General Data Protection Regulation: What You Need To Know

The General Data Protection Regulation (“GDPR”) introduces a new privacy framework in the EU which was passed in 2016 and will come into play on May 25, 2018. The GDPR will replace existing EU data protection laws and bring about significant changes and requirements that will have a wide-ranging impact worldwide on the way organisations handle and use data.

GDPR. General Data Protection Regulation. What is it? What do I need to know? What should I do? These are questions we are hearing more and more frequently as we get closer to May 25th, the date on which this new law comes into effect.

As an eCommerce agency, our focus is on what this means for our customers, all of whom are Australian-based eCommerce stores and almost all of whom dispatch orders overseas.

After a lot of online reading and research, and some struggle to find the answers our customers need, we decided to collate our findings and recommendations for our partners into one simple blog post.

Let’s start from the top. What is GDPR?

The EU is implementing a new privacy framework to protect the data of EU citizens regardless of their actual location. Data means their names, email addresses, order history, newsletter preferences, and so on. Basically, any data you have collected from your EU customers will now fall under the jurisdiction of the GDPR. The Regulation essentially gives the power back to the customer in terms of where their data is stored, how it is used and how they remain in control of it. Any request the customer makes of you, the merchant, must be completed within 30 days in order to avoid a non-compliance penalty.

What do I, the merchant, need to know?

If you are an eCommerce store dispatching orders and/or marketing to the EU, this affects you. To remain compliant, you must make it crystal clear to your customers how you collected their data, what you use it for and how they can opt out at any time.

You will be expected to put extremely high safeguards in place to ensure your customers' data is protected. If you haven't already, you might like to consider adding two-factor authentication to the sign-in for your email marketing platform and your eCommerce admin.

So, what should I do?

Start this process sooner rather than later. Review your website end to end and note every capture point at which you collect data. Document this clearly in a digestible format so your customers can see where you're capturing their information. Make it transparent on your website in a "Privacy and Cookie Policy" page so your customers can easily access all of this information. The most important thing to highlight for your users is how they can unsubscribe or delete their accounts.

It is of paramount importance that you do not collect any data without express permission from your customers. For example, make sure none of your check boxes are pre-ticked, and be very clear about what your customers are signing up to.

In order to give your customers a continued sense of trust in your brand, you might like to consider sending an EDM to your database reminding your customers that they are currently subscribed to your newsletter and pointing them to your updated Privacy & Cookie Policy in case they'd like to read more.

Can you give that to me as a checklist?

Sure. Here’s what we’d do if we were you:

  1. Review your website sign-up points from start to finish. List every pop-up, every sign-up box and every opt-in that captures a customer's email address.
  2. This one is probably the most important. Make absolutely sure that no check boxes are pre-selected. From now on, your EU customers must tick all boxes themselves to agree to sign up or to acknowledge your Ts and Cs.
  3. Check that you have an easy “unsubscribe” link at the bottom of your EDMs so your EU customers can opt out at any time.
  4. Review the wording of your Abandoned Cart emails and make sure your EU customers are told how you captured their email address if they did not provide it directly, and how they can remove themselves from the list.
  5. Set up a CMS page on your site with an updated Privacy and Data Policy. Make it clear to your EU customers where their data is captured on your website and what you use it for.
  6. Consider sending an EDM to your EU customer base with links to your updated Privacy and Data Policy and steps for them to follow if they want to update their preferences.

Let us help! Contact us today.

Email us > [email protected] or via our website.