you can use Termly, which is a free privacy policy generator.
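The consent-gated behaviour described above (no pixel fires and no non-essential cookie is set until the shopper has opted in) can be implemented as a small gate in the storefront’s JavaScript. The code below is an added example, not code from the original post or from the Magento 2 Cookie Consent extension; the pixel loader is injected as a function so the same logic runs in Node for testing, and the cookie categories, pixel names and URLs are constructed sample values.

```javascript
// Added example (not from the original post): a consent gate that holds back
// tracking pixels and non-essential cookies until the shopper opts in.
// `loadPixel(url)` is whatever actually injects the tracker (an <img> or
// <script> tag in a real storefront); it is passed in so nothing loads
// without the gate's say-so and so the gate can be tested without a DOM.
function createConsentGate(loadPixel) {
  let consent = null;  // null = no decision yet, true = granted, false = denied
  const queued = [];   // tracking actions deferred while the decision is pending
  const fired = [];    // names of pixels that were actually loaded

  // Request a tracking pixel. It only loads once consent is explicitly granted.
  function track(name, url) {
    if (consent === true) {
      loadPixel(url);
      fired.push(name);
    } else if (consent === null) {
      queued.push({ name, url });  // banner still open: hold, do not fire
    }
    // consent === false: dropped silently, nothing is loaded
  }

  // Shopper clicked "Accept": record the decision and release held pixels.
  function grant() {
    consent = true;
    while (queued.length) {
      const { name, url } = queued.shift();
      loadPixel(url);
      fired.push(name);
    }
  }

  // Shopper clicked "Decline": record the decision and discard held pixels.
  function deny() {
    consent = false;
    queued.length = 0;
  }

  // Essential cookies (session, cart) are always allowed; any other
  // category (e.g. 'marketing', 'analytics') requires an explicit opt-in.
  function canSetCookie(category) {
    return category === 'essential' || consent === true;
  }

  return {
    track,
    grant,
    deny,
    canSetCookie,
    firedPixels: () => fired.slice(),
    state: () => consent,
  };
}

// Builds a Set-Cookie style string, or returns null when the category is
// not permitted under the current consent state. The attributes are
// reasonable defaults for a storefront, not values taken from the post.
function buildSetCookie(gate, name, value, category) {
  if (!gate.canSetCookie(category)) return null;
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`;
}

// Stand-alone demo with a constructed pixel URL: the pixel is held until
// the shopper accepts, then loads exactly once.
const demoLoads = [];
const demo = createConsentGate((url) => demoLoads.push(url));
demo.track('retargeting', 'https://tracker.example/pixel.gif'); // held
demo.grant();                                                   // now loads
console.log(demoLoads); // [ 'https://tracker.example/pixel.gif' ]
```

The important property is that the default state is “no decision”, and in that state the gate behaves like a denial for anything non-essential: a tracker that is merely queued has not touched the shopper’s browser. A real storefront would persist the decision (for example in a first-party cookie, which itself counts as essential) and call `grant()` or `deny()` from the banner’s buttons.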

10 - Make Sure All 3rd Party Vendors and/or Apps are GDPR Compliant

If you’re already running a Magento 2 based online store, chances are you’re already using third-party apps or platforms to help you run your store smoothly.

If this is the case, then you need to make sure that all the third-party apps or extensions you’re using are fully compliant with the GDPR rules.

Key Takeaway

The GDPR does seem scary at first, but it’s not as bad as it may seem, especially for eCommerce businesses.

And the main reason why eCommerce businesses need to make their stores GDPR compliant is that most online stores use lots of third-party apps that store and process customers’ personal data.

So, it’s necessary to make sure that your Magento store is GDPR-ready. And if you’re still confused about how to do it right, you can simply install the Magento 2 Cookie Consent (GDPR) extension.