Note: Avoid at all times storing this data in other custom locations, or you will be responsible for keeping track of PII data that could be susceptible to GDPR compliance.
Any page requesting input of PII data should be using HTTPS protocol, TLS 1.2 or later.
You should by default enable double opt-in informing the end user of their rights and asking for consent. An example of double opt-in is available in the Episerver Commerce reference site Quicksilver.
On-premise installations require encryption of your database instance TDE and encryption at rest.
In Episerver DXC, TDE is enabled by default.
You should inform the end user about how the user data is used and to what purpose.
You should be able to fetch most types of data by querying the Commerce database. A request to the Managed Services team for fetching data about a user can be made in cases where you cannot fetch the data yourself.
You should be able to delete most types of data by querying the Episerver Commerce database. A request to the Managed Services team for deleting data can be made in cases where you cannot delete the data yourself.
Last updated: Jun 19, 2018