Forums / General Questions / General Data Protection Rules GDPR

General Data Protection Rules GDPR

Results 1 to 20 of 177
06 Feb 2017, 16:29
#1
nickw avatar

nickw

New Zenner

Join Date:
Feb 2017
Posts:
3
Plugin Contributions:
0

General Data Protection Rules GDPR

I'm interested in the implications of compliance with the upcoming GDPR EU-regulation due to be law in May 2018.
06 Feb 2017, 16:50
#2
nickw avatar

nickw

New Zenner

Join Date:
Feb 2017
Posts:
3
Plugin Contributions:
0

Re: General Data Protection Rules GDPR

As I understand it the law will apply to any data system serving EU-citizens, so presumably any ecommerce or CRM website on the internet will need to comply unless it blocks eu-registrations. This article suggests that it maybe advisable to save further data at the time of registration, eg to save a 'consent record' when agreeing to the website terms and conditions, one that includes a copy of the T&C's that were published at the time of registration, to provide sufficient evidence should it be needed.

This is another article I found useful.
06 Feb 2017, 17:04
#3
nickw avatar

nickw

New Zenner

Join Date:
Feb 2017
Posts:
3
Plugin Contributions:
0

Re: General Data Protection Rules GDPR

Actually this article states:
Data encryption shall be used, when possible: Recitals 83 and Articles 6-4(e), 32-1(a)
Data pseudonymization shall be used, when possible: Recitals 26, 28, 29, 78 and Articles 6-4(e), 25-1, 32-1(a)

This article gives further information.
15 Oct 2017, 13:39
#4
andy_c27 avatar

andy_c27

Zen Follower

Join Date:
Oct 2010
Posts:
477
Plugin Contributions:
0

Re: General Data Protection Rules GDPR

or GDPR for short
Can't find anything new about this and time is passing by rather quickly
Can Zencart do this or will it be able to do this in the future as this is something that will be needed in the not to far distant future for most of us in the EU......
Apologies if this can already be done but I can't find much on it in regards to Zencart

Details to a full link https://www.itgovernance.co.uk/data-protection-dpa-and-eu-data-protection-regulation
05 Dec 2017, 14:51
#5
macgrc avatar

macgrc

New Zenner

Join Date:
Dec 2017
Posts:
1
Plugin Contributions:
0

Re: General Data Protection Rules GDPR

What are you expecting Zen Cart to do that it doesn't do now?

In the real world, ie not one populated by scare mongering consultants, the privacy policy has always been up to you, you do not have to auto enrol anyone for anything and you can delete users from the admin panel and/or PHPMyadmin. The only teeny tiny thing missing is a date stamp for when they positively agree to newsletters etc.

All this talk of multi million pound fines is Y2K all over again...... for most normal people and companies it is a non issue.
12 Mar 2018, 16:43
#6
ianhg avatar

ianhg

Zen Follower

Join Date:
Jul 2007
Posts:
345
Plugin Contributions:
3

Re: General Data Protection Rules GDPR

Hi
Can anyone tell me please if the current version of zencart and my older 1.5.4 will OK with the new EU laws due in May this year?
Thanks
Ian
26 Mar 2018, 18:38
#7
congerman avatar

congerman

Zen Follower

Join Date:
Oct 2008
Posts:
392
Plugin Contributions:
0

Re: General Data Protection Rules GDPR

ianhg:

Hi
Can anyone tell me please if the current version of zencart and my older 1.5.4 will OK with the new EU laws due in May this year?
Thanks
Ian


The other major shopping carts have produced plugins for GDPR which include extra check boxes on forms, the right to be forgotten, click here to see what data we hold about you, etc etc. Zen Cart has not yet as far as I can see. You think a boffin would come up with something, even if is is paid for, to help the small shop keepers out here to comply.
27 Mar 2018, 10:08
#8
simon1066 avatar

simon1066

Totally Zenned

Join Date:
Feb 2009
Posts:
1,326
Plugin Contributions:
0

Re: General Data Protection Rules GDPR

Reiterating the last post. While some points of the GDPR are not in Zen Cart's core remit, I think there are a couple of things that will need code adaptations.

The right to be forgotten - allowing the customer to delete their account

As I read it, a user's browser settings can be used as the consent for cookies 'strictly necessary for the legitimate purpose of enabling the use of a specific service requested by the subscriber or user' i.e. Zen Cart cookies. Consent would be needed for analytical/advertising cookies. Not sure if the latter would need ZC core code modifications.

'Even after getting valid consent, there must be a route for people to change their mind' i.e opt-out at any time. As this would have to include ZC cookies I suspect core code changes would be needed.

Probably a lot more questions will arise, hopefully things will be clearer once the final regulations are wriiten - closer to May.
27 Mar 2018, 11:55
#9
lat9 avatar

lat9

Administrator

Join Date:
Sep 2009
Posts:
13,980
Plugin Contributions:
46

Re: General Data Protection Rules GDPR

I took a quick look at the current GDPR documentation and got a headache. Does anyone have a link they could share that boils the bureaucratic babble-speak down into a set of requirements?
27 Mar 2018, 13:06
#10
design75 avatar

design75

Totally Zenned

Join Date:
Dec 2009
Posts:
2,862
Plugin Contributions:
5

Re: General Data Protection Rules GDPR

There was an interesting discussion about GDPR over at the dark side :D (osCommerce forum), and there was this link, that has some useful information
27 Mar 2018, 16:09
#11
mesnitu avatar

mesnitu

Totally Zenned

Join Date:
Aug 2014
Posts:
597
Plugin Contributions:
0

Re: General Data Protection Rules GDPR

Great article.
I guess a new ticket box at registration page is needed ? ( like newsletters ? ), making a new field at customers table ?
I still don't know what it's done with existing customers. Do we have to email them to agree with the new terms ? That would be easy, but, reading this thread, (actually I never thought on that), there is no way that a customer can delete their account now... never search the forum or modules on that.
I don't have 250 employees ( only 249 :smile:), but even so, I think this is a important thread.
27 Mar 2018, 16:57
#12
mesnitu avatar

mesnitu

Totally Zenned

Join Date:
Aug 2014
Posts:
597
Plugin Contributions:
0

Re: General Data Protection Rules GDPR

Right to Access
Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.


https://www.eugdpr.org/key-changes.html

I love EU. It makes us think. So what data is zencart default core, collecting from customers (extra modules apart) ?
Registration fields ( that can or not be required)
Last login / logout
Customer basket

So I guess that one also has to make some kind of export / display at customer page.
27 Mar 2018, 17:19
#13
lat9 avatar

lat9

Administrator

Join Date:
Sep 2009
Posts:
13,980
Plugin Contributions:
46

Re: General Data Protection Rules GDPR

mesnitu:

Right to Access
Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.


https://www.eugdpr.org/key-changes.html

I love EU. It makes us think. So what data is zencart default core, collecting from customers (extra modules apart) ?
Registration fields ( that can or not be required)
Last login / logout
Customer basket

So I guess that one also has to make some kind of export / display at customer page.

That data would include all fields in the following Zen Cart database tables:

  1. address_book (one entry for each stored customer address)
  2. customers (name, email, newsletter opt-in and more)
  3. customers_info (last login, account-creation date and more)
  4. customers_basket, customers_basket_attributes (products, with optional attributes, stored in their basket)
  5. orders, orders_products, orders_products_attributes (orders that the customer has placed, along with the purchased products and their optional attributes).
  6. paypal (if your store uses one of the PayPal payment variants, for any order paid via PayPal).
  7. reviews (could contain the customer's full name)
27 Mar 2018, 17:30
#14
simon1066 avatar

simon1066

Totally Zenned

Join Date:
Feb 2009
Posts:
1,326
Plugin Contributions:
0

Re: General Data Protection Rules GDPR

lat9:

That data would include all fields in the following Zen Cart database tables:

  1. address_book (one entry for each stored customer address)
  2. customers (name, email, newsletter opt-in and more)
  3. customers_info (last login, account-creation date and more)
  4. customers_basket, customers_basket_attributes (products, with optional attributes, stored in their basket)
  5. orders, orders_products, orders_products_attributes (orders that the customer has placed, along with the purchased products and their optional attributes).
  6. paypal (if your store uses one of the PayPal payment variants, for any order paid via PayPal).
  7. reviews (could contain the customer's full name)


and

8. authorizenet (if used)
9. coupon_gv_customer, coupon_gv_queue, coupon_redeem_track (I've never used coupons so not entirely sure what exactly is captured)
10. whos_online (surely not!)
11. files_uploaded
12. products_notification

Non ZC table that will cause a headache - user_tracking!
27 Mar 2018, 17:52
#15
lat9 avatar

lat9

Administrator

Join Date:
Sep 2009
Posts:
13,980
Plugin Contributions:
46

Re: General Data Protection Rules GDPR

simon1066:

and

8. authorizenet (if used)
9. coupon_gv_customer, coupon_gv_queue, coupon_redeem_track (I've never used coupons so not entirely sure what exactly is captured)
10. whos_online (surely not!)
11. files_uploaded
12. products_notification

Non ZC table that will cause a headache - user_tracking!

Thanks for the follow-up!

Note that stores that provide one-time coupons could have issues when removing a customer's account (since the one-time usage is tied to a customers_id). Once the account is removed, the customer is free to re-create their account and, again, enjoy the benefits of that coupon.
27 Mar 2018, 20:31
#16
mc12345678 avatar

mc12345678

Totally Zenned

Join Date:
Jul 2012
Posts:
16,907
Plugin Contributions:
1

Re: General Data Protection Rules GDPR

Also,

13. admin_activity_log
14. coupon_email_track
15. coupon_gv_queue
16. coupon_redeem_track
17. email_archive
18. In addition to the reviews table (perhaps eluded to) reviews_description.

These all potentially contain information about the customer and/or their activities, etc. Yes, even the admin_activity_log contains operations performed on the admin side related to processing a customer's data.
27 Mar 2018, 20:52
#17
lat9 avatar

lat9

Administrator

Join Date:
Sep 2009
Posts:
13,980
Plugin Contributions:
46

Re: General Data Protection Rules GDPR

mc12345678:

Also,

13. admin_activity_log
14. coupon_email_track
15. coupon_gv_queue
16. coupon_redeem_track
17. email_archive
18. In addition to the reviews table (perhaps eluded to) reviews_description.

These all potentially contain information about the customer and/or their activities, etc. Yes, even the admin_activity_log contains operations performed on the admin side related to processing a customer's data.

I'm not sure (and didn't allude to) the reviews_description is a candidate, as it points back to the reviews_id and (unless the customer included personal information in their review) doesn't directly contain customer-specific information.
27 Mar 2018, 21:38
#18
brittainmark avatar

brittainmark

Zen Follower

Join Date:
Apr 2009
Posts:
488
Plugin Contributions:
0

Re: General Data Protection Rules GDPR

Under GDPR do we need consent to tell a customer we have despatched their goods? The way I read it we do. If this is the case then changes will be required to the order system, create account etc. to allow us to know if they want this contact. Additionally changes may be required to admin to allow/block e-mails or any other form of contact that we may choose to make.

Additionally is suggest that all customer data should be encrypted. Would this be a core change to the database/zen cart.
27 Mar 2018, 22:15
#19
mesnitu avatar

mesnitu

Totally Zenned

Join Date:
Aug 2014
Posts:
597
Plugin Contributions:
0

Re: General Data Protection Rules GDPR

But if a site uses SSL I guess it's encrypted.
So, the list gets bigger.
In sum: zencart admin function to delete an account could be "altered" to allow a customer to delete is own account killing the session.
I'm thinking out loud, cause I don't use zencart with his full power and features.
In terms of export data ( still thinking out loud), it seems that two kind of exports have to exists.
One to deal with a customer request, another from some other auditorie .
This could be accomplished using EP4 ( or DB I/O), for a complete export.
The personal data export, could follow the same principles.
Of course this would implie the use of this scripts.
So maybe it's better to start from scratch...
27 Mar 2018, 23:08
#20
gilby avatar

gilby

Totally Zenned

Join Date:
Aug 2005
Posts:
1,816
Plugin Contributions:
0

Re: General Data Protection Rules GDPR

Not sure what "deleting their account" actually means?
What about all their "orders"?
Can't delete those as by law we need to keep this info for at least 7 years for tax purposes here in Oz
As well if you actually deleted "orders" we wouldn't be able to do basic stock control and profit and loss etc....

Perhaps it means renaming the account somehow to keep the actual data but to remove all customer identifying details?
If so then how would you handle cases when the government wants details on who you sold stuff to?

Perhaps it only applies to online data. Maybe you can keep printed offline records of all this stuff?
Just thinking here....