What effect will new GDPR laws have on e-Commerce businesses?

Richard Jess

March 9, 2018

Many of you will have heard the phrase General Data Protection Regulation (or its acronym, GDPR) mentioned recently in relation to new laws and regulations being introduced, but what exactly is it and how will it affect an e-Commerce business? Throughout this blog we will digest the new regulations to help everyone understand the requirements and how you can become compliant.

What is the GDPR?

The GDPR is an EU privacy law which aims to change the way data is captured, managed and used in the European Union. The regulations, detailed on the ICO website, come into effect on 25th May 2018 (just months from now) and are designed to offer greater protection of personal data, namely for employees, customers, suppliers and potential clients. The major adjustment under the GDPR is that the regulations for processing personal data have now become standardised across the EU for all businesses and organisations.

What constitutes personal data?

The protection of personal data under the new GDPR laws will cover: name, address, email address, location data, IP address, photos, social media posts, bank details and any identifying numbers (e.g. social security number). Under the new GDPR laws, however, not all data is equal: some types are considered more sensitive than others and require careful handling. These include details on race, health status, sexual orientation, and religious and political beliefs.

However, all personal data, regardless of origin, should be stored securely, and from an e-Commerce perspective businesses will have to adapt and include features such as opt-in permissions within their site. E-Commerce businesses that have previously hidden data consent within the depths of their terms and conditions policy will need to update their permissions before 25th May 2018.

Is GDPR applied outside the EU?

Organisations that do business with EU citizens, provide goods or services to the EU or have a website tracking the behaviour of EU users need to be compliant with the new GDPR regulations.

How will it affect e-Commerce businesses?

The GDPR law applies to all databases, sales, marketing, HR and accounting. Any data which is stored, managed and/or processed will be influenced by the new regulations. The following seven features and web functionality will be impacted by the new regulations:

1. Email Marketing

With the crux of the GDPR laws being consent focussed, any email marketing from e-Commerce businesses will have to adopt new rules for what can and can’t be done to engage with data subjects (e.g. customers, users, employees). From 25th May 2018, customers can only receive emails if they have given permission, usually by opting in to email marketing. Pre-selected signup form options are no longer permitted, as consent must actively be given by an individual.

Marketing emails must also explain why users are receiving them and how they can opt out of the service. This will have a big impact on the marketing industry, especially where personalisation and profiling are concerned. If your e-Commerce business uses third party email providers such as MailChimp you can read how they intend to comply with GDPR here.

2. User account information

It must be straightforward for customers to read, update and delete marketing consent from their e-Commerce account, and they must also have the ability to delete their account or any personal information entirely. This should all be well documented and easy to navigate.

3. Signup forms

In addition to opt-in permissions, users must provide consent for each type of communication. For example, separate permissions are required for email, SMS, phone and post.

4. Policies and Terms & Conditions

Policies should outline:

  • what data you hold
  • where the data comes from
  • who can access the data
  • who you share the data with
  • why you store the data

This is crucial for demonstrating your GDPR compliance. In the unfortunate circumstance where a breach takes place, you must know who to contact and what to do, and this should be reflected in any policy document. GDPR states that any business Privacy Policy must be:

“concise, transparent, intelligible and easily accessible; written in clear and plain language, particularly if addressed to a child; and free of charge.”

Fines can be in the region of £16 million or 4% of annual revenue, which makes any misuse/breach critical to any business (especially any SME e-Commerce business). E-Commerce businesses that rely on in-house custom-built software or servers may need to hire an audit/test team to analyse security weaknesses.

5. Online payments

GDPR laws will mean all e-Commerce businesses that store customers’ personal details will need to remove them after a reasonable period. This includes all details as well as credit/debit card information. The legislation is not clear about what warrants a reasonable time period; instead, it is expected that the business owner sticks to a justifiable length.

6. Live chat

If your e-Commerce site includes a live chat facility integrated from a third party, you need to ensure this is referred to in your Privacy Policy and that a review of their GDPR policy is undertaken. Your business should also be aware of the accessibility of the live chat transcript and of the regulations involved in storing this information with and without the user’s permission.

7. Google Analytics

Many would assume that Google Analytics would also be affected by the new GDPR regulations; however, it uses an anonymous tracking system to collate results. This means there is no personal data collected or stored. Google have clearly advertised their commitment to GDPR data protection laws here.

10 first steps for GDPR compliance

1. Ensure customers are able to opt-in for all permissions and consent.

2. Refer to your database – can you see where users have supplied consent and when this was provided?

3. Write down all procedures and policies for handling personal data.

4. Encrypt your website with an SSL certificate. Odd Panda can do this for you; please get in touch.

5. Update the privacy policy on your e-Commerce site to ensure it is easily read and covers all relevant GDPR issues.

6. Make sure your backend admin facility is secure so that any personal information is securely stored.

7. Determine how your site is going to give users the ability to create, read, update and delete any of the personal data you store.

8. Check how long you currently store users’ personal data and update this accordingly to a period that is reasonable.

9. Decide how long the opt-in user consent is binding for and determine the most effective method of retaining consent after this time period has passed.

10. Update any forms on your website, especially where users are subscribing to a mailing list, to make sure they are compliant with GDPR regulations.


Hopefully this blog has outlined why the General Data Protection Regulation has been a major topic of conversation in the business world recently. As of 25th May 2018 this will all be legally enforceable, so the sooner you address this and ensure your e-Commerce site is GDPR compliant the better. It is important to get to grips with what is applicable and what is not. Here are some useful links which may help provide more information about GDPR.

For Shopify users, more information is available here.

Find out more from the Information Commissioner’s Office (ICO), such as what the GDPR entails in detail, what you should include in your Privacy Policy and the GDPR Checklist.
