Hello to Amasty customers!

You have already planned your Magento GDPR strategy, haven’t you?

The enforcement date has been set for 25 May 2018, so the countdown to its entry into force has indeed begun.

Today we want to share our own experience and bring you all up to speed to make sure we get everything right.

Our solutions: We have developed a Magento 1 GDPR extension, as well as a GDPR extension for Magento 2. Comply with the terms of the data protection regulation by making customer data storage and processing transparent.

What is GDPR?

The EU’s General Data Protection Regulation (GDPR) is an updated regulation in EU law on data protection and privacy for all individuals within the European Union. The regulation is expected to affect any online business, even if it’s not located in one of the European countries.

What does it mean for a US business?

If you do business in the US but offer goods and services to EU citizens, your company has to comply with the new requirements. Even if data processing is conducted by a third party, you need to make it transparent. This means you are obliged to obtain clear consent from your EU customers for collecting and processing their personal information. In addition, individuals have the right to have their data deleted on request and anonymized.

The logic lies in a set of rules under which EU individuals grant permission to use their personal information for a number of reasons in return for the services provided.

To find more information on GDPR, refer to the European Commission’s website.

What should a Magento store owner know about GDPR?

According to GDPR, a Magento site owner, like any company operating at the EU-wide level, can only process personal data under certain conditions. The data processing should be (1) transparent for site users, (2) dedicated to a legitimate purpose and (3) limited to the time required to fulfill that purpose. Besides, the data processing should be based on one of the legal grounds stated in Article 6 of the GDPR.

The purpose of the GDPR is to ensure that an individual understands what he or she is consenting to. To that end, Article 4(11) of the GDPR stipulates that a user’s consent to data collection means any:

freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

The consent should be freely given in clear language in your Privacy Policy and require checking a box online or signing a form. If you are to process the personal data of a child based on consent, you need to obtain the parents’ permission for that.

Under the EU’s General Data Protection Regulation, you need to:

(1) determine your role (data controller; data processor);
(2) provide your site users with transparent information about the personal data collection;
(3) provide the personal data being processed at the user’s request;
(4) delete the personal data from the site database at the user’s request or when it’s no longer required for the processing purpose;
(5) respect the user’s right to correct and object to incorrect personal data.

Thus, demonstrating your Magento store’s compliance with GDPR and keeping records are the top-priority tasks to complete by May 25th.

Why assess any Magento extensions [connected with your account]?

Magento has already called for reviewing some areas of your business services. What is this for?
Because all Magento Marketplace extensions are developed by third parties, they may store personal data in locations other than the Magento core. The data can be further sent to external services.
Thus, some third-party extensions (like Customer Attributes by Amasty) can store your customers’ private data. If you collect data from individuals in the EU, you need to (1) state the fact in your Privacy Policy and (2) remove/anonymize the information at the request of an EU individual.

What does GDPR mean for Amasty?

As for Amasty, we will continue taking care of the safety and security of our customers’ personal data. We commit to fully complying with the new legislative requirements and are therefore making all the changes required by the law.

We are currently revising our Privacy Policy to address the specific policies dealing with the EU’s General Data Protection Regulation. We are going to run an email campaign in which we will inform our EU users about the need to subscribe again. Also, a number of minor changes are planned for our official website.
Amasty is a law-abiding company that fully meets the requirements of personal data protection.

Find out what Magento GDPR requirements apply to your business and stay tuned!