
GDPR Compliance for those with EU customers

For those of you with European customers, I'm curious, how are you handling GDPR compliance?

 

What is GDPR?

The General Data Protection Regulation (https://gdpr-info.eu/) governs how the data of EU citizens is stored and transferred.

 

Penalties

Could be 10-20 million euros or 2-4% of global revenue (whichever is higher). Yowser!

 

What does it cover?

Any personally identifying data, name, address, etc., but also cookies and IP addresses used to track activity. Not just the data on your servers, but any data hosted on SaaS platforms (think Salesforce, Dropbox, Google Drive, etc.), in the Cloud (AWS, Azure, etc.) or shared with 3rd parties as well.

 

What can't you do?

In short, store the personal data of EU citizens anywhere that doesn't adhere to the EU's strict rules, either by being a country recognized as complying or by having lots of specialized business agreements in place.

 

What must you do?

At a very high level that barely scratches the surface (I am not a lawyer)...

  • Allow opt outs for cookies, etc.
  • Capture explicit opt ins (no pre-checked boxes, no fine print).
  • Make sure data is accurate. So if a customer updates their information in one system, make sure it's updated in all your others as well. Not just the data in your databases, but third parties you've shared that data with as well (automated updates and push notifications from your customer master would be prudent), and ensure inaccurate data is never processed.
  • Be able to export and share all of a customer's data (including transactional data) within one month of request.
  • Be able to delete a customer and all records associated with the customer, across all your systems, within a month of request.
  • Notify the commission within 72 hours of a data breach of any kind.

I'd love to hear about:

  • How you're approaching GDPR compliance.
  • Which hosting companies and SaaS vendors have policies in place to support GDPR.
  • Your biggest GDPR challenges.

Thanks!

Nicola Kinsella
BridgeSGI.com | Ask me about Order Management
35 REPLIES

Re: GDPR Compliance for those with EU customers

Hi Nicola,

This is a very interesting topic. I'd love to discuss a bit further over email if that's interesting to you.

Cheers,

 

Ivo Spigel

Co-founder

Perpetuum Mobile

www.perpetuum.eu

ivo.spigel@perpetuum.hr

 

Re: GDPR Compliance for those with EU customers

Hi Nicola,

This is an issue we are now having to consider with a new Magento2 website. It all seems to be a little fuzzy and full of grey areas, particularly with respect to B2B. We would love to hear how other people are preparing.

Re: GDPR Compliance for those with EU customers

Hi there, 
I'm curious if anyone has any updates on this topic? Has anyone tackled this yet?

Thank you!

Re: GDPR Compliance for those with EU customers

Hi all, 

If you speak a little bit of French, you may find this article and the associated module quite interesting!

The article: https://connect.adfab.fr/dev/le-rgpd-gdpr-c-est-maintenant-pour-les-e-commercants

The GDPR module for Magento 2: https://github.com/AdfabConnect/magento2gdpr

Re: GDPR Compliance for those with EU customers

Hi

The biggest challenge (so far) is how to delete old orders. Does anyone know if that is necessary?

 

As far as I know, it's not possible to delete orders (Magento 1), and those records are needed for accounting.

Re: GDPR Compliance for those with EU customers

There is a module for Magento which can easily delete orders: https://www.wyomind.com/order-eraser-magento.html 

 

Do you know if orders have to be deleted after a certain time-frame or do we just need the facility to delete them and the customer details if the customer requests it? 

 

Re: GDPR Compliance for those with EU customers

Hi Sean

Thanks for the link.

 

I don't think anyone knows that at the moment. I have read a lot of "guides" but that part is still a grey area for me. Will try to find out.

 

But in Sweden, by law, you must save your records (for accounting) for 7 years. So if the Magento database is your saved records, my guess is that this law overrides the GDPR.

Re: GDPR Compliance for those with EU customers

Yeah, that's what I thought as well, as there are similar bookkeeping laws in the UK and Ireland.

Re: GDPR Compliance for those with EU customers

My colleague has talked to a friend working at a big e-commerce site in Sweden, and they will (probably) not delete old orders.

 

This link might be of interest: https://www.cennydd.com/writing/a-techies-rough-guide-to-gdpr