We're just months away from one of the most significant changes ever to online privacy, and Magento has been working hard to make sure we are prepared.
The General Data Protection Regulation, better known as GDPR, goes into effect on May 25th, 2018. It's a sweeping set of laws being enacted by the European Union, but you don't have to be in the EU to feel its impact.
Here are five things you should know about GDPR:
Don't let the fact that GDPR is tied to the EU fool you. This order will affect businesses all over the world.
The reason? GDPR is designed to protect the data of EU-based individuals—and so it applies to any organization that handles the data of EU-based individuals, regardless of where the organization itself is located.
In other words, if your company touches the data of even a single EU-based individual, it's up to you to have proper protections in place.
"Personal data" is a vague term, and GDPR's definition is about as broad as it gets. Under the regulation, any information that could be used to identify a person in any way, even indirectly, is covered. That means names, email addresses, photos, ID numbers, and financial info are all included. So, too, are IP addresses, social network posts, and web-based cookie data.
Heck, if something is even remotely relevant to the "physical, physiological, genetic, mental, economic, cultural, or social identity" of a person—to use the GDPR's own language—it counts.
For example, companies can store or process affected data only when the associated individual explicitly authorizes it—and even then, GDPR puts firm limits on the length of time the data can be kept. The law also requires companies to erase a person's data upon request and to report any data breaches to both authorities and anyone affected within 72 hours of a breach's discovery.
We are proactively reviewing and revising (where required) our customer and partner contracts and our policies and processes surrounding privacy and data protection. We are also assessing our products to assist customers in determining what data is being stored by Magento and where it resides.
Because Magento Marketplace extensions are developed by third parties, you'll need to assess any extensions associated with your account. Magento Marketplace extensions may store personal data in different locations than our core eCommerce platform, and some of them may also send data to external services. As you're finalizing your GDPR strategy, it's up to you to be aware of the data usage policies and behaviors of any extensions you choose to use.
Magento can't provide you with legal advice—but generally speaking, we'd encourage you to review all services and contracts connected to third-party companies in order to confirm GDPR compliance. We'd also recommend consulting with your own legal counsel to figure out what GDPR requirements apply to you and how you can best address them.