What is ecommerce GDPR and how to comply with it?

What is ecommerce GDPR and why is it important?

GDPR stands for General Data Protection Regulation. This is a European privacy law that requires companies and organisations to handle personal data with care. The law has been in force since 25 May 2018. It applies to all member states of the European Union and replaces the 28 separate national laws on protecting personal data. As webshops collect data from their customers and then use and store it, the GDPR also applies to webshops. This data includes things like name, e-mail address, financial data, residential address and telephone number.

What measures must an online shop comply with regarding the eCommerce GDPR?

As an online shop owner, it is therefore important that you have your ecommerce GDPR compliance in order. After all, you should process as little personal data as possible and only keep the data that is really necessary. In addition, as an entrepreneur you must be able to demonstrate that you are actively working to comply with the eCommerce GDPR. GDPR for webshops is comprehensive. As a webshop owner, there are quite a few things you need to take into account:

  • Give users control over what data they provide to the site and how.
  • Request express permission before saving any data.
  • Include age verification measures to protect the data of children under 16 years of age.
  • Guarantee user privacy and store purchase data in encrypted form.
  • Have a good understanding of the life cycle of the lead: how long you need to store their data, how you use it, and when you delete it.
  • Document the website with all the legal information, written by professionals.
  • Avoid the use of data obtained from third parties.
  • Comply with each user's rights of access, deletion or cancellation of their data.
  • Declare the commercial purposes for which stored data is used.

You can read exactly what these points involve, including a few ecommerce GDPR checklists and a guide to GDPR for eCommerce, in the article below.

How to comply with the GDPR in your E-commerce?

1. Show responsibility

As a website owner, you are responsible for complying with the ecommerce GDPR. It is important that you take this responsibility seriously. No matter where you host your webshop, the responsibility for protecting your customers’ personal data lies with you. Do you have personal data processed by a third party, such as your suppliers? Then they too must meet the requirements set by the GDPR. For this reason, it is important that you enter into a processing agreement with your suppliers and the other parties involved. In it, you lay down agreements on how third parties process ‘your’ data.

Example: if you outsource the shipment of the products in your webshop to an external party, you will have to pass on the required customer data to this party. This external party must not simply pass this customer data on to others. You can lay down the agreements on this in a processor agreement. This protects not only your customers, but also yourself as a webshop owner against any unwanted events.

Should a problem arise, it is important that you can refer to the processor agreement. Do you need to start drafting a processor agreement? Then make sure it includes at least the following points:

  • What are the personal data used for?
  • What safety measures should be taken?
  • Where will personal data be stored?
  • Who is responsible for what?
  • What will be done on termination?
  • What costs are involved in cancelling the agreement and who pays them?
  • How do you deal with data breaches or damage to your reputation when agreements made have not been kept?

2. Clear privacy statement

A clear privacy statement on your webshop is mandatory. As a webshop owner, you are obliged to inform your customers about the privacy-sensitive data you collect. You must also be able to inform your customers about the purpose of collecting this data. In a privacy statement, you should certainly include the following points:

  • your own company data
  • what personal data you process
  • why you process it, i.e. the purposes of the processing
  • the security measures you have taken
  • your customers’ right to inspect, delete and, where possible, modify their data
  • the use of cookies on your website

When considering the GDPR for ecommerce, it is important that you draw up a comprehensible privacy statement for your customers. This statement should be easy to find on your webshop. For example, you can place a hyperlink to this statement on the order form.

3. Security measures

Where are your customers’ passwords stored? Who can see these passwords? As a website owner, you must be able to demonstrate that the security measures you take are actually in order. The measures you take when processing customers’ personal data are equally important. Think of the plugins installed on your website that allow customers to leave personal data: order forms, account creation, and so on.

4. Cookie policy

The GDPR for online shops affects the use of cookies on your website. A cookie is a small text file that a website stores on the visitor’s device and that contains information. Are your webshop settings such that visitors automatically accept cookies? If so, this is not good enough. You have to give your visitors the opportunity to accept or reject cookies themselves. For example, you can give visitors to your webshop a choice between accepting only functional cookies or accepting all cookies. You can even give them the option of not accepting any cookies. This will have consequences for the visitor: your webshop may not function as well. Either way, make sure your webshop has a careful cookie policy.

We have already discussed on other occasions the importance of having your website’s legal matters in order to avoid fines and complications. Previously, your website only needed a notice stating that it uses cookies, which the visitor accepted, and that was it; now it is very important not only that users can accept cookies, but also that they can reject them and see which cookies your website uses.

In WordPress, there are many plugins for this. We have compiled a list of the best WordPress cookie plugins for GDPR.
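Whether you use a plugin or your own banner, the underlying logic is the same: declare which cookies the site uses, set nothing non-essential until the visitor has made a choice, record that choice as evidence, and let the visitor see the list. The block below is an added example and not code from the article or from any plugin. It implements that logic with the three options the section describes (accept all, functional only, none); the cookie names, categories, purposes and the policy version are constructed placeholders, and the cookie jar is an object standing in for `document.cookie` so the logic can run outside a browser.

```javascript
// Added example (not from the article): consent-gated cookie setting for a webshop.
// Cookie names, categories and purposes are constructed placeholders.
const COOKIE_REGISTRY = [
  { name: 'cart_id',       category: 'functional', purpose: 'keeps the basket between pages' },
  { name: 'session_id',    category: 'functional', purpose: 'keeps the customer logged in' },
  { name: '_analytics_id', category: 'analytics',  purpose: 'visit statistics' },
  { name: '_ads_id',       category: 'marketing',  purpose: 'advertising retargeting' },
];

const CHOICES = ['none', 'functional', 'all'];

// Which categories a choice permits. 'none' switches off even functional cookies,
// the option the article says you may offer at the cost of a less functional shop.
function allowedCategories(choice) {
  switch (choice) {
    case 'all':        return new Set(['functional', 'analytics', 'marketing']);
    case 'functional': return new Set(['functional']);
    case 'none':       return new Set();
    default: throw new Error('unknown consent choice: ' + choice);
  }
}

// No recorded choice (or an unrecognised one) means no consent: nothing is
// "automatically accepted" before the visitor has decided.
function effectiveChoice(recorded) {
  return recorded && CHOICES.includes(recorded.choice) ? recorded.choice : 'none';
}

// The list the banner shows so the visitor can see which cookies the site uses.
function describeCookies() {
  return COOKIE_REGISTRY.map(c => `${c.name} (${c.category}): ${c.purpose}`);
}

// The record kept as evidence of consent: what was chosen, when, under which policy version.
function recordConsent(choice, policyVersion, now = new Date()) {
  if (!CHOICES.includes(choice)) throw new Error('unknown consent choice: ' + choice);
  return { choice, policyVersion, timestamp: now.toISOString() };
}

// Which declared cookies a choice permits, e.g. to label the banner's buttons.
function cookiesPermitted(choice) {
  const allowed = allowedCategories(choice);
  return COOKIE_REGISTRY.filter(c => allowed.has(c.category)).map(c => c.name);
}

// Single gate through which every cookie is set. `jar` stands in for document.cookie.
// Returns true if the cookie was set, false if the visitor's choice blocks it.
// An undeclared cookie is an error, because it could not have been shown on the banner.
function setCookieIfPermitted(jar, recorded, name, value) {
  const entry = COOKIE_REGISTRY.find(c => c.name === name);
  if (!entry) throw new Error('cookie not declared in registry: ' + name);
  if (!allowedCategories(effectiveChoice(recorded)).has(entry.category)) return false;
  jar[name] = value;
  return true;
}

// Browser wiring (assumed banner markup with buttons carrying data-choice="all|functional|none");
// skipped when the file runs under Node. 'policy-v1-placeholder' is a constructed version tag.
if (typeof document !== 'undefined') {
  document.querySelectorAll('[data-choice]').forEach(btn => {
    btn.addEventListener('click', () => {
      const consent = recordConsent(btn.dataset.choice, 'policy-v1-placeholder');
      localStorage.setItem('cookie_consent', JSON.stringify(consent));
    });
  });
}
```

The important design point is the single gate: if every script on the shop sets cookies only through `setCookieIfPermitted`, the "reject" option is enforced rather than merely displayed, and a cookie that is not in the registry fails loudly instead of silently slipping past the banner.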

5. Your customers’ rights

The GDPR for online shops also covers your customers’ rights. These include not only guarantee periods and return options: your webshop’s customers also have the right to view the personal data they have left with you at any time. This also gives them the opportunity to correct their personal data where necessary. Are your customers not satisfied with the way you apply the GDPR? Then they have the right to object to the way you process their personal data.

6. Data breach

Every webshop owner may have to deal with a data breach sooner or later. When this happens, you need to report it to the supervisory authority. Sometimes a data leak must even be reported to all parties involved, including your customers. This can damage your reputation as a webshop owner. To prepare for this, it is important that you draw up a protocol. In it, you note not only what you do to prevent a data leak, but also what the consequences are and what you will do if you do have to deal with one.

Conclusion

As a webshop owner, it is therefore incredibly important that you adhere to all the rules set by the ecommerce GDPR for webshops. This matters not only for the visitors to your webshop and your customers, but also for yourself. After all, if you do not comply properly with the GDPR for online shops, it could cost you dearly: you could be fined millions, or you may have to pay a certain percentage of your annual turnover as a fine.

Are you attracted by entrepreneurship and do you want to start your own webshop? Then make sure you are well prepared. This will avoid any unwanted surprises in the future.

GDPR for ecommerce FAQs

1. Is a privacy statement mandatory?

As a website owner, you are obliged to inform your customers about the privacy policy you have implemented. The AP (Personal Data Authority) monitors compliance with privacy laws. Everything is aimed at protecting your customers’ personal data.

2. What do I need to comply with the GDPR for online shops?

As a website owner, you need to be able to prove that you only process personal data that is necessary. In addition, you must be able to demonstrate that you obtained all personal data lawfully and use it only for specific purposes, for example using address data to ship the products.

3. What is not allowed by the GDPR for ecommerce?

Besides standard personal data, there is also special personal data, for example data concerning someone’s health, past, etc. As a website owner you may receive this data when you send out surveys or questionnaires. However, using this data is strictly forbidden unless a legal exception applies to you. This is sometimes the case for healthcare organisations, for example.