Ensuring Your E-commerce Business Complies with the New European Data Protection Regulations

Wednesday, April 11, 2018

In our previous article, we looked at how the new European General Data Protection Regulations will affect all types of businesses that collect, hold, and collate personal information from emails to addresses and more. In the following, we will take a more detailed look at how some specifics of the new rules are likely to affect eCommerce businesses and websites that use such data.

Apart from the implications that the new rules will have for online and web trading businesses, there are of course, pertinent and crucial issues to be considered by developers. From creating brand new platforms to updating or improving existing eCommerce systems, there are more than just a few potential pitfalls that owners and developers should be aware of.

Is your eCommerce business leaving it too late?

According to recent statistics collected by leading business analyst Deloitte, only 15% of the organisations surveyed felt confident that they were prepared for the new GDPR. With the deadline of May 25th just around the corner, it is essential that eCommerce businesses and others using websites ensure that they are, in fact, in compliance.

Taking a closer look

Owners of eCommerce sites and developers have long been aware of the need for privacy policies and how they apply to the use of cookies and other invisible data collection methods. While onsite disclaimers and links to a simple privacy policy page may have been adequate in the past, they are unlikely, however, to conform to the requirements of the new regulations.

It could, therefore, be prudent to take a more in-depth look at the types of data a typical eCommerce site is likely to be dealing with and, more importantly, at how they are likely to affect the owners of such sites under the new regulations. While many of those who are reading this article may already be thinking that it is obvious what types of data they are collecting, there will most likely be “incidental” information coming through along with it.

The burden of proof

With the new rules giving increased power to the data subjects (your clients), there is certain to be a marked increase in the number of data privacy breach claims and requests for data information.

One of the key factors that all digital business owners need to consider is that the burden of proof in all aspects of both breaches and permissions will rest squarely with them. This should form the basis on which site owners and developers collect, store, and use all types of personal data. By laying the right foundational structure at this level, virtually every possible issue further up the data chain will be much easier to resolve.

Permission is crucial

One of the most important aspects of the new laws that are likely to affect digital marketers is the whole area of permissions. It will no longer be sufficient for site owners to simply place a disclaimer on their pages advising clients of their options.

Likewise, while privacy policies will still have their part to play, simply advising the client in this way could potentially leave business owners open to non-conformity and data privacy breach claims.

eCommerce, data, and the new regulations

The fact is that while businesses are busy focusing on their prime data functions, other data is often being collected along with it purely by default. So what kind of data do eCommerce sites collect and how are these affected by the new regulations? In the following, we take a look at the types of data and their relationships with the European GDPR.

Whether you operate a full-blown eCommerce site that sells goods and/or services directly or a simple website that attracts subscribers, your activities already come within the remit of the new regulations. The fact is that simply by holding your followers' email addresses, you are collecting and holding their data.

The new regulations take on board the whole spectrum of data from simple contact details right through to more complex and “sensitive” information. Owners of such sites should carefully consider therefore how they acquire, store, and utilise such data.

As with all other types of data that come within the remit of the new laws, site owners will have to provide clear evidence that the data subjects (the clients) were made fully aware of how it was collected and is now being handled.

Credit cards and other payment methods

The security aspect aside, payment details are possibly one of the most sensitive types of data covered by the new regulations. The reality is that if your business processes online payments (and what eCommerce business doesn’t?), how those credit/debit card and other digital payments are stored and handled is crucial.

Even if your site uses a third-party provider to process payments, you should be checking up to ensure that they are also complying with the new regulations, because in the event of a data breach the buck may well stop with you. The software and website plugins that you use in relation to payments on your site will also need to conform to the rules, so it will be prudent to check and update as necessary.

Delivery and payment addresses

Whatever type of online operation you have and irrespective of the size of your client base, if you obtain a delivery address, you have personal data. This applies even if the goods are being delivered to someone other than the original purchaser. While this action may not be the prime function of either your manual system or your digital database, you will still have collated and used the personal data relating to someone’s physical address.

This is just one of many data types that can slip through the net. It is understandable that a busy digital sales business would be focused on the client in respect of providing good service and also in taking proper care of their personal data.

eCommerce and web-based businesses should consider that they will be accountable for all and any data that passes through their systems whether they put it to use for their businesses or not. Therefore, ensuring that systems and/or software are in place to catch such data should be a major consideration whether you own or develop eCommerce sites.

Email lists

Apart from the use of cookies, email marketing and list building is probably right at the top of any list of eCommerce tools. Online marketers are already familiar with the complex double-opt-in systems that have evolved over the years and the multi-layered disclaimers that have accompanied them. Though these were originally born out of a response to the anti-spam laws, they have already lent themselves extremely well to the existing data protection regulations.

Website owners and developers should not be tempted into complacency in this data collection area, however, because many of the systems that have been around for a long time may no longer comply. With the burden of proof in demonstrating that opt-ins were fully advised now resting with site owners and managers, there is a need for both physical evidence and a crystal clear data trail.

Purchase history

In some ways, the new data protection regulations will actually work in practical ways to enhance your online business practices. One such area where eCommerce site owners could benefit is in improved “data packaging”. Due to the requirements for businesses to make data packages available, there will be a need to format or “package” data in a specific form.

This is to enable data to be portable and easily available for the client in situations where they may want to forward it to another organisation, such as from a utility company to a bank. The upshot of this requirement is that data will need to be formatted in line with such requests and that, in turn, will make the whole business of transporting data much more streamlined.

The importance of getting it right

eCommerce and website sales businesses figure so strongly under the new European General Data Protection Regulations (GDPR) due to the way in which they collect and process data. The fact is that such businesses rely heavily on software and other digital systems to promote and sell their goods and services. This not only means that they handle data in specific ways that come under the new rules, they also, by their very nature, usually handle large quantities of such data.

With online businesses and company websites operating 24/7 and virtually running on autopilot, it cannot be stressed enough just how important the whole data processing system is under the new rules. By getting it right from the outset, such businesses will be laying solid processes in data management and may well avoid some potentially expensive issues in the future.

Coming next

We trust that some of the above has proved useful to our readers who own websites and eCommerce sites. In the next article, we will be looking more specifically at the implications the new data rules will have for businesses that use list building and auto-emailing campaigns, so visit us soon to learn more.
