top of page


General Data Protection Regulation

Deadline for compliance: May 25th 2018

We have 2 Magento extensions for GDPR

We have built two extensions for GDPR, one to manage Consent and the other the Cookies.


General Data Protection Regulation

We have two extensions to manage your GDPR compliance


General Data Protection Regulation

We have two extensions to manage your GDPR compliance

Consent Extension

This extension creates a new section in the checkout and the create new account page to allow you to get consent from your customer for the website, catalogues, newsletters & 3rd party mailings (depending on which you have).

All consent is date stamped and a timeline kept of each customers changes.

New Privacy section in the My Account section - These options will be manageable within a new Privacy page in the My Account section.


We can link into your existing extensions to change a customers consent preferences.


Please note: This extension has been built to run on a standard installation of Magento with no third party extensions or services attached. Should you have a third party checkout then extra work may be required to get it to display correctly. If you have third party extensions / services to manage your newsletters, catalogues or third party mailings then extra work may be required to plug into these.   

Cookie Extension

This extension gives the option to turn off 3rd party cookies and will actually turn them off.

Some cookies are essential to the running of the website and these we do not need to gain consent for, third party cookies such as Google Analytics and other tracking cookies, Youtube, Facebook, Twitter, Vimeo etc. are not essential and these we do need to gain consent for.

It will look like many of the other consent extensions that everyone is used to seeing.

Our cookie extension will turn off 3rd party cookies if this is chosen by your customer. 

As part of our work the essential and third party cookies will be split and the extension will then turn the third party cookies off if consent is not given, this will inevitably mean that some functionality in the site will not work and this is to be expected. 

New Privacy section in the My Account section - These options will be manageable within a new Privacy page in the My Account section.





Customer Request to View Data & Data Portability:

The ICO give you 30 days to respond to a request from a customer to see what data you have and to delete their data. We think that a section in a new Privacy page on your site that clearly says to the customer that if they want a copy of their data or if they want you to delete their data then they should get in touch with this request. The data can then be exported from Magento as required.

We think that this is much better dealt with face-to-face, so to speak.

Customer Request to Delete Data:

The ICO also say that you should not keep your customers data for any longer than necessary. Most companies seem to be heading for keeping data for 6 years and and then deleting. This functionality we will look at building into our consent extension in the near future.

In my mind I thought that it wouldn’t have been too far off the cost of an individual patch, could you maybe educate me as to what is being carried out compared to a patch install:

These are 2 extensions and so it should be viewed as if you are adding extensions not patches. Also, normally extensions do not interact with other extensions and that is where this one differs, it has to be able to control the data going through other extensions. If the customer does not want their data shared then these extensions have to stop that data and that is why there is a lot of config required to install them. Otherwise you would just be ticking a box that didn't actually do anything. GDPR says you have to act on your customer's choice and that's what these do, they physically stop data.

We can help you become GDPR compliant

We are operating on a first come first served basis. To add your name to the list get in touch without delay.

What is the General Data Protection Regulation (GDPR)?

Mandatory for all companies interacting with EU residents, regardless of where the company is located/headquartered and includes very hefty fines for any violation.

Sets requirements for the handling of personally identifiable information (PII), this includes:

Data collection – web, offline, POS, CRM.

Data storage – short term, data backups.

Data transfer – between companies.

Internal and external oversight – Information officer, government audits.

Deadline for compliance: May 25th 2018

These are some of the things you will need to do...

1. You must notify consumers of data collection, about the data you intend to collect and how it will be used. Data collection cannot occur prior to notification. 

2. You must receive consumer consent for data collection. Data collection must be blocked prior to consent. EU residents also have the right to amend or revoke authorisation at any time and this must be provided in an easy accessible format. Worth noting is that the GDPR explicitly highlights that inaction cannot be considered consent.

3. You must prevent unauthorised data collection. This includes data that is transferred to 3rd parties you may use.

4. You must be prepared for an audit of your data collection practices. Companies must be able to prove compliance (an event-level audit log of all user interactions) when audited by a Supervisory Authority (SA), which includes the ability to prove that consent was received for collected information. This includes setting out the data processes you use, what you use to hold that data, how long you intend to hold that data and be able to justify that decision, how you intend to destroy that data at the end of that period and what you would do should you have a data breach along with member/s of staff responsible for these processes.

bottom of page