On 25 May, the new AVG (the Dutch name for the General Data Protection Regulation) comes into effect. In this blog we give an overview of the actions this legislation requires of you with regard to your Magento webshop.
What is the AVG?
The General Data Protection Regulation, known in Dutch as the AVG and in English as the GDPR, is European legislation that protects personal data. It applies to every organisation based in the European Union that processes personal data. In short, the law states that you may only process personal data lawfully, properly and transparently. For a complete overview, please refer to the website of the home shopping guarantee scheme, where the main topics are described in detail.
What does the AVG mean for your webshop?
Every webshop processes personal data. Below we list the most important actions you need to take as a webshop owner to make sure your webshop complies with the legislation.
- Updating your cookie statement and privacy policy
As a webshop owner, you need to inform your visitors and customers about what data you collect and for what purpose. In addition, a customer has to consent to the cookies your website uses and must be able to change that choice later. To comply with this, we recommend using Cookiebot, a standard solution that automatically scans your website and lists the cookies it actually sets. This saves you from having to check for new cookies every month and adjust your privacy policy by hand.
- Secure webshop environment
Because you, as a webshop owner, are responsible for handling personal data carefully, it is all the more important that your webshop is secure. At a minimum, your shop should have the following in order:
- SSL/TLS encryption (HTTPS)
- Up-to-date software: running an outdated Magento version leaves you exposed to known vulnerabilities
- Password policy: enforce strong passwords, decide how often passwords must be changed, and review who has access to which systems.
- Retention & deletion of personal data
A key point of the legislation is that personal data is not kept when it is no longer necessary, and that customer data can be deleted on request. Keep an internal record of which data is stored in which systems and for how long.
- Processing agreements
The new legislation makes a processing agreement mandatory whenever another organisation can access the personal data your company holds. That is why you will receive a processing agreement from us, for example: our support staff have access to customer data.
- Google Analytics data
If you use Google Analytics, a number of adjustments need to be made, because Google Analytics processes privacy-sensitive information. To comply with the AVG in this respect, the following adjustments are required:
- IP addresses must be anonymised.
- A processing agreement must be concluded with Google.
- Data sharing of your statistics with Google must be disabled.
If you need help with these steps, please contact us.
- Plan in the event of a data breach
Finally, prepare a plan for the event that data does get leaked. If a breach happens, you must report it within 72 hours, and you must also be able to demonstrate what actions you have taken.
Need help with these steps?
If you need help with these steps or have questions about any of these topics, please contact us. We will be happy to help you comply with the AVG legislation.