Deciding to start an e-commerce business, the first point to think over is what platform to choose. Each has its own pluses and minuses. Your choice surely will depend on their functionality.

Yet every online store owner should remember the importance of protection of customers’ data.  The key point here is privacy by design. It is not a new concept as it has been always included in data protection. Now it is a part of the law, i.e. the General Data Protection Regulation (GDPR). So skipping out on this regulation will put you at disadvantage, both legally and financially. Under the GDPR it is a juridical requirement to consider data protection and privacy policy from the start of an online store.

In this article, we focus on foundation concepts of Privacy by Design and how to ‘bake in’ data protection into your store operation. 

What are the basic principles of Privacy by Design?

Implementing privacy into design

Not every platform have inherently integrated privacy regulations. You need to embed necessary technical solutions into your service so that customers don’t have to take any special action to protect their privacy. It should be done by default, or by design.

You have to provide a simple way to make customers aware that the data they give is used and for certain purposes and is stored safely. For example, showing confirmation for data usage, while customers are registering, logging in, leaving a comment or another action is helpful. You could provide any notification with a link to your privacy policy or terms and conditions, as well as place them in the footer.

Full lifecycle data protection

Apply sound security measures from the first steps of ‘data lifecycle’ and continue to do it till the data is completely destroyed. Processing data, you always need to keep it safe. Encryption can be helpful for the storage of the sensitive data. The Magento uses encryption key for this purpose, which is generated during the Magento Installation.

It’s better no to forget about your responsibility for any data you take at every step. You can share information with a third party, delete data when there is no longer need in it. Anyway, all operations should be done securely.

You need to think over in advance about the limits of users’ access to their personal information, create a certain policy of “need to know” and apply it consistently throughout every stage of the data lifecycle

You need to make it not only possible but also convenient for customers to export all gathered info concerning them. For registered customers, it can be a special section in their accounts. And if customers are guests, you can add a link in the footer on your website, with the help of which they can enter an email where to send data in machine-readable format. 

Data minimizing

To minimize data means you only collect necessary information. Yet it must be sufficient to deliver your service properly. From the beginning you should decide how transparent on data processing to be and how much you can know about customers.

For example, there is a point in the law about 16 years old limit to leave personal data either while making an order or during registration, that is why to request age confirmation is quite rightful. It can be a checkboх to tick so that anyone doesn’t need to enter the exact date of birth. That is a good thing not to require any additional information from customers that in fact, you don’t need.

Giving freedom of actions

Customers should be free for managing any action. Offering strong privacy defaults and providing individuals with controls is crucial. This includes allowing to delete personal data, check its relevance and make corrections. It can be done with or without making a request to the admin.

Users must be able to withdraw the consent given by them with simple and efficient means at any time. All depends on the type of a customer, whether it’s a subscriber, guest or registered customer. The correspondent options for them are to unsubscribe, to erase bits of their information and delete an account at all.

Don’t be intrusive and don’t anticipate what your users have to do. As an example, there can’t be any pre-ticked boxes in your store. Leave the right to confirm and choose to your clients. 

Preventing of data breach instead of rectifying it 

Now it is in the first place to prevent any violations concerning processing personal data rather than to respond to a breach after it happened. Design is the best way to protect user information. A platform should have a possibility at least to encrypt personal data.

To destroy customers personal data, you can use two ways: if you delete personal data in Magento by default, some data will remain. But when you customize the settings, it’s possible to replace data that can’t be destroyed (e.g. from orders) with anonymous data. Thus you assure that any leakage will not take place in future.

Being trustworthy with customers

Besides all already mentioned points, do not forget that your policies are to be written in a clear language and have distinctive structure. To provide quick access to your terms you can link customers directly from the footer or checkboxes in main forms of the website. In such a way you earn the trust of your customers as they will know what to expect with the usage of their information.

As well you can send emails to customers to notify about changes in Privacy Policy. Asking to confirm updated policy is a plus to you. So customers will enjoy continuing using your service, knowing that their data are secured.

Control periodically the relevance of customers data you hold, and delete anything you don’t need. With special settings, you can send requests for refreshing personal data with a certain frequency. Once you enable it, you don’t think about checking anymore. For example, here in the admin panel, you can mark the checkbox that the content of privacy policy was updated and all your customers get notifications.

As you see it is not an easy task to put into practice all these guidelines. You should be sure that the store does not contradict the law requirements. It’s necessary to consider these numerous points and find how to cope with them.

With implementing certain technical measures, you can advance your e-commerce and create it in conformity with the regulation from the first design stages. Magento is an open source e-commerce platform and has unlimited customization options. And Extait provides a reasonable solution for making your store GDPR compliant from the very beginning.