The General Data Protection Regulation is Almost There

On May 25, 2018, something big is going to happen, affecting non-EU companies across multiple industries, and ecommerce is no exception. Next year the General Data Protection Regulation, or GDPR, will come into force. Since any ecommerce business inherently deals with huge amounts of data, merchants, distributors, marketers and other professionals will have to introduce some serious changes in order to comply. Let’s try to throw light on this issue and see what actions you should take to prepare your ecommerce business for the GDPR.


With the rapid evolution of technology these days, the way people communicate and commercialize goods and services has dramatically changed. This interconnected and globalized world has brought enormous opportunities to run businesses online with almost no boundaries. Opening a bank account, buying products or getting a master's degree – any of this can be easily done online now. Just provide some of your personal data, and there you are – a happy owner of a new electronic device or a pair of sneakers.

But have you thought about privacy concerns? What if your personal data gets lost or, what’s even worse, falls into the wrong hands? To give individuals back control over their sensitive data and streamline the legislative environment, the GDPR is here to take the stage.

So, what is the GDPR?

The EU General Data Protection Regulation, also referred to as Regulation (EU) 2016/679, is the new legal framework in data privacy legislation. According to the official statement, the GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy.

Just like the Data Protection Act, the GDPR covers both data controllers and data processors. For controllers, the GDPR puts emphasis on addressing contractual obligations with the processor to ensure they comply with the GDPR. If you are the processor, you have to maintain records of all data processing activities and personal data use.


In a nutshell, the new regulation requires complete transparency and security of personal data from every company dealing with it. Thus, no matter where you're based – a European country or any place outside the union – the GDPR will impact your data handling process.

Failure to comply with the new regulations is definitely not something you’d like to face. If a company doesn’t comply with the GDPR, it can be fined up to 20 million euros or 4% of turnover, whichever is higher. In view of this, your preparation for the GDPR should start as early as possible.


To be in line with the GDPR, every organization will have to address a number of major requirements concerning the way they manage private data. We’d like to outline some of the critical points for ecommerce businesses to consider here.

1. Ensure full visibility of data and transparency of its usage.

Ensuring complete visibility of your business operations is the key aspect to follow under the GDPR. You also have to be very specific about the purpose of personal data collection. There’s no way you can use the data for any purpose other than the one it was originally collected for. Analyze your data flows and identify areas of potential risk or vulnerability. Double-check the third-party systems and services you use. Make sure you share sensitive information only with authorized and reliable members of your supply chain.

2. Provide a clear consent for marketing activities.

We believe email marketing forms one of the building blocks of any marketing strategy for ecommerce ventures. The GDPR sets a new standard for receiving consent from your customers and prospects. Now they will have to confirm, in a follow-up email, that they were the ones who provided the data. This basically means the end of the era of automatically checked boxes as an indication of consent.

3. Deactivate opt-ins.

Along with giving clear consent, customers also receive the right to change it or opt out at any time. Thus, you have to ensure private accounts can be deleted easily in case customers don’t want to be contacted anymore. Deactivating default opt-ins is yet another step towards GDPR compliance.

4. Ensure fast incident management.

Enhancing both internal and external security systems is a must for an ecommerce business to be GDPR-compliant. The regulation specifies that private data breaches must be reported within 72 hours. Therefore, you have to adopt a proper security and incident management policy. This way you'll be able to prevent data loss or discrimination, and ensure quick detection and reporting if an incident does occur.

So, if your organization falls under the GDPR, you must be ready to answer the following questions:

  • What type of information are you dealing with?
  • Where and when was this data gathered?
  • What's the purpose of this data?
  • Who can you share this data with?
  • What steps did customers take to opt-in?
  • Are customers clearly aware of how to opt-out?

Even though the GDPR involves considerable implications for companies, its aim is not to make running a business harder. The ecommerce industry has always been open to innovation, from both technology and marketing perspectives, so the GDPR should be viewed as yet another change.

This regulation is therefore about improving existing processes and guaranteeing more security to both customers and organizations across the EU. Clear, well-protected processes around data collection and usage will bring you the opportunity to build transparent and trustworthy relationships with your customers. And as a result, their loyalty, confidence and faith in your brand won’t take long to come.

Tell us what you think about the GDPR.
