Kartris User Guide

19.7. GDPR features

GDPR, the 'General Data Protection Regulation', is a new pan-EU law that will protect the private data of citizens across the continent. It will take effect from 25 May 2018. For more information see the official GDPR home page.

It's important that businesses who deal with EU citizens' data are compliant; it does not just affect companies and organizations within the EU, but all those who process the data of, or deal with, EU citizens.

 

In Kartris v2.9012 (released 16 March 2019), we have included a number of features for compliance with the GDPR regulations, and to ease the process of delivering some of the rights under GDPR.

19.7.1. Customer account opt-in

When a customer creates an account on Kartris, we now have an extra checkbox signifying acceptance of the terms and conditions. This helps ensure that any time a record for a user is created, there is an explicit confirmation of terms and conditions.

 

This feature can be turned on or off using the config setting general.gdpr.enabled, though we would recommend it remains on whether you are EU based or not.

19.7.2. Mailing list explicit approval

The aspect of GDPR that has perhaps been given the most publicity is that users must explicitly opt in to receive marketing information. It is no longer considered acceptable to imply consent because a user places an order or creates an account on a web site.

Kartris has always employed best practice with regard to adding users to mailing lists; an email confirmation is sent which the user must respond to by clicking a link, in order to confirm their addition to the mailing list. We have never considered it an acceptable practice to add users to mailing lists other than with an explicit approval, and an email verification to ensure consent is gained from the owner of the email address for this purpose. It also ensures that email addresses cannot be added to the mailing list by third parties, either maliciously, or accidentally (e.g. a typo).

The mailing list approval emails that Kartris sends are formatted using an email template, which you can find in the templates folder of a skin (see the Kartris default skin, if your own skin lacks this). Therefore, we would recommend expanding the text within this template to explain that clicking the confirmation link will give explicit consent to add your email address to the mailing list.
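The confirm-by-link flow described above, sketched as an added example (this is not Kartris code, and Kartris's own implementation may differ). The secret, the 48-hour expiry, the token layout and the in-memory subscriber table are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-site secret held only on the server
TOKEN_TTL = 48 * 3600             # assumption: confirmation links expire after 48 hours
subscribers = {}                  # email -> "pending" | "confirmed" (stand-in for a DB table)


def _sign(email, expires):
    # Bind the signature to both the address and the expiry time.
    msg = f"{email}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def request_signup(email, now=None):
    """Record a pending signup; return the token to embed in the emailed link."""
    now = int(time.time() if now is None else now)
    email = email.strip().lower()
    subscribers.setdefault(email, "pending")  # never downgrades a confirmed address
    expires = now + TOKEN_TTL
    return f"{expires}.{_sign(email, expires)}"


def confirm_signup(email, token, now=None):
    """Mark the address confirmed only if the link token is valid and unexpired."""
    now = int(time.time() if now is None else now)
    email = email.strip().lower()
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False  # malformed token
    expected = _sign(email, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False  # token was issued for another address, or tampered with
    if now > expires or email not in subscribers:
        return False
    subscribers[email] = "confirmed"
    return True


def mailing_list():
    """Only confirmed addresses are ever mailed."""
    return sorted(e for e, s in subscribers.items() if s == "confirmed")
```

Because the token is only ever sent to the address being added, a third party who submits someone else's address cannot complete the signup.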

19.7.2.1. Mailchimp mailing lists

As well as maintaining its own internal mailing list, Kartris can also insert email addresses into Mailchimp. See 19.6. MailChimp integration for further details.

In this case, Mailchimp should handle the GDPR aspects.

19.7.3. Customer data GDPR export

EU data privacy regulations have for many years given the public the right to request a copy of all the data an organization holds on them. The organization was allowed to charge a reasonable fee for this service, typically £10 in the UK or a similar amount in Euros. The nominal fee was in most cases not enough to cover the real cost of providing the data, but was at least a deterrent to spurious and unnecessary requests.

However, the GDPR requires that organizations provide the full data held on an individual free of charge, and within 28 days. This aspect may in time be the most onerous on businesses, though at present it is not getting much attention. While there will undoubtedly be an increase in legitimate, well-intentioned requests, it's also possible that requesting data could become a practice to test or inconvenience companies that consumers may have a dispute or disagreement with. Regardless, the company is compelled to respond.

To make this process as simple as possible from Kartris, we've created a data export button on the customer edit page. If a member of the public requests data, you can extract this from Kartris by simply finding the user's record in Kartris with an email search, and then using the 'GDPR export' button.

Above: The GDPR export button that simplifies exporting private data to comply with requests

This will format a plain text file containing all data linked to that email address:

 

  • Customer data
  • Street address records
  • Details of all orders, including the items purchased in each
  • Copies of all reviews submitted by the user
  • All wishlists created by the user
  • All saved baskets created by the user
  • All support tickets created by the user, including full thread discussion

The data is formatted in a fairly raw state, with the database field name (in square brackets) followed by the value. This is to ensure that the user receives the full set of data and no fields are omitted.

The GDPR export feature can only export data held within your Kartris store. It cannot export email correspondence, accounting software records or other data you may hold on the individual.

While it may not provide a complete solution to GDPR requests, it will significantly reduce the work required. What would previously have required direct database access and perhaps an hour or so of work, can be accomplished with a single button click.

 