Is your eCommerce GDPR Compliant?


Recently, Europe got itself covered by the world’s strongest data protection rules under the General Data Protection Regulation (GDPR), which came into force on May 25, 2018. The regulation is designed to modernize the laws that protect the personal information of individuals. Any company, even one outside the European Union (EU), that collects and processes data belonging to EU citizens has to comply with the GDPR. This includes any company that operates in the EU and any website or app that collects and processes EU citizens’ data. In short, this regulation reshapes how eCommerce business is done in Europe, influencing how you engage with your customers, the tools you use, and how you use customer information. Of course, GDPR applies not only to website owners: compliance also extends to all the other online tools used in day-to-day business (Google, Facebook, MailChimp etc., to name a few), and all such online applications must comply with GDPR as well.

Companies covered by the GDPR are accountable for their handling of people’s personal information.

The differentiators and consequences

Note that GDPR doesn’t treat small eCommerce owners the same way it treats large businesses. For example, companies with more than 250 employees are required to maintain documentation covering various aspects of data collection: why people’s information is being collected and processed, descriptions of the information that is held, how long it will be kept for, and descriptions of the technical security measures in place.

Also, larger companies need to appoint a Data Protection Officer whose first responsibility is to report data breaches and misconduct. Online businesses need a stringent procedure to follow in case of a data breach, and must report it within 72 hours.

Increased fines for non-compliance, breaches and misuse

All customer data must be stored securely by eCommerce companies. If a company is found non-compliant with these regulations, or is responsible for a breach that compromises an EU citizen’s data, it faces hefty fines of up to €20 million or 4% of the enterprise’s worldwide annual revenue, whichever is larger! With fines high enough to put a company out of business, it’s simply not worth the risk.

Large entities will have the resources to commit to becoming fully compliant. However, businesses that rely on third-party servers or custom-built software will need to hire a team to audit and test their security for weaknesses, and to put in place processes that protect the data from input to deletion.

What does GDPR mean for eCommerce?

Clear and Transparent Consent

The biggest change for most organisations on the front-end side is addressing the tightened regulations around explicit consent for data collection. According to GDPR, you as a service provider are not allowed to assume what your customers or users want from you. This empowers everyone in Europe to control exactly how their data is being, or can be, used.

Under the new rights of the Data Subject (anyone providing identifying personal data, i.e. customers, employees or users), individuals must actively opt into marketing activities. This effectively eliminates blanket or bundled consent, consent by default, consent below the fold, consent as a condition of sale, service or general Ts & Cs, and even pre-ticked checkboxes, complex legalese and confusing double negatives.

For example, GDPR says, “Silence, pre-ticked boxes or inactivity should not constitute consent.” That means you should avoid stuff like this:

What are we doing with our cookies?

The Data Subject’s right to consent also applies to cookies. Cookies qualify as personal data, so in order to be compliant, websites must obtain individual consent for cookies too. According to GDPR, individuals must give a specific statement of consent via a “clear affirmative action”, and the language used must be concise, transparent and intelligible. It should let the Data Subject know what they are consenting to, to whom they are consenting (including any third parties, if applicable), for what purpose and, importantly, for how long the data is stored. Hence marketers must now specifically list the third parties that may have access to the data.

The best practice is to let customers manually opt in instead of requiring web visitors to opt out of data collection. This means that websites will no longer be able to pre-populate consent forms. The idea is that consumers will be more conscious of what they’re agreeing to, as they will have to check a box and agree with two clicks instead of just one.

The right to be forgotten

Another important change under the GDPR is the right to erasure, or ‘to be forgotten’. Under this right, individuals should be able to easily withdraw their consent for data processing if there is “no overriding legitimate interest” for the Data Controller to hold it. They also have the right to have the data erased once the purpose for which it was originally collected has been fulfilled. It must also be easy for customers not only to edit the data they provided, but to delete their account and information entirely from a system if they wish.

Data cannot be kept for an indefinite period. According to GDPR, organizations are required to completely erase data from all repositories when:

  • Data subjects revoke their consent
  • A partner organization requests data deletion, or
  • A service or agreement comes to an end

You can offer account deletion to customers with no transaction history; however, having a record of a transaction would arguably count as an overriding legitimate interest for hanging on to their data. So your primary concern should be how to delete customers who have accounts but no transaction history.

It is worth noting, however, that Data Subjects do not enjoy an unconditional right to have their data erased. Where there are legal reasons — specified in the regulation — there are exceptions under which an organization can retain and process a subject’s data.
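The erasure decision described above (withdraw consent, erase accounts without transaction history, retain transaction records as an overriding legitimate interest, and log the outcome) as an added example; this is not code from the original post, and the account, order and marketing stores are a constructed, hypothetical data model.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed sample repositories (hypothetical data model, not a real shop):
# account database, order history and the marketing consent list.
ACCOUNTS = {
    "c-1001": {"name": "Alice", "email": "alice@example.com"},  # no orders
    "c-1002": {"name": "Bob", "email": "bob@example.com"},      # has an order
}
ORDERS = {"c-1002": [{"order_id": "o-77", "total_eur": 42.00}]}
MARKETING_LIST = {"c-1001", "c-1002"}
ERASURE_LOG = []  # one entry per decision, for the data register / audit trail


@dataclass
class ErasureOutcome:
    customer_id: str
    erased_from: list   # repositories the subject's data was removed from
    retained: list      # repositories kept under an overriding legitimate interest
    reason: str


def handle_erasure_request(customer_id: str) -> ErasureOutcome:
    """Process a data subject's withdrawal of consent / erasure request.

    Marketing consent is always withdrawn. The account itself is erased only
    when there is no transaction history; an existing transaction record is
    treated as an overriding legitimate interest and retained, which is logged.
    """
    erased, retained = [], []
    if customer_id not in ACCOUNTS:
        reason = "unknown customer: nothing to erase"
    else:
        if customer_id in MARKETING_LIST:
            MARKETING_LIST.discard(customer_id)
            erased.append("marketing_list")
        if ORDERS.get(customer_id):
            retained += ["accounts", "orders"]
            reason = "transaction history retained: overriding legitimate interest"
        else:
            del ACCOUNTS[customer_id]
            erased.append("accounts")
            reason = "consent withdrawn, no transaction history: account erased"
    outcome = ErasureOutcome(customer_id, erased, retained, reason)
    # Record when the decision was made and what it was, for the data register.
    ERASURE_LOG.append({"when": datetime.now(timezone.utc).isoformat(), **asdict(outcome)})
    return outcome
```

The same function serves the other erasure triggers listed above (a partner organization’s deletion request or the end of an agreement); only the caller and the logged reason differ.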

What do we need to do right now?

  • Review your processes: Sit down with your own lawyer and appointed Data Protection Officer and audit your website.
  • Create a data register for clear documentation: Make a list of all instances where data is being collected or referenced. If you are asking customers to consent to data collection, record why and how you are asking for it. If you are using non-essential cookies, record what their end use is. When asking for consent, ensure the request is written in a clear and intelligible way.
  • Begin with critical data and procedures: Work through the list looking at how each instance can be made compliant, in line with the backend process changes being made.
  • Assess and document additional risks and processes: Investigate any other risks to data not included in previous assessments.
  • Revise and repeat: Repeat the steps again and adjust the findings where it seems necessary.

Conclusions on GDPR Compliance for Store Owners

So what does all that mean for GDPR and your online store? Here is the conclusion:

GDPR affects businesses that interact with consumers in Europe — or that might interact with Europeans — irrespective of the company’s location. Compliance is a bit simpler for small companies, which means GDPR compliance is different for your eCommerce business than it is for a massive company.

You can help your store with GDPR compliance by making sure your terms and conditions are clear, removing pre-ticked boxes, and generally respecting the privacy of your customers and potential customers. The marketing tools and channels that you use in your online store will need to be GDPR compliant too; keep an eye on this and contact the providers directly if you have questions.

The main point is that your eCommerce business can take advantage of GDPR, as data privacy is a huge deal in Europe. So if you take appropriate steps toward GDPR compliance for your firm, you can let all your European shoppers know about it.

This guide is for informational purposes only. By providing this guide, we are not acting as your lawyer or providing legal advice, and we are not responsible for how you use it. If you want to know about the GDPR in detail, you can find all the information in the actual text of the General Data Protection Regulation.
