Reach Digital - 18 December 2017
General Data Protection Regulation for eCommerce
GDPR for eCommerce
This document is intended to determine the recommendations and responsibilities for an eCommerce merchant to adhere to the GDPR regulations. (Note 1)
• The GDPR legislates ‘common sense’ for Personal Data.
• The GDPR is created to protect the personal information of every person in the EU.
• The GDPR is a single legislation that will apply to all member states of the EU.
• The GDPR will enforce heavier penalties when data breaches occur.
Note 1: This is not a legal document. This is provided as a technical interpretation of the guidelines.
Table of contents
1. Roles
2. Personal Data
2.1. Personal Identifiable Information is not equal to
Personal Data
2.2. Giving consent for Personal Data
2.3. Right of access
2.4. Right to erasure
3. International companies
4. Breaches
5. Penalties
6. Data Minimisation
7. Pseudonymisation
8. Record keeping
9. General summary
10. GDPR for Magento
1. Roles
The main new part of the GDPR is the set of responsibilities of the Data Processor. The Data Controller (merchant) already has a lot of these responsibilities.
Data Subjects ‘Natural person / customer’
• For the scope of GDPR: This is a citizen or resident of an
EU member state.
• The natural person is the rightful owner of the personal
data not the organization holding it.
Data Controller ‘Merchant’
• The organization that collects data from EU citizens or
residents.
• Determines the purpose, conditions and means of processing personal data
• Existing DPD obligations (UK)
Data Processor ‘Hosting’:
• Processes data on behalf of the Data Controller
• Services like Cloud Providers
• Has direct statutory obligations
• May be subject to direct enforcement
Data Protection Officer:
• Directed by a company engaged in “regular and
systematic monitoring of individuals on a large scale”
• Works independently to ensure that an entity is
adhering to GDPR regulations
• Penalties exist when a company doesn’t have a DPO.
• A DPO is required when certain criteria are met
• This role has existed since 1979 in Germany
Data Protection Authority
• National Authority tasked with the protection of data.
• They have the powers to enforce

2. Personal Data
Any information relating to an identifier or identifiable
natural person (data subject).
Examples:
• Name
• Date of birth
• Address
• Mobile device ID
• Social media posts
• Photographs (Note 2)
Sensitive Personal Data
• Race
• Ethnicity
• Sexuality and Sex life
• Philosophical beliefs
• Trade union memberships
• Health
Genetic & Biometric Data
• Gene sequence
• Fingerprints
• Facial recognition
• Retina scans
Note 2: Some IoT devices collect data that could become sensitive, for example heart rate monitors.
2.1. Personal Identifiable Information is not equal to Personal Data
Personal Identifiable Information is Personal Data, but Personal Data is not always Personal Identifiable Information.
Examples:
• A photograph of a landscape is not Personal Identifiable Information, but it is Personal Data.
• An IP-address alone is Personal Data (but isn’t in the US,
so definitions differ from country to country)

2.2. Giving consent for Personal Data
• Freely given: Data Subjects must give consent without
detriment
• Specific: The consent must be intelligible
• Informed: The purpose the data will be used for
• Unambiguous: “clear affirmative action” to signify
consent.
This will happen in the form of a message that is easily readable to the customer, in which the customer gives consent.
A child is required to obtain parental or guardian consent for any data processing activity.
Giving explicit consent for Sensitive Personal Data
Sensitive Data Collection differs from Personal Data in that the Data Subject must give Explicit Consent: checking a box that clearly states how the data will be used.

2.3. Right of access
Data Subject may obtain confirmation that their data is
being processed and gain access to the data itself.

2.4. Right to erasure
• Data Subject may request erasure of their data when
there is no compelling reason for it to be retained.
• Data should also be erased when the Data Subject
withdraws consent.
• Data should be stored as long as it is needed and then
it should be removed.

3. International companies
“This Regulation applies to the processing of personal data
of Data Subjects who are in the Union by a controller or
processor not established in the Union”
If you target the EU you are required to follow GDPR.
- EU Office
- EU Currencies
- EU Languages
- EU Domain names
If you offer a service that doesn’t explicitly target the EU,
you are not required to adhere to GDPR.

4. Breaches
“As soon as the controller becomes aware that a personal
breach has occurred, the controller should notify the
personal data breach to the supervisory authority without
undue delay and where feasible, not later than 72 hours
after having become aware of it.” —Article 33, paragraph 1
In case of a breach the following information should be
provided to the supervisory authority:
- Categories of data
- Approximate number of Data Subjects concerned
- The likely consequences of the breach.
- Any measures to mitigate the effects
There is one major caveat to this:
“Unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
This means that in general all Personal Data breaches must be reported.
5. Penalties
When data is breached a penalty can be given:
“A fine up to €20M or 4% of the annual worldwide turnover
of the preceding financial year in case of an enterprise,
whichever is greater.”
This is the heaviest penalty available, but there are smaller fines, for example when “the obligations of the data controller aren’t met”:
- Smaller fines: Up to €10M or 2% of gross worldwide turnover
- Audits: Regular periodic data protection audits
- Warnings: A warning in writing in cases of first and non-intentional non-compliance.

GDPR talks about the penalties as
• Effective
• Proportionate
• Dissuasive

6. Data Minimisation
Protection by Design and by Default. The objective is to
always protect the data.
“Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”
It tries to battle ‘Data Maximization’: store as much data as you can.
What Data?
“Determining whether someone is 18 years or older requires you to ask for their birthday, but once you know that someone is old enough, you do not need this information anymore.”
How Long?
“Signing up for a competition requires the data; the data is stored as long as the competition runs, and storing it afterwards is no longer necessary.”
Where?
“How many locations does that data need to exist in? Does
it really need to be in all those systems?”
What purpose?
“Is the data being used solely for the purpose it was
provided for? We see it being used for something different.
To promote something different or market another
product.”

7. Pseudonymisation
“‘Pseudonymisation’ means the processing of personal
data in such manner that the personal data can no longer
be attributed to a specific data subject without the use of
additional information.”
It significantly reduces the risk in case of a breach: there should be no impact on the individuals themselves. This is the common sense part of the GDPR.
• Encryption: Encrypted data can be leaked, but without
the private keys the individuals aren’t harmed.
Encryption at rest and Encryption in transit
• Hashing: Data can still be compared, but can’t be
unhashed.
• Masking: Replacing all or parts of the data. “Partial data
email addresses do not leak the complete email
address”
• Aggregation: So rather than individual records, rolling it
up in to a non-identifiable aggregation of that data
helps.
• Indirect references: Refer to the data subject through an indirect identifier instead of a direct one
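The five techniques listed above, worked through on a constructed customer set as an added example (not code from the deck or from Magento): a keyed hash as the pseudonym, e-mail masking, aggregation to postcode areas with small groups suppressed, and a token table that gives the shared data set only indirect references. The customer records, the key value and the 4-digit postcode area are assumptions made for the example; in practice the key and the token table are the “additional information” that must be stored apart from the pseudonymised data.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample customer records (not real people). The fields mirror what a
# shop typically stores: e-mail address, postcode and an order total.
CUSTOMERS = [
    {"id": 1001, "email": "anna.jansen@example.com", "postcode": "2371TS", "total": 120.0},
    {"id": 1002, "email": "b.devries@example.org", "postcode": "2371AB", "total": 80.0},
    {"id": 1003, "email": "c@example.net", "postcode": "1012CD", "total": 45.0},
]

# The pseudonymisation key is the "additional information" in the GDPR definition.
# It belongs in a secrets store, kept apart from the pseudonymised data set. A fixed
# value (hypothetical) is used here only so the example is reproducible offline.
PSEUDONYM_KEY = b"constructed-example-key-keep-elsewhere"


def pseudonym(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of an identifier.

    A plain hash of an e-mail address is not much protection: the input space is
    small enough to try candidates. Adding a key means only the key holder can
    re-link the pseudonym. Equal inputs still give equal outputs, so records from
    different systems can be joined without exposing the address.
    """
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()


def mask_email(email: str) -> str:
    """Masking: keep one character of the local part plus the domain, e.g. a***@example.com."""
    local, _, domain = email.partition("@")
    if not domain:
        raise ValueError("not an e-mail address")
    return local[:1] + "***@" + domain


def aggregate_by_postcode_area(customers, min_group=2):
    """Aggregation: roll individual records up to 4-digit postcode areas.

    Areas with fewer than min_group customers are suppressed, because a group of
    one is still an individual record even with the name stripped off.
    """
    totals, counts = Counter(), Counter()
    for c in customers:
        area = c["postcode"][:4]
        totals[area] += c["total"]
        counts[area] += 1
    return {area: {"customers": counts[area], "revenue": totals[area]}
            for area in counts if counts[area] >= min_group}


class IndirectReference:
    """Indirect references: the shared data set carries random tokens; the
    token-to-customer mapping lives in a separate, access-controlled table."""

    def __init__(self):
        self._by_token = {}
        self._by_id = {}

    def token_for(self, customer_id: int) -> str:
        if customer_id not in self._by_id:
            token = secrets.token_hex(8)
            self._by_id[customer_id] = token
            self._by_token[token] = customer_id
        return self._by_id[customer_id]

    def resolve(self, token: str) -> int:
        return self._by_token[token]


def pseudonymise(customers, refs: IndirectReference):
    """Build the record set that may be handed to analytics or a marketing tool."""
    return [
        {
            "ref": refs.token_for(c["id"]),
            "email_pseudonym": pseudonym(c["email"]),
            "email_masked": mask_email(c["email"]),
            "postcode_area": c["postcode"][:4],
            "total": c["total"],
        }
        for c in customers
    ]
```

The output of `pseudonymise` contains no name or full address; a leak of that set harms nobody unless the key and the token table leak with it, which is why those two live elsewhere. Encryption at rest and in transit is the one item not shown here, since it is a property of the storage and the connection rather than of the record layout.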
8. Record keeping
Each controller (and where applicable, the controller's representative) shall maintain a record of processing activities under its responsibility.
• Name and contact details of the controller
• The purpose of the processing
• The categories of data subjects and categories of
personal data.
• Categories of recipients to whom the personal data
have been or will be disclosed.
• Any transfer of the data to another country or
international organization
• Time limits for erasure.
• Technical and organizational security measures.

Exceptions
The Record Keeping obligations shall not apply to an
enterprise or an organization employing fewer than 250
persons. Except:
• If the processing is likely to result in a risk to the rights and freedoms of data subjects.
• If the processing is not occasional
• The processing includes special categories of data:
Sensitive personal data or Genetic and Biometric data

9. General summary
• Are you in Scope: Establish whether GDPR affects your business
• Understand your data: What do you have? Where is it?
Whose is it?
• Data Minimization: Retain only that which is adequate,
relevant and limited.
• Pseudonymisation: Protect the data that you have to the full extent possible.
• Protection by Design: Begin with this at the inception of
the business concept.
• Common Sense: GDPR is regulating things that already
make sense!

10. GDPR for Magento
Please note again: This is Reach Digital’s interpretation of the information available on the subject. This is not legal advice.
Magento does not store Sensitive Personal Data, but does store Personal Data. This means that you do not need Explicit Consent to store data.
To store Personal Data, a Magento shop needs Consent that is: Freely given, Specific, Informed, Unambiguous.
Magento currently offers a way to inform customers about the current Cookie policies; the texts should be amended to also obtain the GDPR consent.
Right to access: When a customer requests access, it should be possible to provide all information to the customer. It currently is possible to export all the information from Magento.
There are no automatic systems in place to provide this functionality. Customer Service representatives can export this information manually.
Right to erasure: When a customer requests erasure, it should be possible to delete all information from Magento.
By default it is possible to delete a customer completely, but it is not possible to delete order information.
When a company is larger than 250 people you need to track all your information that is sent to other companies or to companies outside the EU.
Magento EE Admin Logging does track some of the
transactions.
Magento Order Comments track basic connection
information.
All connections that use API’s (Shipping, Payment
Service Providers, Marketing tools) should include
extensive logging and keep those logs for a long
time.
You are not allowed to send information to new services the Data Subject hasn’t given consent to. For example: if you never asked for consent to send Upsells via email, you aren’t allowed to.
A system should be built to upgrade a customer to the latest ‘Data opt in’ when the customer visits the site.
You are required to host your Magento shop on a ‘Data
Processor’-compliant server / organization. This doesn’t
mean that you *need* to store information in the EU.
We expect Hosting companies we do business with
to adhere to the GDPR rules.
Data breach impacts should be minimized: Encryption, Hashing, Masking, Aggregation, Indirect references.
Take security seriously, if you don’t design with
security in mind you’re doing it wrong.
Magento 2 EE’s database separation is a great
example of the Indirect References.
Magento 2 offers top notch password hashing.
Conclusion
The new regulations seem to be a reasonable step forward in the always changing digital landscape. With the recent breaches like the ‘Equifax’ hack it becomes more and more clear (Note 3) that companies don’t even implement the most basic measures.
We expect that there will be fines when large sums of personal data are leaked, but we expect the largest companies to be fined first before the regulators go after smaller companies. The legislation isn’t in effect yet; we’ll have to wait and see how heavy the penalties will be.
Questions?
Paul Hachmang
paul@reachdigital.nl
Note 3: Information is taken from: www.informationisbeautiful.net
Reach Digital
Veenderveld 5, 2371TS
Roelofarendsveen
KvK 61711454
BTW NL818554071B01

IBAN NL03KNAB0256355622 
info@reachdigital.nl
www.reachdigital.nl
071 744 0084

Magento checklist AVG / GDPR - Algemene Verordening Gegevensbescherming (General Data Protection Regulation)
