GDPR: what it is and what it means for e-commerce businesses


Everyone is talking about it: The EU’s General Data Protection Regulation (GDPR) comes into effect 25 May 2018.

But what does this mean for e-commerce businesses?


What is GDPR?

GDPR is short for General Data Protection Regulation. Adopted in April 2016, GDPR creates rules for how all European residents’ data must be managed.

There are two main factors behind the introduction of GDPR.


  1. Protection against the use of personal data by big organisations

The biggest one is the EU’s desire to bring data protection law in line with how people’s data is actually being used.

Basically, the internet and the cloud allowed organisations to invent numerous methods to use (and abuse) people’s data, and GDPR aims to rectify this. A good example is the recent Cambridge Analytica scandal.


  2. Standardize data protection legislation across EU territory

The second driver is the EU’s desire to give organisations more clarity over the legal environment that dictates how they can behave. By making data protection law identical throughout member states, the EU believes this will collectively save companies €2.3 billion annually.


Who does the GDPR apply to?

GDPR distinguishes three profiles when it comes to handling data:

The Data Subject: The customer, user, employee – anyone providing identifying personal data.

The Data Controller: The business offering services or goods. It decides how and why personal data is used and is responsible for the safe storage and use of that data.

The Data Processor: Any third-party supplier that handles data on the controller’s behalf, such as Shopify, ERP systems, MailChimp or UPS, and any internal team employed to do similar work, such as an internal accounts team.


What will this law change?

Image source: IT Governance

In its most simple terms, the GDPR empowers the consumer to be the all-encompassing owner of their data.


Specifically, it gives individuals in the EU the right to review, adjust, erase, and restrict the processing of their data. These requests must be facilitated online by the controller (aka the e-commerce company) and answered no later than one month after the initial request.


In addition to this, organizations are required to ask other organizations, such as Google, to delete any copies of personal data that were made public. To help tackle this, Google has already set up a process to speed things up for businesses.


How will this affect e-commerce businesses?

Data protection and storage requirements will become stricter. The GDPR applies to all databases, marketing, sales, HR and accounting: any way data is stored or processed will fall under the new regulation.


E-commerce for GDPR: the 3 essential parts

The essence of the GDPR concerns the following three areas:

The 3 essential parts of the GDPR: consent, data protection, and deletion and correction
Source: Omnisend

Get consent: the user must agree to be included in your marketing campaigns

Provide adequate protection: you must protect the user’s personal data adequately

Delete, correct, or restrict when asked: if the user requests you delete, correct, or restrict the personal data you have, you must comply quickly



To better protect consumers from having their data mishandled, various measures will come into place.


Sensitive Data: Data such as race, health, sexual orientation, religion, and political beliefs must be protected with additional safeguards.

Data Protection by Design: When working with third parties (i.e., processors), make sure that their product has the appropriate safeguards, like pseudonymisation. See Article 25 for more information.

Data Protection Officer: If your organization collects data on a large scale or deals with sensitive data, you need to appoint a data protection officer that has expert knowledge of data protection law. See Articles 37–39 for more information.

Data Breaches: You will need to inform affected customers within 72 hours of a serious data breach.

Lead Supervisory Authority: If your organization has offices in multiple countries, there needs to be a lead supervisory authority as the central point of enforcement.

Record Maintenance: Records must be kept of all processing activity.

Data Transfer Outside EU: Additional arrangements must be made when transferring data outside of the EU.


What happens to those who do not comply?

With fines of up to €20 million, or 4% of annual revenue, SMEs simply can’t afford to make mistakes. Data must be stored securely. Businesses are responsible for how and where their data is stored, and for e-commerce companies using third-party software partners this may mean multiple locations. Encryption is a must, and strict rules must be in place for data access.




GDPR takes effect on 25 May 2018 and will impact the handling of data pertaining to everything from medical history to financial records to internet activity. Read the full regulation here.