Preparing Magento for the General Data Protection Regulation (GDPR)

created May 15, 2018, last updated May 15, 2018.


For small businesses in the EU data protection may not be a top priority, but the new General Data Protection Regulation (GDPR) has been around since 2016 and will finally come into effect on 25th May 2018. If you run a Magento eCommerce store, here are some compliance issues you may want to consider implementing.

Move tracking code to Google Tag Manager

Visitors must give positive consent before their data is used. If you are tracking customer visits with third party tools such as Google Analytics, or with customer service modules, the user needs to "opt in" and give positive consent before you may use their data. By using Google Tag Manager you can load all your custom HTML and JavaScript tracking code only after the user provides consent. Google Tag Manager applies your third party tracking code to all pages, making it easier to implement changes.

Add a cookie consent toolbar

The GDPR wants you to clearly state what personal data if any you are storing or sharing with third parties. You need to add a cookie consent toolbar to your Magento site that clearly states how and why you use cookies, which third party tracking tools you use and how you share visitor data with third parties. Visitors must give positive consent to this policy – it is no longer acceptable to say that consent is implied by using the website, users must actively provide consent and your backend logic must implement this. Give visitors as much information as possible and link the cookie consent toolbar to your Data Protection (Privacy) Policy.
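The consent gate described in the two sections above, as an added example that is not code from this post or from the gaiterjones magento1-gdpr module: the consent bar stays visible until the visitor makes an explicit choice, the choice is recorded in a first-party cookie, and the Google Tag Manager bootstrap (which pulls in every tag configured in the container) is only injected once consent is "granted". The cookie name gdpr_consent, the element ids used by the bar and the container id GTM-XXXXXXX are this example's assumptions.

```javascript
// Consent-gated Google Tag Manager loading (added example, not the module's code).
// Assumed names: first-party cookie "gdpr_consent" holding "granted" or "denied",
// bar element ids below, and the placeholder container id.
const CONSENT_COOKIE = 'gdpr_consent';
const CONSENT_MAX_AGE = 60 * 60 * 24 * 180; // remember the decision for 180 days (example's choice)
const GTM_CONTAINER_ID = 'GTM-XXXXXXX';      // placeholder, replace with the real container id

// Parse a document.cookie string ("a=1; b=2") into an object of name -> value.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep the raw value if malformed */ }
    cookies[name] = value;
  }
  return cookies;
}

// Positive consent only: anything other than an explicit "granted" does not load tags.
function consentState(cookieString) {
  const value = parseCookies(cookieString)[CONSENT_COOKIE];
  if (value === 'granted' || value === 'denied') return value;
  return 'unknown';
}

// What the page should do on load: show the bar until a decision exists, load tags only on "granted".
function plan(cookieString) {
  const state = consentState(cookieString);
  return { state, loadTags: state === 'granted', showBar: state === 'unknown' };
}

// Cookie string recording the decision; Secure and SameSite=Lax keep it first-party over HTTPS.
function consentCookie(decision) {
  if (decision !== 'granted' && decision !== 'denied') throw new Error('decision must be granted or denied');
  return `${CONSENT_COOKIE}=${decision}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// The standard GTM bootstrap, with window/document passed in so it can be exercised outside a browser.
function loadGtm(containerId, win, doc) {
  if (win.__gtmLoaded) return false;            // idempotent: the snippet must run once per page
  win.dataLayer = win.dataLayer || [];
  win.dataLayer.push({ 'gtm.start': Date.now(), event: 'gtm.js' });
  const first = doc.getElementsByTagName('script')[0];
  const script = doc.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtm.js?id=' + encodeURIComponent(containerId);
  first.parentNode.insertBefore(script, first);
  win.__gtmLoaded = true;
  return true;
}

// Wire-up for a real page: assumes the consent bar markup uses the ids below (example's assumption).
function initConsentBar(win, doc) {
  const decision = plan(doc.cookie);
  const bar = doc.getElementById('gdpr-consent-bar');
  if (decision.loadTags) loadGtm(GTM_CONTAINER_ID, win, doc);
  if (!decision.showBar || !bar) return decision;
  bar.style.display = 'block';
  const record = (choice) => {
    doc.cookie = consentCookie(choice);
    bar.style.display = 'none';
    if (choice === 'granted') loadGtm(GTM_CONTAINER_ID, win, doc); // tags load only after opt-in
  };
  doc.getElementById('gdpr-consent-accept').addEventListener('click', () => record('granted'));
  doc.getElementById('gdpr-consent-decline').addEventListener('click', () => record('denied'));
  return decision;
}

// Only bind to the DOM when running in a browser; the functions above are usable on their own.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  initConsentBar(window, document);
}
```

The check that matters is in consentState: a missing, malformed or unexpected cookie value is treated as "no decision yet", never as implied consent, so the tag container is not loaded until the visitor has actively clicked accept.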

Allow individuals to remove or anonymise data

You need to be able to provide assurance that admin staff or customers can remove personal data stored in your Magento store on request.

Allow individuals to opt out from subscriptions

Make sure your opt-out (and opt-in) to newsletter subscriptions is working.

Perform Security Testing

Use the Magento Security scan or Mage Report to provide assurance that your Magento installation is up to date and patched against known security vulnerabilities.

Update your Data Protection (Privacy) Policy

Make sure your Data Protection Policy is up to date and available from every page of your Magento site.

Data Access

Individuals have the right to ask you for all their personal data, and this needs to be a full copy of all data held in Magento. Make sure you are able to fulfil such a request; the GDPR states that this information should be made available, without charge, within 30 days of the request.

Create a Compliance Document

You need to be able to demonstrate a diligent and earnest effort to comply with the GDPR. Create a compliance document that shows how you are meeting the GDPR requirements; the document should include:

  • A compliance audit
    • List the steps you have taken to comply with the GDPR
  • Information audit
    • Audit your systems and clearly state where personal data is stored
      • Is it internet facing?
      • Is it shared with third parties?
      • How is it secured?
      • Where is it physically stored (servers, PCs, etc.)?
  • Data Protection Policy
    • Include your policy documents

Magento GDPR Compliance Module

A quick Google for GDPR modules for Magento 1.x and 2.x shows there are a few solutions available and most are not free. Two free modules are available:

Magento 1 https://marketplace.magento.com/zero1-zero1-gdpr.html

Magento 2 https://github.com/AdFabConnect/magento2gdpr

I don’t yet have a live Magento 2 store so have not tested the Magento 2 module. I installed the Zero1 module and found it to contain a couple of bugs which made it unusable; it appears to be bait to encourage you to purchase the commercial version. The module is fairly simple, providing you with a frontend Cookie Consent toolbar, a frontend customer account deletion/anonymisation button and a backend method for anonymising customer data. I took this code and enhanced it with an existing cookie toolbar I had previously developed, and the module is free to test and use at https://github.com/gaiterjones/magento1-gdpr

Install the module with modman:

    modman clone https://github.com/gaiterjones/magento1-gdpr

You will see a new menu item called GDPR in the Configuration -> Customers section.

Magento 1 GDPR Module

Adding your Google Tag Manager ID enables the Google Tag Manager code which will insert any tags you have configured into your Magento site.

Enabling the customer account deletion and anonymisation will provide you with two new admin buttons when you view customer information.

Backend Delete Customer and Anonymise Data

Magento Customer Account Frontend Delete Option

This enables admin staff to delete and anonymise customer and order data and send a confirmation email. In debug mode both these buttons can be tested for functionality. A similar button is activated in the frontend Customer Account section allowing customers to close their account and anonymise their data. You will be notified by email when a customer closes their account.

Debug mode lets you test the module without actually deleting anything, specifically the confirmation emails and notices sent by the module.

You can change the look of the Cookie Policy consent bar by choosing between light and dark skins, and you can customise the consent bar text further as you wish.

GDPR Magento Cookie Consent Toolbar

You can see the consent bar working at http://magento1.gaiterjones.com

Seek advice

Compliance with these new regulations is important; if you are unsure where to begin with GDPR compliance, seek professional advice!

The information presented here is a summary of my own personal findings and thoughts on how to improve Magento 1 GDPR compliance and no guarantee whatsoever is provided that the information presented here will ensure GDPR compliance! Use the Magento module at your own risk – be sure to test it first on your development site.

Comments

  1. JaJuMa says:

    In addition, besides only Customer Rights, Cookies and Google Analytics, each 3rd Party integration needs to be checked and considered regarding GDPR.
    One example that gets missed quickly is social share options.
