Calling all Magento Merchants: are you ready for GDPR? We're getting our files in order here at The Pixel HQ; giving our information a good sweep, blowing out the virtual data cobwebs.If you're not that sure what the GDPR really is, have a read of our article 'What does GDPR mean for Magento merchants?' to get a good idea as to what's involved. Below is a recap.

What is the GDPR?

The GDPR (General Data Protection Regulation) will apply in the UK from 25 May 2018. The GDPR is Europe’s new framework for data protection laws. In the UK, the current Data Protection Act 1998 sets out how your personal information can be used by companies & the government. The key difference is that GDPR changes how personal data can be used.All individuals and companies that are either ‘controllers’ or ‘processors’ of personal data will be covered by the GDPR, which includes Magento ecommerce merchants storing data about individuals.The GDPR places specific legal obligations on processors. They are required to maintain records of personal data and processing activities, and will have significantly more legal liability if they are responsible for a breach. If you are a controller, the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

Accountability & consent

In the case of "a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data", if that breach is likely to result in a risk to the rights and freedoms of individuals, then that breach must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. In the case of the UK, that’s the ICO – the UK’s independent body set up to uphold information rights.The GDPR has higher standards for consent. When an organisation is relying on consent to lawfully use a person’s information they have to clearly explain that consent has been given and there has been a “positive opt-in”.The GDPR also states that you have to make it easy for people to exercise their right to withdraw consent. Companies will also need to make it easy for people to withdraw consent and tell them how, and keep evidence of consent – who, when, how, and what you told people.

What can you do?

The ICO has issued a document 'Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now' to help businesses prepare. Take a look to help you with your preparations.

Preparing for GDPR

What are we doing?

Here at The Pixel we are doing what we can to help ourselves and our clients prepare.Tom Worley, Hosting Manager, explains some of the security advantages of being with The Pixel during the GDPR transition:

  • The Pixel is automating the majority of security functionality on our hosting to ensure that all security is configured as it should be, providing the highest standard of security across all our servers.
  • Only people who absolutely need access to data and servers are given it.
  • All access to the sites is encrypted where possible, and administrative access to servers is always heavily firewalled, behind encrypted VPN connections.
  • Sites are also protected behind Web Application Firewalls with DDoS protection.
  • Automated Operating System software and security patches are applied daily as well as server security scans.

Tash Sprague, HR Manager, explains some of the preparations going on in The Pixel office:

  • Data audits have commenced to identify what personal data we store, why we store it, and to identify if it's really needed.
  • Data flows are being created to map the journey of personal data throughout the business.
  • We are reviewing and updating internal policies and procedures.
  • The creation of a Retention Schedule to demonstrate how long we keep personal data and the reasons why, e.g. for legal reasons such as for tax purposes.
  • The assigning of roles: who is the 'controller' and who is the 'processor'.
  • Reviewing all client and employee contracts to ensure GDPR compliance.
  • All staff will soon undergo an e-learning module to educate them on GDPR.
  • The creation of a Risk Register to log issues and provide a means of tracking the response to issues, and what course of action to take to resolve those issues.
  • Speaking to our solicitors to ensure all literature is correct.

All information featured in this article is obtained from or influenced by the sources referred to. This article is designed as an aid to ecommerce merchants only. Seek legal advice or contact the ICO for official and additional information about the GDPA and how it will affect your ecommerce business.