How to build a modern e-commerce platform - the key questions to start with

Remember about GDPR

The arrival of the General Data Protection Regulation in Europe complicated matters, and not only for Europe-based sellers. E-commerce stores cannot afford to ignore this law, since non-compliance can result in massive fines.

What is the aim of GDPR?

The general premise of GDPR was to protect the personal data of European citizens better than before. Although the goal is noble, e-commerce stores might find it difficult to comply. During the first year after GDPR started being enforced, there were about 145,000 queries and complaints, as well as nearly 90,000 notifications of data breaches.

GDPR must be observed by all businesses operating in the European Union, even if they are based outside it. Failure to live up to the obligations of the regulation might result in hefty fines that have already become legendary. And the reason isn’t always that easy to understand. For example, a Polish insurer was punished for sending an e-mail containing personal data to the wrong person, even though it was the client who had provided an incorrect address.

How to check if an e-store is compliant with GDPR?

A simple way to perform the check is to browse the e-commerce website and stop for a moment each time you’re asked for any data (e.g. name, e-mail, or phone number).

  • Is it clear what kind of data is being collected and what it is going to be used for?
  • Is this data really needed for the process to succeed?
  • Is it possible to modify or delete the data? Is there any information on how to do that?
  • Is there a privacy policy available on the website? Is the customer clearly informed about their rights regarding data protection?

The answers to these questions should help you determine the state of GDPR compliance in your e-store.

Main principles of GDPR

  • Lawfulness, fairness, and transparency. The details of data processing must be visible to the user and accessible to them at any time.
  • Purpose limitation. If you claim you collect data for e-mail newsletters, you cannot use it for any other purpose, even if it is only for some sort of statistics.
  • Data minimization. Collect data only for the necessary purposes. Do not gather more data than is actually needed.
  • Accuracy. Make sure processed information is up to date. If some detail is inaccurate, or the user has withdrawn consent to the processing of their data, it should be immediately deleted from all databases.
  • Storage limitation. You can only store data for as long as necessary, and not a day longer. If the user signed up for a survey and consented to having their data processed for up to 5 years, it is reasonable to expect that after this deadline it will no longer be stored by your entity.
  • Integrity, confidentiality, security. You are responsible for the data you store. If you do not have adequate security measures in place, you might receive a fine for failing to take proper care of the processed information.
  • Accountability. Keep clear records of the steps you took in order to be compliant with GDPR, e.g. reviewing and removing old records or hiring a data protection specialist. In case of a data breach, you need to inform the appropriate authorities and customers. That should be followed by transparent information on the next steps and on where customers can send their questions.

How to make sure that you have the consent to process the data?

It’s actually pretty straightforward. Don’t use pre-ticked boxes or pre-selected choices. The user has to voluntarily and consciously choose to share their data with you. Even if they signed up for the newsletter, they still have to confirm that they want to receive it.

Of course, this makes sense, as someone else could sign them up to spam their inbox. But as you have probably noticed by now, many of the data protection measures might increase the rate of customer disinterest: large pop-ups about data processing that must be closed before any further action, extra steps to confirm everything, and so on. In a fast-paced world this might discourage users from shopping in your e-store. That’s why, although GDPR compliance is a necessity, you should also think carefully about how to implement it without degrading the user experience.
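The principles above (purpose limitation, storage limitation, accountability) and the consent rules in this section translate into concrete checks in the store's back end. The following is an added illustration, not code from the e-book or from any real platform: a small in-memory consent ledger that refuses a consent that was not actively ticked by the user, requires a double opt-in confirmation before any processing, only allows processing for a purpose that was declared and consented to, expires consent at the end of its retention period, and keeps an audit trail of every decision. The purpose names, retention periods and customer ids are constructed for the example.

```python
"""Consent ledger enforcing GDPR consent, purpose and storage limits (added example)."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Purposes the store declares in its privacy notice (constructed for this example).
# Anything not listed here is refused: that is purpose limitation.
DECLARED_PURPOSES = {"order_fulfilment", "newsletter", "survey"}


@dataclass
class Consent:
    purpose: str
    granted_at: datetime
    retention: timedelta                    # storage limitation window
    confirmed: bool = False                 # becomes True only after double opt-in
    withdrawn_at: Optional[datetime] = None

    def expires_at(self) -> datetime:
        return self.granted_at + self.retention


class ConsentLedger:
    """Stores one consent per (customer, purpose) and decides whether processing is allowed."""

    def __init__(self) -> None:
        self._consents: dict[tuple[str, str], Consent] = {}
        self._pending: dict[str, tuple[str, str]] = {}   # confirmation token -> consent key
        self.audit_log: list[str] = []                    # accountability record

    def _log(self, event: str) -> None:
        self.audit_log.append(event)

    def request_consent(self, customer_id: str, purpose: str, ticked_by_user: bool,
                        now: datetime, retention_days: int) -> Optional[str]:
        """Record a consent request; return a confirmation token or None if it is invalid."""
        if purpose not in DECLARED_PURPOSES:
            self._log(f"refused customer={customer_id} purpose={purpose} reason=undeclared_purpose")
            return None
        if not ticked_by_user:
            # A pre-ticked or pre-selected box is not a voluntary choice, so it is not consent.
            self._log(f"refused customer={customer_id} purpose={purpose} reason=not_ticked_by_user")
            return None
        key = (customer_id, purpose)
        self._consents[key] = Consent(purpose, now, timedelta(days=retention_days))
        token = secrets.token_urlsafe(16)   # sent to the user, e.g. in a confirmation e-mail
        self._pending[token] = key
        self._log(f"requested customer={customer_id} purpose={purpose} retention_days={retention_days}")
        return token

    def confirm(self, token: str) -> bool:
        """Double opt-in: the user proves they own the address by presenting the token."""
        key = self._pending.pop(token, None)
        if key is None or key not in self._consents:
            self._log("confirm failed reason=unknown_token")
            return False
        self._consents[key].confirmed = True
        self._log(f"confirmed customer={key[0]} purpose={key[1]}")
        return True

    def withdraw(self, customer_id: str, purpose: str, now: datetime) -> None:
        consent = self._consents.get((customer_id, purpose))
        if consent is not None and consent.withdrawn_at is None:
            consent.withdrawn_at = now
            self._log(f"withdrawn customer={customer_id} purpose={purpose}")

    def may_process(self, customer_id: str, purpose: str, now: datetime) -> bool:
        """True only for a declared purpose with confirmed, unwithdrawn, unexpired consent."""
        consent = self._consents.get((customer_id, purpose))
        allowed = (consent is not None and consent.confirmed
                   and consent.withdrawn_at is None and now < consent.expires_at())
        self._log(f"decision customer={customer_id} purpose={purpose} allowed={allowed}")
        return allowed

    def purge(self, now: datetime) -> list[tuple[str, str]]:
        """Delete records whose retention period has ended or whose consent was withdrawn."""
        gone = [key for key, c in self._consents.items()
                if c.withdrawn_at is not None or now >= c.expires_at()]
        for key in gone:
            del self._consents[key]
            self._log(f"purged customer={key[0]} purpose={key[1]}")
        # Drop confirmation tokens that can no longer be redeemed.
        self._pending = {t: k for t, k in self._pending.items() if k in self._consents}
        return gone


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    token = ledger.request_consent("cust-42", "newsletter", ticked_by_user=True, now=t0, retention_days=30)
    ledger.confirm(token)
    print(ledger.may_process("cust-42", "newsletter", t0))                      # True
    print(ledger.may_process("cust-42", "newsletter", t0 + timedelta(days=31)))  # False: expired
    print("\n".join(ledger.audit_log))
```

Run as a script it walks one customer through request, confirmation, a permitted send and an expired one, then prints the audit trail. The decisions are pure functions of the stored record and the current time, which keeps the retention purge and the per-request check in agreement; in a real store the ledger would be a database table and the token would be delivered out of band, but the rules it enforces are the ones listed above.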