Being an online retailer, you must have heard about GDPR (EU’s General Data Protection Regulation) which may affect your business and the way you interact with the customers.
In this blog, we will explain GDPR and the reasons why global merchants should pay attention to it even if they are not situated in Europe, but only selling products to European citizens.
What is GDPR?
In 2016, The European Union passed the GDPR — a regulation which will heavily examine and potentially penalize websites for the ways they collect the information of European citizens. The law will become enforceable from 25th May 2018 and affect the handling of data ranging from financial records to medical history to other online activities.
The law holds equal rights to all forms of customer data: social media posts, bank details, IP addresses, photos, and any identifying numbers (SSNs or NI, for example). Every customer information regardless strictly needs to be stored securely and used only with the user’s permission.
Who does GDPR apply to?
General Data Protection Regulation applies to all businesses that offer products or services to customers based in Europe. Regardless of where you are based, if your products or services are provided to European citizens, you need to follow the regulation.
hbspt.cta.load(2112879, ‘83913608-6281-4ef1-98ca-b0351df7276e’, {});
The law also applies to companies that process data on behalf of a data controller such as cloud service providers. Besides, popular platforms Google, Facebook, Shopify, and MailChimp must comply with GDPR.
How GDPR will affect different industries
The GDPR is the most strict data privacy law which is bound to impact your business if you deal with individuals from European countries. As an online retailer or merchant, you need to think about how and why you are collecting user data for marketing or other purposes.
In the simple terms, the new law empowers the customers to be the all-encompassing owner of their information. Especially, it provides European citizens with the power to analyze, adjust, delete, and limit the processing of their data. Here, you also need to consider cookies at the moment. Most sites take the approach of giving the traditional close message ‘we use cookies’ to the users, and the cookie is already placed on the website as soon as a user enters.
When the GDPR comes into effect in May, the change will mean that every website visitor will need to clearly see an ‘I ACCEPT’ button. And once the visitor clicks on it, then the cookie can be placed on his/her browser. However, website visitors must give opt-in permission for their information to be collected and used in any way.
From opt-out consent to opt-in
From 25th May 2018, the websites will no longer be able to pre-populate cookies related consent forms. Instead of clicking on “Accept” button, web visitors will have to check a box and click on Agree button. Within this consent, websites need to clearly mention which parties are collecting user data. Besides, sites will not be able to use pre-ticked boxes which users have to spot and uncheck to protect their personal data.
What will happen if you fail to comply with GDPR?
When the GDPR comes into effect in May, Supervisory authorities will have the power to fine companies €20 million or 4% of their annual turnover – a considerable amount. But it may take a serious violation of the GDPR for a penalty close to this figure. And, the ICO (the information commissioner’s office in the UK) reassure that penalties will be the last resort. So, it is highly advisable for all the non-compliant companies to take serious steps to become compliant which will include updating their security processes.
How will GDPR impact e-commerce?
Even if your business is settled in the United States, Canada, China, or any other country, but you’re managing the data of a European resident, GDPR applies to your e-commerce business. Moreover, GDPR is not limited to a specific size of business; even small companies or startups must comply with the terms.
Since process, storing, and transferring customer data is central to the eCommerce transactions, so any online store selling to European citizens needs to take significant steps to ensure they are complying with GDPR.
What should e-commerce owners do for GDPR Compliance?
GDPR should not be a reason for headaches because it’s a great opportunity. Data protection and privacy is a big deal in European countries. If you are GDPR compliant, European customers will definitely prefer you than any other retailer.
Here are a few considerations that must be taken into account by online retailers or eCommerce owners:
Review your processes and make a plan
Without understanding the current practices of your business, it will be impracticable to make notable changes to comply with the GDPR. If you collect any customer data, you must ensure that it is secure. Even if you work with third parties, you need to be assured that the information you collect is protected against external threats and mishandling. Before making any remarkable change, prepare a plan on how to manage personal data requests.
Develop an easy process for your customers to communicate
The European Council has already made it easy for customers to issue complaints against non-compliant websites. So, you need to develop simple systems for users to request and communicate with you about their essential data. Moreover, your customers must be able to request a copy of their data or removal without any complication. The consent includes providing your web visitors with a comprehensive view of what they agree to while submitting their data.
Provide clear documentation of your data activity
When the GDPR comes into effect in May, you will need to inform your users exactly what is happening with their personal information which includes who is receiving it and how it’s stored. You must write a clear document about your data collection process and add it to your privacy policy. Make sure that all points of tracking, tagging, and cookie drops are explicitly specified in your privacy policy.
Understand how do you deal with a data breach
According to General Data Protection Regulation, it’s required in specific situations to identify and report a “supervisory authority” within 72 hours of data violation. Furthermore, companies need to notify the customer after becoming aware of a breach in certain situations. Being able to discover and report a breach immediately is a big leap for many businesses dealing with European countries. However, you need to take this as a responsibility to discuss your security teams about your company’s capability of detecting and working through a data breach.
Redesign consent forms
No more pre-checked boxes; make sure to deactivate all opt-ins.
Your website visitors must give their approval when it comes to storing or processing their data, and they must be able to withdraw any time. Whether you ask individuals for personal information to fulfil the order, for third parties (e.g. cookies), or for marketing purposes – you must put a separate checkbox for each request and explain it with simple language (see the image below).
Besides, you must state all third parties who will use their data. You cannot even make “select all” or pre-ticked checkboxes. Every individual must understand the requests for approval and agree to them.

Assure the customer on the legitimacy of collected data
With General Data Protection Regulation, you can’t ask consumers to provide the personal information which is not relevant to a product offered in your online store. Ask and collect user data only when it is essential to give your offer.
In case of an investigation, you will need to prove that this personal information is necessary. Moreover, don’t forget to check your existing databases.
If you keep any non-obligatory personal details, you will need to delete it. Besides, a pop-up or section where the customer is asked to create an account for 10% off or data collection points; all these fields have to mention explicitly what their information will be used for.
Make sure to have an SSL Certificate
In order to meet Webmaster Guidelines provided by Google, online stores should have full HTTPS coverage over the whole website including the checkout page. Now, this guideline also falls under the GDPR regulation since sites which use HTTPS process customer data over an encrypted connection. Hence, your whole eCommerce website must have an SSL certificate in order to comply with General Data Protection Regulation.
Appoint a Data Protection Officer and Consult a Lawyer
A Data Protection Officer may help you assure that your business best complies with the GDPR. It’s also recommended to consult a lawyer who has expertise in this area. You may have missed some important points in the online resources which are left unclear. Discussing with a specialist is the only way to assure that you’re fully prepared.
The process of complying with GDPR can be costly and time-consuming, depending on your existing procedures and infrastructure. Nevertheless, you must clarify all the steps you need to take before spending your valuable money.
All these tips mentioned above are just the start of working towards GDPR compliance in your business, but they will provide you with a great base to start with. Once you have implemented proper solutions to meet the GDPR requirements, you need to start working on the procedures to respond quickly and protect your customer’s rights. If you are transparent and following best practices, you won’t have to face the massive penalties that come with GDPR.
Conclusion
The GDPR is the most comprehensive update in data privacy regulation in last 20 years which is giving business owners a run for their money. But, it’s all for the better future. While these initial implementations and procedures are expensive, it’s all part of working for the future which is better prepared to deal with data protection.
hbspt.cta.load(2112879, ‘b614ee47-2b2c-4214-a285-adb49960ec32’, {});