Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Thoughts about GDPR
Recently we got ourselves another "fun" EU regulation called General Data Protection Regulation.

The more I read about it, the more I wonder how does it affect our stores...

What are your thoughts about this?
First of all, thanks for posting this very important subject.

Well, as a customer and an online buyer myself, I very much welcome this new directive. I really think it is real progress and could help greatly in reducing the amount of spam and rubbish we are getting in our email inboxes from dodgy sources everyday. I'm not talking about opting-out of newsletters here, but stuff that we never applied for in the first place. I'm sure I am not the only one getting those ...

From a developer perspective it means more work needed to achieve compliance (within 90 days!).

If I understand correctly, the main idea here is Data Privacy, which extends to Customer Control over their Data.
That means we have to ensure that:

- Customers can View, Download and Print (print through download) All their personal data the platform collects, at any time.
- Customers can Close their account at any time (and delete All their personal data).

Now, although having the ability to close an account is great, it does bring the questions: What about the processed orders? the paid Vouchers? the Reviews?
The trick will then be to close the account without affecting the orders and transactions still required for accounting purposes, as they must be kept for another 3 years for tax reasons!
Are Reviews considered private data? surely not.
That's going to be fiddly!

The other interesting clause in this directive is the Data Portability one. I'm not too sure how to interpret that: is it a "Login with Facebook" API type thing reserved for the big Social Media companies? or is it a standardized file format (pdf, xml, csv or else) that can be exchanged between small/medium vendors?
Maybe one of you can help clarifying this ...

I guess from the Overclocked Edition point of view, Affiliates will also need to have similar account features too.

Great! The good news is ... we are all in the same boat Smile

Most Ecommerce platforms will have to step-up to the challenge too. Some will succeed while other will fail. In a way this is a good thing because this will narrow the field of choice down for entrepreneurs looking for an Ecommerce online software solution. So yes! bring it on!
OpenCart Overclocked Edition Lead developer
I'm glad you're ready and up to the challenge! But I believe this is a case of over-regulating things. I don't like that. Maybe I just don't know enough about it though, that's certainly possible.
Found some more interesting things regarding this topic:

1. What constitutes personal data?
Any information related to a natural person or 'Data Subject', that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

2. Consent
The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.

3. Right to Access
Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. 

Some other things we need to do to meet these new regulations:
- We need to deactivate all default opt-ins we might have in place. Customers will need to give explicit consent. This means any pre-checked consent boxes do not count as a valid indication of consent - from what I've seen, we already meet this requirement.

- Data subjects can also withdraw data at any time, which means eCommerce stores should think about any auto-renewals or subscription payments, and how that will work going forwards.

- Data needs to be asked for separately for each purpose. A name and address can be ‘bundled’ for the single purpose of delivering something, but you can't sneak a date of birth into that bundle, as it's not relevant to the purpose.
Here we have 2 options in the Settings that we need to take care of: Request Gender and Request Date of Birth.
If we enable them, we need to offer an explanation on why they are needed, like in the image below.

- Retailers must be aware of third parties they're using to power their website. For example, if any website videos on Vimeo or YouTube are embedded on the website.
“Having an embedded video on your website means that the website is not in control of the data gathered by the embedded resource. This policy highlights embedded YouTube videos on the site being checked.”

- We need an option to quickly download a user report (I would say a PDF) showing all the information we store about that user (email, IP, browser used, address, even the custom fields - gender etc.), and give it to him if he requests it.
Maybe a button like this:
[Image: MQbzdCd.jpg]

- We need to give the user, the ability to delete his account, with us storing limited account data here.

[Image: pn-cop-just-in-time-notice-animation.gif]
I'm making a lot of progress on this  Smile
OpenCart Overclocked Edition Lead developer
(02-25-2018, 09:25 PM)Tango Wrote: - Retailers must be aware of third parties they're using to power their website. For example, if any website videos on Vimeo or YouTube are embedded on the website.
“Having an embedded video on your website means that the website is not in control of the data gathered by the embedded resource. This policy highlights embedded YouTube videos on the site being checked.”

I think the above only need to be clearly mentioned in the Privacy Policy of websites. OCE uses Google Maps and YouTube videos by default but they are optional, so I think it is up to the administrators to ensure they make the customers aware of these external resources, if they choose to use them.

For the rest, I think I have got it all covered now: View, Download and Print personal data, Delete own account, and contextual dialogs for Date of Birth and Gender.

If I missed anything, do let me know.
OpenCart Overclocked Edition Lead developer
Amazing job Philippe!
The system you have implemented works perfectly.

Thanks a lot!
Quick question: aren't the Affiliate accounts covered by GDPR?
If so, shouldn't we add it for them also?
I thought of that too, but came to the conclusion that Affiliates must not have the same privileges as the customers because they have entered a contract with us as re-sellers.

I strongly believe that Affiliates are part of a business relationship with the store owner, they don't buy anything, only benefit from a mutual agreement, so both parties must be protected.

If an Affiliate wants to leave the business agreement, then he/she should notify the store owner personally and settle accounts and terms first, but certainly not be able to leave at the click of a button without notice.
OpenCart Overclocked Edition Lead developer
Signal these extensions:
GDPR Toolkit for Opencart
GDPR Complete Suite

Forum Jump:

Users browsing this thread: 1 Guest(s)