Unless you have been living on a deserted island, you have probably heard about GDPR. The GDPR is one of the most comprehensive data privacy laws to date and is bound to affect your online business (or company) if you operate or have customers within Europe. Every business is different, and some of you will need more preparation than others to bring your nopCommerce site into compliance with GDPR. But there is no need to panic. Here is a handy breakdown of what GDPR is, how it affects your online business and, most importantly, how you can prepare your nopCommerce site for GDPR.
Let’s get to the point - What is GDPR?
GDPR (General Data Protection Regulation) is the European Union's new data privacy law, which changes how all companies collect, use and share the personal data of their European customers. The regulation entered into force on May 24, 2016 and has applied since May 25, 2018. The regulation is an essential step to strengthen individuals' fundamental rights in the digital age and to facilitate business by clarifying the rules for companies and public bodies in the digital single market. For more information (please refer to this source): https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Going forward, any sort of personal data collection must be opt-in, stored securely and used only with the customer's consent. Here is an example of how your new cookie consent should look under GDPR:
Under GDPR, the data subject has the right to request (or obtain) all the personal information the controller has saved about them, and the right to be forgotten (i.e. to request that it be deleted completely). Regardless of where you are based, GDPR applies to all companies that offer products or services to customers in Europe.
What is considered “personal data”?
Personal data is any information that relates to an identified or identifiable living individual. It can be anything from an email address to a name, a billing address or even an IP address. Different pieces of information which, collected together, can lead to the identification of a particular person also constitute personal data. Here are some examples of what is considered “personal data”:
- Name (or surname)
- Email address
- Home address or location information
- IP address
- A website cookie ID
For more information (please refer to this source): https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
Configuring your nopCommerce site for GDPR
In the latest release (version 4.1), many new settings have been added in the administration area that make it easier for store admins (business owners) to prepare for GDPR. You can enable GDPR settings on your nopCommerce site by going to: Administration > Configuration > Settings > GDPR settings
Additional settings allow you to capture a log of the following activities:
- Log "newsletter" consent
You can easily add consents on your nopCommerce site by clicking the “Add consent” button:
While adding a consent, you can define different options such as:
- Whether the consent is required
- Whether the consent is displayed during registration
- Whether the consent is displayed on the customer info page in My account
Here is an example of a consent option on the customer info page:
If you have enabled the consent log settings, you can see the log activity by going to: Administration > Customers > GDPR requests (log)
When the GDPR setting is ENABLED, the store owner can also perform actions like:
- Permanent deletion of customer record
- Exporting customer data
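To make the consent log, export and permanent deletion described above concrete, here is an added illustration written for this post. It is not nopCommerce's own code; the type and member names (GdprConsent, GdprLogEntry, GdprService) are assumptions kept close to the admin options named here, and the sample customer and consents are constructed. It also shows a point the admin screens hide: the erasure step must scrub the identifying details that were copied into earlier log rows, while keeping the request type and timestamp as evidence that the request was honoured.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
public enum GdprRequestType { ConsentAgree, ConsentDisagree, ExportData, DeleteCustomer }
public record GdprConsent(int Id, string Message, bool IsRequired, bool DisplayDuringRegistration);
// CustomerInfo copies the e-mail into the log row; that copy is what the erasure step must scrub.
public record GdprLogEntry(int CustomerId, string CustomerInfo, int? ConsentId,
                           GdprRequestType RequestType, string Details, DateTime CreatedOnUtc);
public class Customer { public int Id; public string Email = ""; public string Name = ""; }
public class GdprService
{
    private readonly Dictionary<int, Customer> _customers = new();
    private readonly List<GdprLogEntry> _log = new();
    public IReadOnlyList<GdprLogEntry> Log => _log;
    public void Register(Customer c) => _customers[c.Id] = c;
    private void Add(Customer c, int? consentId, GdprRequestType type, string details) =>
        _log.Add(new GdprLogEntry(c.Id, c.Email, consentId, type, details, DateTime.UtcNow));
    // Registration: log every decision (agree or disagree) and return the messages of the
    // required consents that were not ticked, so the caller can refuse the registration.
    public IList<string> RecordRegistrationConsents(int customerId,
        IEnumerable<GdprConsent> consents, ISet<int> acceptedIds)
    {
        var customer = _customers[customerId];
        var missing = new List<string>();
        foreach (var c in consents.Where(x => x.DisplayDuringRegistration))
        {
            bool agreed = acceptedIds.Contains(c.Id);
            Add(customer, c.Id, agreed ? GdprRequestType.ConsentAgree : GdprRequestType.ConsentDisagree, c.Message);
            if (c.IsRequired && !agreed) missing.Add(c.Message);
        }
        return missing;
    }
    // Right of access: the export bundles the stored personal data with the consent history.
    public Dictionary<string, object> ExportCustomer(int customerId)
    {
        var c = _customers[customerId];
        Add(c, null, GdprRequestType.ExportData, "export requested");
        var consents = _log.Where(e => e.CustomerId == customerId && e.ConsentId != null)
                           .Select(e => $"{e.CreatedOnUtc:o} {e.RequestType}: {e.Details}").ToList();
        return new Dictionary<string, object> { ["email"] = c.Email, ["name"] = c.Name, ["consents"] = consents };
    }
    // Right to erasure: delete the record and scrub the e-mail from earlier log rows.
    public void DeleteCustomer(int customerId)
    {
        Add(_customers[customerId], null, GdprRequestType.DeleteCustomer, "permanent deletion");
        _customers.Remove(customerId);
        for (int i = 0; i < _log.Count; i++)
            if (_log[i].CustomerId == customerId) _log[i] = _log[i] with { CustomerInfo = "[erased]" };
    }
}
```

A constructed run would register a customer, call RecordRegistrationConsents with a required "privacy policy" consent left unticked to see it returned as missing, then ExportCustomer and DeleteCustomer and inspect Log to confirm every row for that customer now carries "[erased]" instead of the e-mail.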
Here is a video tutorial to show how to configure GDPR settings on your nopCommerce site:
Conclusions on GDPR for store owners
- Regardless of where you are based, GDPR applies to all companies that offer products or services to customers in Europe
- While the initial implementation can be a little overwhelming, it is all part of working towards a future that strengthens individuals' fundamental rights in the digital age