The new EU legislation known as GDPR has become a prominent topic and has attracted great attention from merchants around the world. This post explores the regulation to see how it affects Magento and web owners, and what those concerned should do to comply with GDPR.

General Information about GDPR

GDPR stands for General Data Protection Regulation. It is the EU's latest legislation on data protection. In detail, the new rules govern how companies are allowed to do business in the EU and how they collect and handle personal data.


GDPR is considered a single framework with two targets:

  • Ensure that individual data is handled with caution and care.
  • Remove obstacles to flows of personal data between countries and regions.

What are the main contents of GDPR?

GDPR is designed to protect a wide range of personal data, including anything that could be used to identify an individual, even indirectly: for example, name, email address, photo, ID numbers, health data, biometric data, location data and financial data. Even IP addresses, social network posts and web-based cookie data are included.

Organizations may store or process this type of data only when the associated individual explicitly authorizes it. Furthermore, GDPR also puts firm limits on how long data can be kept.

What is personal data under GDPR?

The types of data considered personal under the existing regulation include name, address and photo. GDPR extends this definition so that even an IP address can be personal data. In addition, all sensitive data, such as genetic and biometric data that could be processed to identify an individual, falls within the definition of personal data.

To whom does GDPR apply?

This legislation applies to organizations established in the EU that process personal data. It also applies to organizations based outside the EU that either provide goods and services directly to individuals in the EU or monitor the behavior of individuals in the EU. Even if you have only a few customers in the EU, you will have to comply with this regulation.

When does GDPR go into effect?

GDPR goes into effect on May 25th, 2018, and Magento has been working to make sure its system is compliant and companies are well prepared.

What are GDPR’s penalties?

Organizations in breach of GDPR can be fined up to 4% of annual turnover or €20 million, whichever is greater.

How does Magento adapt to GDPR?

Magento’s Role in GDPR Compliance

Magento has both customers that are located in the EU and customers serving individuals in the EU. As a result, GDPR compliance is a prominent and serious issue to Magento.

Before going into details, retailers need to clearly understand two definitions: data controllers and data processors.

Data controllers: Magento's customers, who determine how personal data is collected and used.

Data processors: Magento, which processes personal data at the controller's direction.

Handling data properly is a shared responsibility of data controllers and data processors.

As a data processor, Magento is implementing changes in the following areas to adapt to GDPR:

  • Policy and Contract

Magento has been proactively reviewing and updating customer and partner contracts, as well as its data protection policies and processes.

  • Technology

Magento states that its products have strong architecture and security features, so no modifications are needed to enable merchants' GDPR compliance.

Magento is working closely with legal and engineering experts to assess its products so that it can better assist customers and identify what personal data is being stored and where that data resides. This will help merchants comply with GDPR.

In addition, Magento's security team is conducting detailed security audits across all Magento products.

Three highlights Magento advises merchants to consider when preparing for GDPR

  • Scrutinize privacy policies to make sure they align with reality.

Merchants should keep in mind that the core of GDPR is transparency: merchants should do what they say and say what they do. In other words, merchants should communicate with clients in concise, clear language that anyone can understand quickly. Under GDPR, merchants need to examine not only their privacy policies but also their actual behavior, to make sure the two match.

  • Make sure that you keep thorough documentation

Even though GDPR is complicated, compliance will be easier, and evaluated more favorably, if merchants can demonstrate diligent, authentic effort. The more merchants can show that they operate as they say and demonstrate a healthy respect for clients' privacy, the better off they will be.

  • Comply with GDPR even when your business is not based in the EU

Every company has the potential to grow. If you are a global business or have ambitions for globally scalable products or services, you need to comply with GDPR. In practical terms, all of your data processing and disclosures to global customers will be required to be GDPR compliant.

What should Magento web owners do to limit the impact of GDPR?

Gradually take control of your data, step by step, for long-term benefit

  1. Only collect needed data. If it's not necessary to collect further information, don't ask for it.
  2. Deactivate opt-ins by default and remove any pre-checked boxes. As stated in the full text: "Silence, pre-ticked boxes or inactivity should not… constitute consent."
  3. Update privacy policies and disclosure documents to inform customers who is collecting their data and how the data is being stored.
  4. Be transparent and provide links in website footers to privacy policies and to unsubscribing from marketing content.
  5. Confirm that your third-party vendors and tools are GDPR compliant.
  6. Review your processes for obtaining customers' consent and make sure that you have authentic consent from individuals.
  7. Confirm that any data you or third parties collect from customers is secure against external threats.
  8. Establish procedures for handling personal data requests within the mandatory response timeframe.
  9. Ensure methods are in place to document consent, including what was consented to and how customers can withdraw consent.
  10. Establish procedures for notifying clients of a data breach as soon as possible.

For instance:

In terms of Blog

  • Blog posts to inform readers that your company is preparing for GDPR.
  • Blog posts about GDPR for merchants.
  • A blog post to inform readers that your company is finally ready for GDPR.

In terms of Newsletter

  • Prepare content and a newsletter about updating your Privacy Policies.
  • Send all subscribers a newsletter with details about the updated Privacy Policies.

Cookie Setup

  • Review the purpose of the current cookies on your site

This task belongs to the developer team, who know exactly which cookies exist on your sites and what they are for. After answering this question, they can follow up by keeping essential cookies and eliminating unnecessary ones.

  • Divide cookies into different categories

Some cookies are essential for your site to function, while others help you understand visitor behavior. Divide your cookies into categories according to their purpose.

  • Find a way to turn groups of cookies on and off and expose those controls in a pop-up on the site

This part is a UI/UX concern: your team can optimize the website by arranging the layout and content for a friendly user experience.

  • Create a cookie pop-up (content, link, button) for visitors accessing your site for the first time

Build a pop-up on site to ask agreement to use cookies, like Sainsbury does on its site:

GDPR - Cookie Popup

By clicking the orange "Accept and Close" button, site visitors allow Sainsbury to set cookies on their browser.

Form and Consent

– Review websites and forms on site

Reviewing the website: This part requires different departments to be involved, such as Developers, Digital Marketing, Product, Sales and so on. Because of their different responsibilities, each of them will know which forms are necessary or unnecessary on the site. Reviewing the website will help you determine the essential forms and decide to disable unnecessary ones. This step is based on the third of GDPR's seven principles, Data Minimisation, which clearly demands that organizations collect only data that is adequate, relevant and limited to what is necessary.

Reviewing forms on the site: Your staff should answer the following questions clearly to assess the forms on your site:

  • What information does your company collect from clients?
  • Where is data stored after that?
  • Who has access to this data?
  • Is it really necessary to store this kind of data?

– Classify content which requires opt-in

What is opt-in? It is an action by customers confirming that your company may use their personal data.

Since the day GDPR came into force, processing on a site needs to be classified into two kinds. The first is processing needed to complete a contract; for this data, organizations do not need to obtain further consent from clients. The second kind, which requires an opt-in action from customers, is called consent: organizations have to ask clients whether they allow the organization to use this kind of data.

Thus, it is essential to classify the processing activities on your site to determine which ones require opt-in; then you will know how to carry them out legally without breaching GDPR.

– Determine kinds of opt-in

In this step, web owners have to decide which method they will use to let customers opt in. This part is related to the UI/UX of the site. The simplest method is a checkbox on your site: by ticking it, clients confirm that they let you use their personal data. Your company can also use other methods to present opt-in actions to customers. However, you need to ensure that all content on the consent form is clear and easy to understand.

To illustrate, here is an example of how Age UK displays opt-in on its site:

GDPR - Age UK opt-in form

Or Woolworth and the Guardian:

GDPR - Woolworth opt-in form

GDPR - Guardian opt-in form

  • Create a subscribe function for each kind of opt-in

Generally, there should be several opt-in functions your customers can choose from. For example, one will send materials as soon as your customers finish opting in. Another can let them choose how they receive updates and materials from your company: for example, they can select the frequency at which they receive information (daily, weekly, monthly and so on), or choose the channel you send it through, as Age UK does well on its site. Age UK offers clients various ways to engage: by email, by telephone, by mobile or by post. It is up to the client's decision and their opt-in action.

GDPR - Age UK opt-in form

Therefore, it is also essential for your organization to classify and provide a clear subscribe function for each kind of opt-in, to eliminate the chance of disturbing customers through the subscribe button.

  • Add notes or explanations for each opt-in option and link the policy from forms

In other words, companies have to show a clear description of the opt-in action on their sites. We can take Walmart as an example:

GDPR - Walmart Example

  • Make it easier to withdraw consent and delete data

GDPR clearly sets out the right to object to data processing and the right to be forgotten. This means that clients have the right to have their personal data deleted permanently; they can demand that companies and organizations erase their personal information at any time. Therefore, as data controllers, companies and organizations have to prepare well for these situations.

For instance, we can see the Guardian's effort in this area:

GDPR - Guardian - Account Delete
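To make the Cookie Setup and Form and Consent advice above concrete, here is an added example (not code from the page, from Magento, or from any site mentioned) of a small consent manager: cookie groups are split into essential and optional, nothing optional is pre-ticked, the consent record stores what was agreed and when, and withdrawal resets the optional groups and lists their cookies for deletion. The group names, cookie names and policy version are constructed for the example.

```javascript
// Constructed cookie categories, following the page's split: "essential" groups run
// without consent; every other group stays off until the visitor explicitly opts in.
const COOKIE_GROUPS = {
  essential: { required: true, cookies: ["PHPSESSID", "form_key"] },
  analytics: { required: false, cookies: ["_ga", "_gid"] },
  marketing: { required: false, cookies: ["_fbp", "ads_id"] },
};

// State shown to a first-time visitor: only required groups are enabled (no pre-ticked boxes).
function defaultChoices() {
  const choices = {};
  for (const [name, group] of Object.entries(COOKIE_GROUPS)) {
    choices[name] = group.required;
  }
  return choices;
}

// Build the consent record: what was consented to, when, and under which policy version,
// so the merchant can later demonstrate consent. Required groups cannot be switched off;
// unknown group names are ignored rather than silently enabled.
function recordConsent(choices, policyVersion, now = Date.now()) {
  const record = { policyVersion, timestamp: now, withdrawn: false, groups: defaultChoices() };
  for (const [name, enabled] of Object.entries(choices)) {
    if (name in COOKIE_GROUPS && !COOKIE_GROUPS[name].required) {
      record.groups[name] = enabled === true;
    }
  }
  return record;
}

// Cookie names that may be set under a given record.
function allowedCookies(record) {
  return Object.entries(COOKIE_GROUPS)
    .filter(([name]) => record.groups[name] === true)
    .flatMap(([, group]) => group.cookies);
}

// Withdrawal: optional groups go back to off, and every optional cookie is listed for
// deletion (deleting a cookie that was never set is harmless, so no state is trusted here).
function withdrawConsent(record, now = Date.now()) {
  const cleared = { ...record, timestamp: now, withdrawn: true, groups: defaultChoices() };
  const cookiesToDelete = Object.values(COOKIE_GROUPS)
    .filter((group) => !group.required)
    .flatMap((group) => group.cookies);
  return { record: cleared, cookiesToDelete };
}

module.exports = { COOKIE_GROUPS, defaultChoices, recordConsent, allowedCookies, withdrawConsent };
```

In a real deployment the returned record would be persisted (for example in a first-party cookie or the customer's account) and every optional tag-loading script would be gated on `allowedCookies`.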

Directly install GDPR extensions

To support merchants in the process of complying with GDPR, some suppliers offer GDPR extensions on the market. Nevertheless, remember that GDPR extensions are only a temporary strategy; they may not cover all GDPR problems and issues well enough to serve your long-term interests.


Key Recommendations

Regardless of the approach each Magento merchant chooses, here are some key recommendations they need to take into account:

  • Merchants have the option to store data in EU locations, and Magento will not store personal data at locations outside of customers' stated preference.
  • Magento Marketplace extensions may store personal data in different locations from the core eCommerce platform and may also send data to external services. Magento customers and extension users have to be aware of the data usage policies and behaviors of any extensions they choose to use.
  • Magento customers should review all third-party services and contracts to confirm GDPR compliance. They should also consult their own legal advisers to determine what GDPR requires of them and how they can best address those requirements.

Kate N. is now working as a Retail Solution Specialist at Magestore. She has 3+ years of experience in brand management, marketing, and customer's insights. Kate loves to travel to experience new cultures and discover what is happening with retail all around the world.
