GDPR Compliance Checklist for Online Merchants

What is GDPR and how should a merchant implement it on their site? Check out our GDPR compliance checklist for US companies.

The 25th of May, 2019 marks the one-year anniversary of GDPR taking effect to protect the personal data of people in the EU from unlawful use by companies all over the globe. So, what is GDPR, and how should a merchant implement it on their site?

GDPR – the General Data Protection Regulation, Regulation (EU) 2016/679 – is an EU regulation adopted by the European Parliament and the Council of the EU which strengthens and harmonises the protection of personal data for all people in the EU.

When and where is it applicable

GDPR applies to any company that processes the personal data of people in the EU, even if the company itself is not located in the EU: under Article 3 it is enough to offer goods or services to people in the EU or to monitor their behaviour, so an online store that ships to EU customers is in scope. So, it is safe to say that our GDPR compliance checklist also applies to US companies.

6 principles of data processing according to GDPR (Article 5):

  1. Lawfulness, fairness, and transparency. The purpose and the amount of personal data collected should be described to the data subject as transparently as possible.
  2. Purpose limitation. Data may only be collected for specified, explicit purposes and must not be further processed in a way incompatible with those purposes; penalties can be levied if the data is used for something else.
  3. Data minimisation. Only the data that is adequate, relevant and necessary for processing the client's request should be collected.
  4. Accuracy. Inaccurate personal data must be erased or corrected without delay, including at the data subject's request.
  5. Storage limitation. Personal data must be kept in a form that identifies the data subject for no longer than is necessary for the purpose it was collected for, so a retention period must be defined for each kind of data.
  6. Integrity and confidentiality. Gathered and processed data must be protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.

So, as you can see, GDPR is the real deal, and it is better to be extra cautious about it, because fines for breaking the GDPR rules can reach €20,000,000 or 4% of a company's annual worldwide turnover, whichever amount is higher. Yes, that's right: higher.

Main requirements of GDPR

  • In the case of a personal data breach, the supervisory authority must be notified within 72 hours of the controller becoming aware of it, and where the breach is likely to result in a high risk to the affected individuals, they must be notified as well. People in the EU have the right to request detailed information on how their data is processed: for how long, where, for what purpose, etc. They are also entitled to have their data corrected or to object to its processing. GDPR also stipulates the right to erasure (the "right to be forgotten"), which entitles them to request the deletion of their personal data.
  • GDPR's novelty is the right to data portability. On request, a company must provide the data subject's personal data free of charge in a structured, commonly used and machine-readable format, and, where technically feasible, transmit it directly to another company (this covers uploaded content, preferences, etc.).
  • Consent to personal data processing cannot be obtained automatically or by default, for example by a pre-ticked consent checkbox or similar. Such consent is invalid. The data subject must actively signify consent, and the party collecting the data must be able to demonstrate that this happened. It is also important that information on how to withdraw consent is easily accessible, and that withdrawing it is as easy as giving it.
  • Children's personal data requires special protection, so where a service is offered directly to a child, consent must be given or authorised by a parent or legal guardian. The age below which parental consent is required lies between 13 and 16, depending on the EU country.

GDPR Roles

  • The data controller is the party that decides why and how personal data is processed. For a web shop this is the merchant's company; it bears the highest responsibility for users' data, and in practice its management (business owner, CEO, COO) answers for it.
  • The data processor is a party that processes personal data on behalf of the data controller, for example a hosting provider or an e-mail marketing service. Sometimes called a 'third party'.
  • The data protection officer (DPO) is the person responsible for data protection within the organisation. The post is obligatory for public authorities and for companies whose core activities consist of large-scale, regular and systematic monitoring of individuals or of large-scale processing of special categories of data. The DPO oversees lawfulness and security as they relate to data processing.

So, if the business (data controller) uses a third-party service as a data processor (e.g. Mailchimp, which also stores the clients' personal data), the GDPR rules bind both parties, and Article 28 requires a written contract (a data processing agreement) between them. But, of course, in case of an infringement, the responsibility of the data controller is higher.

What is personal data

Personal data is any information relating to an identified or identifiable natural person (the data subject), whether that person can be identified directly or indirectly. Such information includes:

  • Name
  • Address
  • Location data
  • IP address
  • Credit card details
  • One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the data subject (Chapter 1, Article 4(1))

How should a merchant implement GDPR clarity on their site?

Check the site against this checklist:

  1. There is a banner with a request for cookie consent in the site's header or footer. This banner should tell users that the site uses third-party services which set cookies, and what those cookies are for. The client must signify consent by pressing the "accept" button before any tracking is activated on the site; only strictly necessary cookies (for example the session and cart cookies) may be set without consent.
  2. There is an option for users in the 'My Account' section to delete their personal data from the Magento database and any other databases in which you store customer data, or to have it anonymised.
  3. There is an option for users to cancel any subscriptions after logging in to their accounts. Moreover, every e-mail sent to a client should contain an unsubscribe link that removes the client from the mailing list.
  4. All consent given by a user should be freely given. That means no pre-ticked checkboxes and no consent buried in small print on the site.
  5. Personal data that is not needed should be anonymised. Data which is not necessary for managing orders (for example the personal data copied into the quote tables for abandoned carts) should be anonymised in the database. Note that anonymised data is no longer personal data, whereas pseudonymised data (for example a keyed hash of an e-mail address that can still be linked back to the person) still is.
  6. Use site scanning tools which detect vulnerabilities, and have the site penetration-tested to check whether unauthorised access is possible. It is recommended to scan for vulnerabilities quarterly and to perform penetration testing twice a year.
  7. CMS pages, such as terms & conditions, are updated and contain information on GDPR compliance. They should contain answers to the following questions:
  • What kinds of data are collected?
  • Who collects this data?
  • How is the data collected?
  • What is it collected for?
  • How will the data be used?
  • Who will have access to the data?
  • How does the data collection affect each individual?
  • A detailed description of the data storage (retention) policy.
  8. Make sure that every single piece of a user's personal data is deleted from the database when the user requests deletion. Where a legal obligation requires keeping a record (for example tax rules on retaining invoices), keep the record but anonymise the personal data in it; GDPR's right to erasure does not override such obligations. Within the Magento platform, the same personal data may be stored in the following tables:
  • Quote
  • Quote Address
  • Order
  • Order Address
  • Customer
  • Customer Address
  • Newsletter
  • Invoices

It is also obligatory to check the tables created by custom modules. Upon a deletion request, data should be deleted from each and every table.

  9. Privacy policy consent. To make the site comply with GDPR, the privacy policy consent should be as transparent as possible. A user should have a clear understanding of who, when, and how they signify consent with regard to the privacy policy. Guidelines on achieving transparency are listed below:
  • Privacy policy consent checkboxes are located on each page that collects data, for example checkout, registration, contact us, etc.
  • The privacy policy is written in plain language for easy understanding.
  • The names of the company and of all third parties that receive the data (processors and other controllers) are mentioned.
  • Transfers of personal data to countries outside the EU/EEA are mentioned, including which countries and which safeguards apply.
  • It is clearly stated why you are collecting data and how you are going to process it.
  • The data retention period is clearly stated.
  • None of the consent checkboxes is pre-ticked by default.
  • The consent request banner stands separately from the general terms and conditions on the site.
  • A record of how and when consent was given by a user is kept.
  • Users have the option of withdrawing consent.
  10. All personal data stored in database tables should be encrypted at the database level. The example can be seen here.
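The erasure step above (deleting a customer's data from the quote, order, customer, newsletter and custom-module tables) and the anonymisation step (keeping order records but stripping the personal data from them), as an added worked example that is not code from the original article or from Magento. It runs against an in-memory SQLite database whose tables, columns and sample rows are constructed here and only approximate Magento 2's real schema (an assumption; the live column sets differ), with a hypothetical loyalty_points table standing in for a custom module. Every rule runs in one transaction, retained order rows get their personal fields overwritten instead of deleted, and a final scan of every column of every table looks for the old values to catch tables the rules forgot.

```python
import sqlite3
from dataclasses import dataclass

# Constructed, simplified schema for the walk-through. Assumption: it only
# approximates Magento 2 (real column sets differ); loyalty_points stands in
# for a table created by a custom module.
SCHEMA = """
CREATE TABLE customer_entity (entity_id INTEGER PRIMARY KEY, email TEXT, firstname TEXT, lastname TEXT);
CREATE TABLE customer_address_entity (entity_id INTEGER PRIMARY KEY, parent_id INTEGER, street TEXT, telephone TEXT);
CREATE TABLE "quote" (entity_id INTEGER PRIMARY KEY, customer_id INTEGER, customer_email TEXT, customer_firstname TEXT, customer_lastname TEXT);
CREATE TABLE quote_address (address_id INTEGER PRIMARY KEY, quote_id INTEGER, email TEXT, street TEXT, telephone TEXT);
CREATE TABLE sales_order (entity_id INTEGER PRIMARY KEY, customer_id INTEGER, customer_email TEXT, customer_firstname TEXT, customer_lastname TEXT, grand_total REAL);
CREATE TABLE sales_order_address (entity_id INTEGER PRIMARY KEY, parent_id INTEGER, email TEXT, firstname TEXT, lastname TEXT, street TEXT, telephone TEXT);
CREATE TABLE sales_invoice (entity_id INTEGER PRIMARY KEY, order_id INTEGER, grand_total REAL);
CREATE TABLE newsletter_subscriber (subscriber_id INTEGER PRIMARY KEY, customer_id INTEGER, subscriber_email TEXT);
CREATE TABLE loyalty_points (id INTEGER PRIMARY KEY, email TEXT, points INTEGER);
"""

@dataclass(frozen=True)
class Rule:
    table: str
    where: str               # predicate over the bound parameters :cid and :email
    action: str              # "delete" or "anonymize"
    pii_columns: tuple = ()  # columns overwritten when anonymizing
    pk: str = "entity_id"    # used to build a unique, non-personal placeholder e-mail

ORDERS_OF = "SELECT entity_id FROM sales_order WHERE customer_id = :cid OR customer_email = :email"
QUOTES_OF = 'SELECT entity_id FROM "quote" WHERE customer_id = :cid OR customer_email = :email'

# Child tables come before their parents so the sub-selects still match.
RULES = (
    Rule("customer_address_entity", "parent_id = :cid", "delete"),
    Rule("customer_entity", "entity_id = :cid", "delete"),
    Rule("quote_address", f"quote_id IN ({QUOTES_OF})", "delete"),
    Rule("quote", "customer_id = :cid OR customer_email = :email", "delete"),
    Rule("newsletter_subscriber", "customer_id = :cid OR subscriber_email = :email", "delete"),
    Rule("loyalty_points", "email = :email", "delete"),
    # Orders (and the invoices hanging off them) are kept for tax/accounting
    # retention, so their personal data is overwritten instead of deleted.
    Rule("sales_order_address", f"parent_id IN ({ORDERS_OF})", "anonymize",
         ("email", "firstname", "lastname", "street", "telephone")),
    Rule("sales_order", "customer_id = :cid OR customer_email = :email", "anonymize",
         ("customer_id", "customer_email", "customer_firstname", "customer_lastname")),
)

def _placeholder(column: str, pk: str) -> str:
    """SQL expression that replaces a personal value with one carrying no information."""
    if column.endswith("_id"):
        return "NULL"                                       # unlink from the deleted account
    if "email" in column:
        return f"'erased-' || {pk} || '@example.invalid'"   # unique, so UNIQUE indexes survive
    return "'[erased]'"

def erase_customer(conn: sqlite3.Connection, customer_id: int) -> dict:
    """Apply every rule in one transaction; returns rows affected per table."""
    row = conn.execute("SELECT email FROM customer_entity WHERE entity_id = ?", (customer_id,)).fetchone()
    if row is None:
        raise LookupError(f"no customer {customer_id}")
    params = {"cid": customer_id, "email": row[0]}
    affected = {}
    with conn:  # commit only if every table succeeded, otherwise roll all of it back
        for rule in RULES:
            if rule.action == "delete":
                sql = f'DELETE FROM "{rule.table}" WHERE {rule.where}'
            else:
                sets = ", ".join(f"{c} = {_placeholder(c, rule.pk)}" for c in rule.pii_columns)
                sql = f'UPDATE "{rule.table}" SET {sets} WHERE {rule.where}'
            # Table and column names come from the trusted RULES constant; the
            # customer's id and e-mail are always bound parameters, never interpolated.
            affected[rule.table] = conn.execute(sql, params).rowcount
    return affected

def residual_references(conn: sqlite3.Connection, *needles: str) -> list:
    """Scan every column of every table for the old values. Anything found is a
    table the rules missed, typically one created by a custom module."""
    hits = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        for col in [r[1] for r in conn.execute(f"PRAGMA table_info('{table}')")]:
            for needle in needles:
                n = conn.execute(f'SELECT COUNT(*) FROM "{table}" WHERE "{col}" = ?', (needle,)).fetchone()[0]
                if n:
                    hits.append((table, col, n))
    return hits

def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: customer 7 asks for erasure, customer 8 must stay untouched."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executescript("""
    INSERT INTO customer_entity VALUES (7, 'ada@example.com', 'Ada', 'Lovelace');
    INSERT INTO customer_address_entity VALUES (1, 7, '12 Analytical St', '+44 20 0000 0000');
    INSERT INTO "quote" VALUES (30, 7, 'ada@example.com', 'Ada', 'Lovelace');
    INSERT INTO quote_address VALUES (31, 30, 'ada@example.com', '12 Analytical St', '+44 20 0000 0000');
    INSERT INTO sales_order VALUES (100, 7, 'ada@example.com', 'Ada', 'Lovelace', 59.90);
    INSERT INTO sales_order_address VALUES (101, 100, 'ada@example.com', 'Ada', 'Lovelace', '12 Analytical St', '+44 20 0000 0000');
    INSERT INTO sales_invoice VALUES (200, 100, 59.90);
    INSERT INTO newsletter_subscriber VALUES (1, 7, 'ada@example.com');
    INSERT INTO loyalty_points VALUES (1, 'ada@example.com', 120);
    INSERT INTO customer_entity VALUES (8, 'bob@example.com', 'Bob', 'Byron');
    INSERT INTO sales_order VALUES (110, 8, 'bob@example.com', 'Bob', 'Byron', 10.00);
    """)
    return conn

if __name__ == "__main__":
    db = build_demo_db()
    print(erase_customer(db, 7))
    print("leftovers:", residual_references(db, "ada@example.com", "Lovelace"))
```

To use the same approach on a real store, point the connection at the live database, extend RULES with every table a custom module adds, and run residual_references with the customer's e-mail, names, street and phone after each erasure: a non-empty result is a table the rules do not yet cover. Denormalised copies such as the admin grid tables need their own rules as well.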

Conclusion

So, now you are well-armed to make your Magento store compliant with GDPR requirements. We hope that this checklist will serve as a step-by-step manual and save you time.

If you face any issues along the way, we will gladly assist you with this matter – just fill in the contact form below.
