On 25 May 2018 the General Data Protection Regulation of the European Union will become enforceable. It means that organizations could be fined for non-compliance. CS-Cart and Multi-Vendor 4.7.4 (to be released in the first half of May) will have the tools to help you comply with the regulation.
What is GDPR and How Does It Affect E-Commerce?
The GDPR (General Data Protection Regulation) describes how you can acquire, store, and process personal data of EU citizens and residents. You and your lawyers have probably familiarized yourselves with it already, but here is the full text of the GDPR just in case. It’s a long read, so we’ve listed some of the important points with references to GDPR articles:
- In most cases (Article 6) you’ll need an explicit permission to collect and use someone’s personal data. You’ll also need proof that such permission was given (Article 7).
- When you collect personal data, you need to inform people who you are, why you need the data, how you’ll use it, and more (Article 13).
- People have the right to withdraw their consent at any time (Article 7), to request a copy of their personal data (Article 20), and “to be forgotten” (Article 17).
- Fines for non-compliance can be up to €20,000,000 or 4% of the company’s total worldwide annual turnover (Article 83).
- The regulation applies outside of the European Union as well, as long as you process personal data of EU citizens and residents (Article 3).
We don’t claim to have summarized an 80-page law in one article. But as you can see, these points do affect online stores. For example, when a customer gives you an email address for account registration or newsletter subscription, that counts as personal data processing too. That’s why your online store may need some changes.
How Are CS-Cart and Multi-Vendor Prepared for GDPR?
CS-Cart and Multi-Vendor 4.7.4 (to be released in the first half of May) will include an add-on called GDPR Compliance (EU). Currently the add-on is available for testing at dev.demo.cs-cart.com.
Normally we don’t port new functionality to older versions. But we understand the importance of GDPR compliance. That’s why our support staff can offer guidance to those who use older versions; for a small fee we can even adapt the GDPR Compliance (EU) add-on from 4.7.4 for your store.
If you have extensive customizations (such as a custom theme) or won’t be able to upgrade to version 4.7.4 for some other reason, you’re welcome to contact our technical support via Help Desk.
The add-on will provide the tools to:
- Ask for consent. Add optional checkboxes to the standard places where personal data is collected (such as checkout, registration, newsletter subscription, etc.). These checkboxes are accompanied by notices about personal data processing. The text of every notice can be edited separately.
- Keep consent history. Keep the log of everyone and everything that they have consented to. This history is only accessible via the database (in the cscart_gdpr_user_agreements table) and includes the texts of personal data notices as they were at the time when consent was given.
- Manage personal data. View all the personal data of a customer in the Administration panel in a separate tab on the customer editing page. If customers contact you by email, export all their personal data to XML files or anonymize customers on request.
Is There Anything Else That Should Be Done?
Yes. The add-on alone won’t make you GDPR-compliant. After you get the add-on (either with version 4.7.4, or for your older version via Help Desk), there are some things that you should do.
- Check all the places where you collect personal data. Make sure that the notices about data processing are there, that they adhere to the GDPR and reflect how your organization handles personal data.
- Test the workflow of granting and withdrawing consent. Register as a new customer and give consent for personal data processing in various places. Then, as an administrator, check the consent logs, export personal data, and anonymize the customer.
- Review and update your legal documents. Once you have figured out what data you collect and how you use it, address the requirements of the GDPR in your legal documents. For your online store those documents could be:
- Privacy Policy. It exists by default under Website → Pages in the Administration panel, unless you have deleted it. You can edit it like any other content page in your store.
- Terms of Service. They appear at checkout if you Ask customers to agree with terms & conditions during checkout under Settings → Checkout. The text can be edited under Administration → Languages → Translations in the following language variable: terms_and_conditions_content.
You’re welcome to discuss CS-Cart and Multi-Vendor GDPR compliance and the new add-on in the comments or on our forum.
UPD: CS-Cart and Multi-Vendor 4.7.4 with GDPR support were released. Read the article to find out about how to make your online store compliant with the new regulation.
Don’t forget to subscribe to the CS-Cart Facebook and Twitter pages. We announce news there, too.