GDPR for eCommerce stores – What you need to do to comply

The GDPR, General Data Protection Regulations, are a set of laws that took effect on the 25th of May 2018 in the European Union.

GDPR changed how companies handle data and were a result of a number of data breaches and examples of companies mishandling personal data.

Like most laws, the intent behind it is good.

To provide robust protections for personal data collected and held by businesses.

Also like most laws, the reality isn’t so good.

If you get frustrated at having to agree to cookies on websites you visit, blame GDPR!

GDPR is confusing, burdensome and is almost as unpopular with the citizens it’s designed to protect as it is with businesses trying to comply.

If you’re planning to set up a new business in the European Union or will be working with clients or end customers in the EU, you need to know about GDPR.

That’s what this post is all about.

We’re going to cover the basics of GDPR, including:

• What GDPR is
• How GDPR works
• Why GDPR exists
• What you need to do to comply with GDPR

Don’t worry, we’ll keep it light and cover only the key points you need to know!

GDPR, the law, us and you

Let’s be clear from the outset, we’re not lawyers. We are WordPress experts and eCommerce enthusiasts who want to help you do more with your website.

The full GDPR legislation is 261 pages long. There’s no way we could cover even a percentage of that here.

This post doesn’t constitute legal advice in any way, shape or form. This is an overview for store owners, website owners and agencies who build websites and online stores for others.

Use this post for guidance only. Don’t base business decisions on what you read here, that’s what lawyers are for.

Now that’s out of the way, let’s get into the topic at hand!

What is GDPR and what is it intended to achieve?

GDPR is a set of regulations active across the EU that replaced out of date privacy laws from each country.

Existing laws had failed to keep up with technology and protect citizens and needed to be changed completely.

That’s where GDPR comes in.

At the time of writing, GDPR is the most stringent set of data protection rules in the world. It places more power in the hands of individuals and less in the hands of organizations.

GDPR has 7 governing principles:

1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability

Let’s take a quick look at each as they provide a better understanding of the law’s purpose.

Data for image:

Lawfulness, fairness and transparency

Organizations must be fair and transparent with the data they collect and remain within the spirit of GDPR.

Purpose limitation

You must only collect data necessary for a specific purpose, tell the visitor what that purpose is.

Data minimization

Collect the least amount of data possible to achieve its purpose. Keep it relevant and to an absolute minimum.

Accuracy

Take reasonable steps to ensure all data is as accurate as possible and users can delete or correct it.

Storage limitation

You must not keep the data longer than required to achieve its goal. How long depends on the purpose.

Integrity and confidentiality

You must take all reasonable measures to protect data at rest, in transit and while being processed.

Accountability

You must comply with all relevant aspects of GDPR and be accountable for all areas of data protection.

Lawfulness, fairness and transparency

Organizations must be fair and transparent with the data they collect, be transparent with why they need it and what they do with it. You must also remain within the spirit of the law.

Purpose limitation

Purpose limitation means only collecting personal data for a specific purpose. You must clearly state what that purpose is and only retain the data until that purpose is satisfied.

Data minimization

Data minimization means collecting the least data possible to achieve the stated goal.

Accuracy

Accuracy means “every reasonable step must be taken” to ensure the data held is accurate. It also requires that users must be able to delete or correct that data within 30 days of making a request.

Storage limitation

Storage limitation means not keeping the data longer than is necessary. This differs depending on the industry, the purpose of the data and a number of other considerations.

Integrity and confidentiality

Integrity and confidentiality means keeping the data safe from unauthorized access.

Data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures”.

Accountability

Accountability rounds up the preceding 6 points and means organizations must demonstrate they comply with all rules within GDPR.

What data is covered by GDPR?

So that’s what GDPR is intended to achieve. Now let’s look at what data it concerns itself with.

You are subject to GDPR if your website or store:

• Operates within the EU
• Accesses, uses or stores data on EU citizens
• Has more than 250 employees
• Has fewer than 250 employees, but data-processing impacts the rights and freedoms of EU citizens

For example, if you run a website based in the US or any country that welcomes EU visitors, you need to be aware of GDPR regulations.

If you run an online store within the EU, you definitely need to be aware of GDPR regulations!

GDPR legislation covers:

• Identity data: Names, addresses, email addresses, phone numbers or other identity information
• Web data: Location, IP address and cookie data
• Private information: Health records, racial or ethnic identification, data on religious beliefs, political opinions and sexual orientation
• Images: Images of an individual, their family or home

Basically, if your website or eCommerce store does business within the EU or has EU users or customers, it’s safe to assume GDPR applies to you.

The Importance of GDPR for eCommerce websites

If you’re thinking that GDPR isn’t worth the hassle and offering services to EU citizens is too much like hard work, think again.

The EU is the world’s third largest economy after the US and China. It is estimated to be worth $16 trillion and has almost half a billion people.

Almost 80% of the population has internet access, which is why so many companies want to do business there.

How does GDPR impact non-EU stores?

Even if you’re not based in the European Union, you may still need to know GDPR law and how to comply.

Is GDPR relevant if my store isn’t in the EU?

Yes, GDPR can still be relevant even if your store isn’t in the EU. The principle of GDPR is to protect the data of EU citizens.

Article 3 of GDPR sums it up nicely:

“This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”

If your business, eCommerce or otherwise, offers goods or services to EU citizens, you’ll need to comply with GDPR.

GDPR requirements for eCommerce

Rather than spend pages and pages outlining what the law says and what it means, we think you would get much more benefit out of a shorter, more direct approach.

We’re going to list the GDPR requirements for eCommerce and share examples of how to comply.

The requirements include:

1. Maintain a list of all data you store and the sources
2. Maintain records on where you store the data and how it is accessed
3. Have an accessible privacy policy
4. Cover data processing in your terms and conditions
5. Keep data within the EU or compliant countries
6. Make someone responsible for that data
7. Secure your database and data
8. Have a data breach notification process
9. Third party contracts need to include GDPR elements
10. Customers must be informed of what they are consenting to
11. Customers must be able to withdraw consent
12. Customers must be able to view what data you hold
13. Customers must be able to correct data
14. Customers must be able to restrict or reject data processing
15. Inform customers of any updates to your privacy policy or terms and conditions
16. Regularly review store security

Don’t worry too much about how much is here. Most of the requirements will already be part of running an online store anyway.

Simple GDPR checklist for eCommerce stores

We appreciate we covered a lot of ground very quickly so have put together this quick checklist to help you comply.

GDPR checklist for eCommerce stores Maintain a list of all data you store and the sources Maintain records on where you store the data and how it is accessed Have an accessible privacy policy Cover data processing in your terms and conditions Keep data in the EU or transfer to compliant countries Assign someone responsible for data Secure your database and data Have a data breach notification process Third party contracts need to include GDPR elements Customers must be informed of what they are consenting to Customers must be able to withdraw consent Customers must be able to view what data you hold Customers must be able to correct data Customers must be able to restrict or reject data processing Inform customers of any updates to your privacy policy or terms and conditions Regularly review store security

Print this checklist or keep it in mind when setting up your store or checking for compliance.

You could also share it with customers to show them how seriously you take your obligations.

If in doubt, check with your lawyer to verify compliance, just in case.

1. Maintain a list of all data you store and the sources

You must maintain an up-to-date list of all personal data you store and where you get it from. You also need to include who you share it with and how it will be used.

For example, you’ll probably collect customer names and addresses to deliver products. If you use tracking cookies or other tracking like Facebook Pixel, you’ll need to mention that too.

You may need to share that data with shipping companies and payment gateways to help run your store. Those are legitimate uses but still need to be mentioned.

2. Maintain records on where you store the data and how it is accessed

You’ll need to record where you store personal data and how you access it. If you store it offsite, you’ll also need to document how you’ll transport the data.

For example, most WooCommerce stores will use the WordPress database to store customer data and access it from the dashboard.

If you use SureCart, customer data will be stored on our secure servers and should be transported via an encrypted HTTPS link or VPN.

3. Have an accessible privacy policy

Most online stores will already have a privacy policy, but to comply with GDPR, you’ll need a little more.

It should explain what data you collect, why and how you handle that data. You’ll also need to explain who you share that data with and why and the measures you’re taking to secure the data.

Here’s an outline of a compliant privacy policy plus a template you can use.

4. Cover data processing in your terms and conditions

There needs to be specific mention of data processing in your terms and conditions. It needs to cover why and how you process data and your justification for it.

For eCommerce stores, you typically need to store customer data for order processing, dispatch and customer service purposes. All of which are legitimate uses.

Termly has an intuitive wizard to help you create an EU-compliant terms and conditions page.

5. Keep data in the EU or EU Commission approved countries

One key requirement of GDPR is to keep any data on EU citizens within the EU or EU commission approved countries with adequate data protection.

In 2021, the US and EU agreed upon new standards for US-EU data flows. These new standards were officially approved by the European Commission in 2023, allowing data flows between the US and EU.

If you use SureCart, this means that the European Commission approves of how we store data, eliminating any GDPR-compliance concerns.

6. Assign someone responsible for data

Larger organizations need a formal Data Protection Officer but smaller organizations don’t. The average eCommerce store owner won’t need to hire someone specific to manage data.

You’ll need to be responsible for informing staff of GDPR and compliant data handling, controlling what data is stored and where and making sure it’s all secure.

Just add the responsibility to the list of the many hats you already wear!

7. Secure your database and data

A key component of GDPR is to keep data secure. That means encrypting data wherever possible, using barrier security measures such as firewalls, antivirus and malware scanners and using a secure web host.

MalCare is a comprehensive WordPress security plugin that includes a malware scanner and removal tool, all while its firewall blocks attacks from hackers and bots.

If you can encrypt your database, it secures your store as well as customer data. If you store data offsite, make sure to use a VPN or secure transport like SFTP or SSH.

If you use SureCart, data is stored in secure offsite servers and transported using an API validated by a unique key.

8. Have a data breach notification process

The GDPR is explicit in requiring you notify data protection authorities and anyone affected by a data breach within 72 hours.

You’ll need to mention the type and amount of data lost, an assessment of potential impact and steps you have taken to minimize further loss.

You’ll find the relevant data protection authorities for different EU countries here.

9. Third party contracts need to include GDPR

Third party agreements or contracts must explicitly mention GDPR and data processing.

If you work with third parties like payment gateways, shipping companies or dropshippers, you’ll need to make sure data processing is included within the agreement.

Ideally, you’ll work with GDPR-compliant third parties. If you don’t, you’ll need to mention what data is shared, why and how long it will be kept.

Stripe already has GDPR built into its data processing agreement. Many other organizations will have the same.

10. Customers must be informed of what they are consenting to

Customer consent must be freely given, specific, and informed. That means outlining what data you collect, why and how it is used and stored.

Your terms and conditions and privacy policy must also be in plain English so it can be universally understood and linked somewhere obvious, usually in your page footer.

There must also be an opt-in mechanism. Pre-checked boxes where a user must manually uncheck are not allowed.

Neither are terms like ‘if you continue using this store, we’ll assume you’re okay with us storing your data’. Silence does not equal consent in EU law.

11. Customers must be able to withdraw consent

A customer must always have the option to withdraw consent to you storing data.

That could be a simple unsubscribe link to your email newsletter or a box within an account page where a user can change their preferences.

Much will depend on the type of data you store.

Some cookie plugins also have opt-out mechanisms enabled by default.

12. Customers must be able to view what data you hold

Customers must be able to request a copy of all the information you hold on them.

This can be via a simple web form or email or a request via web chat. Mention it in your terms and conditions and make sure the user knows what they can access and how.

13. Customers must be able to correct data

Customers must also be able to correct any data you hold. They must be able to address inaccuracy or incomplete data whenever they like.

You can do this by allowing edit access to their customer profile or adding a mention of how to do it in your terms and conditions.

14. Customers must be able to restrict or reject data processing

If you plan to use personal data for anything other than order fulfillment, you must enable a customer to opt out of data collection.

You must also provide the opportunity for a user to reject data processing.

For example, if you state you only keep personal data to complete a shipment and then decide to provide anonymized data for a census, you must give customers the opportunity to opt out without impacting anything else.

15. Inform customers of any updates to your privacy policy or terms and conditions

You’ll need to inform all registered customers if you update your store’s privacy policy or terms and conditions.

You can use your email platform for these, including all customers from your database.

The email should mention what documents have been updated and how plus links to them for easy access.

16. Regularly review store security

Reviewing security is something you’ll probably do regularly as an eCommerce store owner, but it’s essential for GDPR compliance.

You’ll need to keep an eye on new security methodologies, use updated security where practical and update security policies if you make any big changes.

Most high quality web hosts will regularly update security and will handle much of this for you.

If you’re a SureCart user, we also keep up to date with all developments in security and implement the best of them to protect our servers.

Are there benefits to GDPR compliance for eCommerce stores?

As you’re probably now aware, GDPR places quite a burden on organizations that want to do business with EU citizens.

But it isn’t all bad news.

Some of the requirements to comply with GDPR can also benefit your business as a whole.

Increased trust

Being compliant with GDPR is a big trust signal both inside the EU and out.

Most people know how stringent the legislation is supposed to be even if they don’t know the details. If your eCommerce store advertises the fact it’s GDPR compliant, that should go a long way to increasing trust with customers.

Compliance with regulations

Legislation with this kind of profile gets a lot of scrutiny. Despite the overheads and potential work involved, it’s easier and often cheaper to comply rather than to ignore it.

Fines can be substantial:

“For especially severe violations, listed in Art. 83(5) GDPR, the fine framework can be up to 20 million euros, or in the case of an undertaking, up to 4 % of their total global turnover of the preceding fiscal year, whichever is higher.”

This GDPR fine tracker justifies the effort quite succinctly.

Just look at some of those numbers!

Fits with user’s increased interest in privacy

Privacy has been a hot topic for years. We all know that some companies have played fast and loose with our data and GDPR seeks to reduce that.

Any eCommerce store that’s GDPR compliant demonstrates they are also on board with user privacy.

Mention it clearly somewhere and you’ll gain trust and, hopefully customers, as a result.

Increased security measures benefit the entire business

GDPR has a few basic security measures you need to take to comply. They include securing databases, reducing user access to data and documenting the data you keep and why.

All these things also protect your business. Your database is the core of your online store so the more it’s protected, the better for your business.

That’s one benefit of SureCart and headless eCommerce. SureCart servers are where customer data will be stored, which places the burden on the provider rather than you.

Final thoughts on GDPR and you

Complying with the GDPR seems like a lot of hard work, and it can be. The good news is that many areas can be handled by SureCart and store plugins.

You will have some work to do, but use this guide, choose the right plugins and the right approach and there’s no reason to feel burdened by compliance.

If you’re ever in doubt about whether your store complies or not, ask an expert. Only they can tell you definitively whether you’re compliant with GDPR or not.

Have you adapted your store to comply with GDPR recently? Have any advice to share? Stories to tell?