For those of you with European customers, I'm curious, how are you handling GDPR compliance?
What is GDPR?
The General Data Protection Regulation (https://gdpr-info.eu/) that governs how the data of EU citizens is stored and transferred.
Could be 10-20 million euros or 2-4% of global revenue (whichever is higher). Yowser!
What does it cover?
Any personally identifying data, name, address, etc., but also cookies and IP addresses used to track activity. Not just the data on your servers, but any data hosted on SaaS platforms (think Salesforce, Dropbox, Google Drive, etc.), in the Cloud (AWS, Azure, etc.) or shared with 3rd parties as well.
What can't you do?
In short, store the personal data of EU citizens anywhere that doesn't adhere the the EUs strict rules either by being a country recognized as complying, or having lots of specialized business agreements in place.
What must you do?
At a very high level that barely scratches the surface (I am not a lawyer)...
I'd love to hear about:
this is a very interesting topic. I'd love to discuss a bit further on email if that's interesting to you.
This is an issue we are now having to consider with a new Magento2 website. It all seems to be a little fuzzy and full of grey areas - particularly with respect to b2b. We would love to hear how other people are preparing.
I'm curious if anyone has any updates on this topic? Has anyone tackled this yet?
If you speak a little bit of french, you may find this article and the associated module quite interesting!
the GDPR module for magento 2 : https://github.com/AdfabConnect/magento2gdpr
The biggest challenge (so far) is how to delete old orders. Does anyone know if that is necessary?
As far as I know it's not possible to delete orders (Magento 1) and those records are needed for accounting.
There is a module for Magento which can easily delete orders: https://www.wyomind.com/order-eraser-magento.html
Do you know if orders have to be deleted after a certain time-frame or do we just need the facility to delete them and the customer details if the customer requests it?
Thanks for the link.
I don't think anyone knows that at the moment. I have read a lot of "guides" but that part is still a grey area for me. Will try to find out.
But in Sweden, by law, you must save your records (for accounting) for 7 years. So if the Magento database is your saved records, my guess is that this law overrides the GDRP.
Yeah that's what I thought as well as it's similar bookkeeping laws in UK and Ireland.
My colleague have talked to a friend, working at a big ecommerce site in Sweden, and they will (probably) not delete old orders.
This link might be of interest: https://www.cennydd.com/writing/a-techies-rough-guide-to-gdpr