How to Make Your Ecommerce Website GDPR Compliant: A Complete Checklist

Oct 08, 2020

Yana S.

Copywriter

Elena K.

Head of Quality Assurance office

Since May 25th, 2018, the General Data Protection Regulation (GDPR) has imposed requirements on ecommerce companies that work in the EU or provide their products or services to EU residents. If you’re subject to GDPR requirements, don’t miss our complete GDPR ecommerce checklist for your website. 

What is the GDPR? 

The GDPR combines rules and requirements for collecting, storing, and processing EU residents’ personal data. These requirements were introduced to prevent invasive data tracking and data manipulations. The GDPR aims to provide EU residents full control over their personal data and ensure its security. 

Within the context of the GDPR, there are several roles companies and their customers/clients may have. Let’s take a look at them.

  • Data controller – A company or organization that identifies reasons for collecting personal information and determines how that information should be processed. 
  • Data processor – A third party that processes data provided by a data controller. Data processors don’t own the data provided to them and process it under the data controller’s rules. 
  • Data subject – Any individual who provides information such as a name, ID number, or address to a data controller. 

Now, let’s take a look at the GDPR checklist we’ve prepared for ecommerce website owners.

GDPR compliance checklist for an ecommerce company

We’ve divided the GDPR requirements for ecommerce websites into several categories for your convenience. Each category covers a particular aspect of the regulations and reveals the requirements you need to satisfy.


Each point on our ecommerce GDPR compliance checklist refers to one or more roles a person or entity plays within the context of the GDPR: data controller, data processor, or both.

Let’s review each category and each point of the GDPR compliance checklist and see what entities are subject to each checklist item.

1. Data security

Here, we’ll review requirements the GDPR imposes on companies to ensure the safety of users’ personal data.

1.1 Your company must maintain a list of all types of information you store, the sources of that information, whom you disclose it to, and terms and duration of its use.

To be fully GDPR compliant, you should thoroughly document all data you collect. Each piece of your users’ personal information should be accompanied by details about it, including its type, the source from which you received it, the third parties with whom you’ve shared it, your reason for collecting this particular piece of information, and the date when you will no longer need it. 

Affected entities: data processor, data controller

1.2 Your company must keep records of locations where you store data subjects’ personal information and the ways data flows between those locations.

You should document any locations where your users’ personal data is located, such as MySQL or PostgreSQL databases. Moreover, if you store data in physical storage, you need to document the address of the storage location. You should also describe in detail the process of moving information from one place to another.

Affected entities: data processor, data controller

1.3 Your company must have a publicly accessible privacy policy that outlines all processes connected with personal data.

Your organization’s website should let users access your privacy policy, which should describe how you handle users’ data. This policy should explain your reasons for collecting data, the way you process data, who you share data with, and what measures you take to keep data safe. 

Affected entities: data processor, data controller

1.4 Your company’s terms and conditions must mention a lawful basis for data processing.

To process users’ personal data, you must have a lawful reason. There are several legitimate grounds for processing users’ data. The most obvious is when a data subject agrees to data processing in exchange for a service or for some other reason. Data processing is also permitted if it’s mandatory to execute a contract between the data subject and data controller or to comply with laws and regulations.

Companies can process data if needed to protect the interests of the data subject, the data controller, or society, except when doing so contradicts the data subject’s rights.

Affected entity: data controller

2. Accountability and management

This category of GDPR requirements reveals what you need to consider to ensure your organization management process is GDPR compliant. 

2.1 Your company may need to have an assigned Data Protection Officer.

A Data Protection Officer (DPO) is an expert who makes sure that an organization follows laws and regulations related to data protection. 

Hiring a DPO is a must if your company is a public authority, performs regular monitoring on a large scale, or processes an extensive quantity of data in sensitive categories.

Even though your company might not be obliged to hire a DPO, it’s a good practice to have someone who will monitor the data protection flows in your company. 

Affected entities: data processor, data controller

2.2 Decision-makers in your company must be aware of GDPR obligations.

Your task is to verify that key people in your company are aware of the main principles of data protection. If key people don’t have enough knowledge of these principles, it’s your responsibility to compensate for that. For instance, you can hire a specialist to run a series of training sessions on data protection.

Affected entities: data processor, data controller

2.3 Your company must use the latest security technologies.

Make sure that all security systems you’re using to protect your users’ and your company’s data are up to date. For example, check that you’re using the latest versions of antivirus software and reliable encryption to protect your users’ data. Moreover, to protect your company’s private network from unauthorized access, you should use firewall software.

Affected entities: data processor, data controller

2.4 Your staff should be aware of data protection measures.

Your company needs to develop guidelines for team members on email security, setting strong passwords, two-factor authentication, device encryption, and the use of virtual private networks (VPNs). Conduct training on GDPR principles each time newcomers join your team and after regulations are updated. Pay special attention to those who have direct access to users’ personal data. 

Affected entity: data processor

2.5 You must keep a record of all sub-processors involved in processing your users’ data and mention these sub-processors in your terms and conditions.

In case any sub-processors are involved in your users’ data processing, you should inform your users about that and enumerate all sub-processors in your company’s terms and conditions. 

Affected entity: data processor

2.6 If your company is based outside the EU, you must assign a representative within the EU.

If your company works outside the EU but still collects and processes the personal information of EU residents, you need to appoint someone to represent your company’s interests in the EU and interact with local authorities on your behalf. 

Affected entities: data processor, data controller

2.7 You must report data breaches involving personal data to the relevant authorities within 72 hours.

Your organization should have guidelines on appropriate actions to take in case of any security breaches. If you become aware of a data breach, you need to report it to data protection authorities within 72 hours. Your report should contain details on the type and amount of data lost, a description of likely consequences, and countermeasures you have taken. Additionally, you need to inform users whose personal data has been lost about the breach. 

Affected entities: data processor, data controller

2.8 You must sign contracts with any third parties involved in data processing.

Your company needs to sign a contract with any data processor that has access to your users’ information. This contract should outline all aspects of your cooperation with the data processor, including the reasons for processing data, the duration of processing, the types of data, and the categories of data subjects. The contract should also set out your rights and obligations as well as the rights and obligations of the data processor.

Affected entity: data controller

3. Customers’ consent

Customers’ consent to data processing is one of the basic requirements of the GDPR. Let’s see what you should do to acquire legitimate consent to data processing from customers.

3.1 Customers’ consent must be freely given, specific, and informed.

While gathering customers’ information on your website, make sure you provide customers with an easily accessible link to your privacy policy and an option to agree to the terms and conditions. Note that customers should confirm their agreement on their own, and pre-ticked boxes are forbidden. 

Affected entity: data controller

3.2 Your privacy policy must be clear and understandable.

Use simple and understandable language in your privacy policy to deliver an unambiguous message on the terms of processing personal data. This is especially vital if your target audience comprises children. 

Affected entity: data controller

3.3 Your customers must be able to easily withdraw their consent to information processing.

Similarly to the way users can agree to their personal data being processed by your company, they should have an option to revoke their consent.

Affected entity: data controller

3.4 If you process personal data of children, you must verify their age and obtain consent for processing from a legal guardian.

You need to get a legal guardian’s permission to process data of a child under 16 years of age. If you’re requesting this permission via your website, you need to have a process in place to make sure permission is actually given by a legal guardian and not by the child.

Affected entity: data controller

3.5 When you update your privacy policy, you must inform existing customers.

If you implement any changes to your terms and conditions, you need to notify your users about those changes. For example, you can send your users emails with detailed information on what has been changed. 

Affected entity: data controller

4. Regular updates

Policies are often changed and updated to provide the most relevant guidelines on how to keep users’ information safe. That’s why, to be GDPR compliant, you need to make sure of the following:

4.1 Your company must regularly review its data security policies for updates.

Your company should follow the best and most up-to-date practices and keep track of changes made to EU laws and regulations. Moreover, if you transfer data to countries outside the EU, you need to keep track of changes made when handling data in those countries. Remember that ignorance of laws and regulations is no excuse. 

Affected entity: data controller

5. Non-standard situation policy

Let’s also review unusual cases you might face and see what GDPR requirements you’ll need to satisfy if you do. 

5.1 You need to run a data protection impact assessment for high-risk processing of sensitive data.

A data protection impact assessment (DPIA) aims to determine and minimize risks related to personal data privacy. Organizations that perform large-scale data processing, profiling, and other activities associated with high risks to the rights and freedoms of data subjects are obliged to perform this type of assessment according to the GDPR. 

Affected entity: data controller

5.2 You may transfer data outside of the EU only to countries with a proper level of data protection.

If you transfer your users’ personal data to countries outside the EU, you must make sure that those countries provide a sufficient level of data security. 

Affected entities: data processor, data controller

6. User rights

The GDPR also outlines users’ rights that companies need to respect and grant. Let’s review all of them to be aware of the requirements they impose on ecommerce websites. 

6.1 You must provide users with information and communications in a clear and straightforward manner.

Articulate your privacy policy and communicate with customers in a concise and easily accessible way to ensure everyone understands each aspect of your privacy policy and communications. This is especially vital when you explain your company’s privacy policy to a child. 

Information can be provided in writing, in an electronic format, or even orally to a client whose identity is proven. 

Affected entity: data controller

6.2 You must allow users to obtain specific information. 

Your users are empowered to request specific details about your organization and your data processing cycle when you’re collecting their data. 

Information users may request includes your company’s identity and contact details, the identity and contact information of your DPO, and the address of the location where you perform data processing. Also, users might want to know legal reasons for processing their data and what’s in it for you. Moreover, users that care for the safety of their private data may request a list of data recipients and countries or international organizations to which you transfer data. Note that if you transfer data outside your country, you need to give users access to documentation that proves the legality and adequacy of this decision.

Affected entity: data controller

6.3 You must allow users to access information on how you process their data.

In addition to specific details, users should be able to get basic information about data processing within your company at any time. 

General details on your data processing cycle include the aims, conditions, and duration of data processing, categories of data you process, and a list of data recipients. You also need to let users know if they have a right to complain about the processing of their data. One more critical aspect pertains to the use of automated decision-making: users need to know the logic behind and understand the possible outcomes of automated decision-making. 

Affected entity: data controller

6.4 You must correct users’ data upon request.

Users can request to correct their personal data. Thus, if a user’s personal information is inaccurate or incomplete, you must correct it. In some cases, a supplementary statement can be required to update information. 

Affected entity: data controller

6.5 You must delete users’ data upon request.

You should delete a user’s personal data if you no longer require it. However, there are a few other cases when data should also be deleted. For instance, you should delete data when a data subject withdraws permission to process it or when it turns out that you have no lawful basis to process it. There may also be cases where a law applicable to the data subject requires the disposal of personal data.

Affected entity: data controller

6.6 You must respect users’ rights to restrict data processing.

Users can request that a data controller restrict the processing of their data in several cases. Data processing restrictions should be applied when a user claims that personal data is inaccurate or that you have no lawful basis to process it but the user doesn’t want you to delete the data. In such cases, processing of the user’s data should be paused until the data is corrected or until you provide the user with legitimate grounds for data processing. 

When a data controller no longer needs user data, it should be deleted. However, in case a data subject asks to keep data for the defense of the subject’s rights, data controllers can restrict data processing instead. 

Affected entity: data controller

6.7 You must notify users regarding the correction and disposal of data or the restriction of data processing.

Your company should communicate any correction or disposal of your users’ personal data or restriction of processing directly to users and any third-party recipients. 

Affected entity: data controller

6.8 You must allow users to obtain and forward their data.

Those who have agreed to personal data processing can request that you provide them their personal data in an electronic format. Moreover, users have the right to request that you forward their data to another entity. 

Affected entity: data controller

6.9 You must provide users with the right to object.

Users can object to the legitimacy of personal data processing if they didn’t give their consent. For instance, users may object if you process their data in the public interest.

In such a case, as a data controller, you should stop processing the personal data of objecting users unless you provide those users with a valid basis for processing that will allow you to process the information further.

Affected entity: data controller

6.10 You must respect users’ rights not to be affected by a decision made by automated processing.

Users shouldn’t be subject to decisions based entirely on automated data processing and profiling. Automated decision-making is the process by which a computer makes decisions automatically without human intervention. If your company’s decisions may heavily influence your users, such decisions should be made with human participation. 

Affected entity: data controller

Now that you have a full GDPR ecommerce checklist with requirements your organization should satisfy to achieve compliance, let’s look at what may happen if you fail to meet them.

Consequences of non-compliance

If a company fails to comply with GDPR requirements, supervisory authorities may impose administrative fines they consider effective, proportionate, and dissuasive. Depending on the harshness of the GDPR violation, authorities can choose between two types of fines:

Less severe 

If a company violates basic obligations of the data controller or data processor, it will be obliged to pay a fine of up to 10 million euros or 2% of the company’s annual global turnover, whichever is higher.

More severe 

Violations of the following regulations may result in even bigger fines:

  • Basic principles of data processing and users’ consent 
  • Users’ rights
  • Regulations on the transfer of personal data to a recipient in a third country or an international organization 
  • Principles of specific processing situations 
  • An order or limitation on processing established by the supervisory authority

These violations may lead to administrative fines of up to 20 million euros or 4% of the firm’s annual global turnover, whichever is higher. 

Recap

Achieving and maintaining GDPR compliance certainly isn’t the easiest task for ecommerce companies. But if you share this burden with a skilled team of GDPR compliance auditors, compliance becomes much easier to attain. 

FAQ

  1. The GDPR requires companies to meet requirements pertaining to:

    • Data security
    • Accountability and management
    • User consent
    • Regular updates
    • Non-standard situations policy
    • User rights
  2. A data controller is a company or organization that identifies reasons for collecting personal information and determines how that information should be processed. A data processor is a third party that processes data provided by a data controller. Data processors don’t own the data provided to them and process it under the data controller’s rules.

  3. In case of minor violations, penalties may amount to 10 million euros or 2% of your company’s annual global turnover, whichever is higher. Major violations may lead to administrative penalties of up to 20 million euros or 4% of your firm’s annual global turnover, whichever is higher. 

    If you wish to ensure your ecommerce company’s GDPR compliance and avoid tremendous penalties, contact RubyGarage to undertake a compliance audit.
