GDPR solution for Magento 2? Let’s see

As you all would have heard by now, GDPR is here. And although most consumers aren’t that bothered about the new regulations, it still affects most eCommerce businesses, especially those with customers in the EU.

Well, today I was invited to a webinar hosted by Aheadworks to watch a demonstration of their upcoming GDPR Extension for Magento 2. I’ll cover some of the highlights and features of their upcoming extension (along with my first impressions) and see if it really is the GDPR solution for Magento 2 that we all need.

So the aheadworks GDPR extension allows your customers to exercise their rights to access, correct and delete their personal data – a regulatory requirement of GDPR. And it allows you, as an administrator, to review those requests and monitor their progress easily from the backend of Magento.

Although GDPR consists of many new rules and regulations, this extension sets out to cover the following 4 use cases:

  • Keep customer data legitimate
  • Make personal data accessible to customers
  • Right to erasure
  • Consent date and time logging

Some of these tasks can already be done manually right now. But running a business doesn’t leave us with a lot of time on our hands – let alone the time to dig out a customer’s data from Magento by hand and send it to them or anonymise it. I’ve already had to carry out one such request on a Magento store for a customer and it was definitely a time killer. So having a system to automate the process is definitely a huge win. If by now you’re already interested, you can order your new GDPR extension by aheadworks here. You can also find a collection of other Magento 2 Extension Reviews here on our website.

Collecting consent: Checkout

A guest looking to purchase something from your eCommerce store is now presented with a popup at the checkout. This popup asks the customer for consent to collect and process their personal data.

As you can see, there are 4 things the customer can interact with.

  1. The first is a link that will take the customer to your Privacy Policy page, if they wish to review that information.
  2. The I AGREE button allows the customer to continue with the checkout process.
  3. The I DISAGREE button presents a warning. This notifies the customer that you won’t be able to take the order because you can’t process their personal data.
  4. Finally, the ASK ME LATER link takes the customer back to the homepage.

Collecting consent: Account Registration

A guest customer looking to create an account before making a purchase from your store will notice that a checkbox has been added to the registration form. A customer will not be able to create an account until they have provided consent for you to use their data. This also means that they won’t have to keep providing consent at the checkout when they make future purchases.


Collecting consent: Existing customers

An existing customer, who registered with your website before you installed this extension, will see something slightly different. When they next log into their account, they will be presented with a popup giving them 3 options.

The first is to dismiss the notification. However, the notification will continue to be displayed whenever they load a new page.

The second is the I AGREE button, which provides you with their consent and allows them to continue.

And the third is the I DISAGREE button, which takes them to a section of their account where they can either request that their personal information be deleted, or request a copy of the personal data that you already hold about them.

Request Verification

When an existing customer decides to make a data request (which can be done from within their account), they’ll be asked to confirm their identity by clicking a link in an automated email that is sent from your store. This applies to both the removal of personal data and the request for a copy of personal data.

Once they have verified their identity by clicking the link in the email, the request will be submitted to the backend of Magento where you can administer it.
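As an added example (this is not code from the extension or from aheadworks, and it is written in Python rather than Magento’s PHP to show the mechanism on its own), here is the shape of the check that sits behind a verification link like the one described above: the link carries a token bound to the customer and the request type, signed with a store secret, that expires and can only be used once. The secret, the function names and the timestamps are assumptions for illustration.

```python
"""Added example: email-link verification for a GDPR data request.
Not part of the aheadworks extension; names, secret and timings are assumed."""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Assumed per-store secret. In a real deployment this comes from configuration,
# never from source code.
STORE_SECRET = b"example-store-secret-do-not-use"
TOKEN_TTL_SECONDS = 24 * 3600          # link is valid for one day
REQUEST_TYPES = {"access", "erasure"}  # copy of data / removal of data


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the token payload, keyed with the store secret."""
    return hmac.new(STORE_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(customer_id: int, request_type: str, now: int) -> str:
    """Build the token that goes into the verification email link.

    The payload binds customer id, request type and expiry together, plus a
    random nonce so every link is unique and can be marked as used.
    """
    if request_type not in REQUEST_TYPES:
        raise ValueError("unknown request type")
    nonce = secrets.token_hex(16)
    payload = f"{customer_id}:{request_type}:{now + TOKEN_TTL_SECONDS}:{nonce}"
    return f"{payload}:{_sign(payload)}"


class RequestQueue:
    """Stands in for the backend request grids: holds verified requests and
    remembers which nonces have already been consumed."""

    def __init__(self) -> None:
        self.pending: list[dict] = []
        self._used_nonces: set[str] = set()

    def verify(self, token: str, now: int) -> tuple[bool, str]:
        """Validate a clicked link. Only a valid, unexpired, unused token with a
        correct signature submits a request to the backend."""
        parts = token.split(":")
        if len(parts) != 5:
            return False, "malformed"
        customer_id, request_type, expiry, nonce, signature = parts
        payload = ":".join(parts[:4])
        # Check the MAC first and in constant time, so tampered fields are
        # rejected before they are interpreted and timing leaks nothing.
        if not hmac.compare_digest(_sign(payload), signature):
            return False, "bad signature"
        if now > int(expiry):
            return False, "expired"
        if nonce in self._used_nonces:
            return False, "already used"
        self._used_nonces.add(nonce)
        self.pending.append(
            {"customer_id": int(customer_id), "type": request_type, "verified_at": now}
        )
        return True, "submitted"


if __name__ == "__main__":
    queue = RequestQueue()
    link_token = issue_token(42, "erasure", now=1_000)
    print(queue.verify(link_token, now=2_000))   # first click submits the request
    print(queue.verify(link_token, now=2_000))   # second click is rejected as a replay
```

The point of binding the request type into the signed payload is that a link issued for a copy-of-data request cannot be edited into an erasure request; the signature check fails before anything is deleted. The nonce set is what makes the link single-use, so a forwarded or leaked email cannot be replayed later.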

Email Templates

From the backend of Magento, you can choose which contact is displayed as the sender of the GDPR emails, as well as the templates you wish to use. These templates can also be modified in the backend of Magento, which is very useful if you want to fine-tune any wording.

Administration: Existing Customers

There are also 3 additional pages that can be found in the backend of Magento. The first lists all of your existing customers. Specifically, it tells you whether consent has been provided, along with the date and time the consent decision was recorded. It’s also possible to erase a customer’s personal data from here by using the ACTIONS tab. As you can see, it anonymises the existing data with a string of asterisks. It’s important to note that although the personal data does get removed, the sales record will still exist within Magento.

By now you might be wondering how you would cater for after-sales services. For example, how do you as a business owner follow up on a product warranty if a customer contacts you after their data has been removed? Well, that is a limitation of GDPR (not the extension). Once a customer has had their personal data removed, you can no longer identify them as an existing customer, so in practice they give up any after-sales services tied to that identity. (GDPR itself does not require you to erase records you are legally obliged to keep, such as invoices, which is why the sales record survives without the personal details.) Just be sure to highlight this clearly in both your Privacy Policy and your email template.

Administration: Personal Data Request

The next page shows a list of customer requests for a copy of their personal data. As you can see from the table, there is a Status column that tells you whether a request still needs to be actioned or has been dealt with, along with the date and time of the request and of its resolution.

From the ACTIONS tab, you can choose to download the customer’s personal data as either a PDF or an XML file. You’ll also notice that there are options to update the status of each request. This is a useful feature for keeping your colleagues informed, so that two of you don’t try to resolve the same request.

Administration: Personal Data Removal

Finally, we have a table listing all of the customer requests for the removal of personal data. This works in the same way as the last table that we looked at. However, changing the status to COMPLETE will remove the customer’s personal data from the database.

More to come…

So right now, the features that I’ve discussed make a great start to help us get Magento 2 ready for GDPR. In fact, I’d say it’s been the best solution that I’ve found so far. Bear in mind that some features may change (or get added) before launch.

The beauty of this extension is that aheadworks also plan to keep improving it after it launches. Some of the planned features include:

  • Email notifications to administrators when a customer makes a request
  • Display all of the customer’s personal data that’s held in Magento from their account page, including data in third-party apps like Mailchimp
  • Collection of Cookie consent
  • Timeline to allow administrators to keep a progress check on data requests
  • Integration with more of their own extensions

How much?

The listed price of this extension is $199, which isn’t bad when you look at the current features and what’s to come. However, if you get in on the pre-order, you can save yourself a good chunk of cash and only pay $139. There isn’t a final launch date just yet, but I’m told they expect it to be by the end of next week. So if you’re interested in this extension or would like to learn more, check out this link for the GDPR extension by aheadworks.

What other solutions have you found to help get Magento 2 ready for GDPR? Please, share in the comments below.