GDPR and E-commerce: A Complete Guide

GDPR and e-commerce must go hand in hand as the regulation is created to protect data. And as digital commerce you company process a lot of data regularly. This is why, you need to make sure that your company comply with GDPR especially when you work with European customers.

GDPR and e-commerce

How to Comply with GDPR and E-commerce Best Practice

Since you are working digitally using cloud environment your company may function as data process, or data controller and even both. GDPR has specific regulation that need to be fulfilled by each entity which is why you need to use GDPR and e-commerce best practice to help you comply with the regulation.

Data security

There are a few things that your company must provide as a proof that the personal data that processed by the company are safe. Here the things that the company must provide:

  • As required by GDPR and e-commerce must create a document that listed all types of data that stored in the system. You should also state where is the source that you use to take the data from. 
  • You should also document the parties who you disclose the data to. It is also important to have policy that show the duration and term that show how long you will use on the data for as well as the reason.
  • Even though the data is stored digitally, you should also document where is the location used to store the data. To be clear you need to disclose the geographical locations of the servers that you use including if you use third party’s service for the servers. Then you need to record the way the data transferred flow done between the servers. 
  • Since you are working with personal data then you must have document that show the company’s privacy policy. The document should outline all of the process that is done to the data. Remember that the document should be public and easily accessible by everyone.
  • Next thing that you need to disclose is the “terms and conditions” used by your company. Remember that it should include lawful basis that the company use to process the data.

Management and accountability

The company must clearly stated things that you do to make sure that the management process done by your company comply with GDPR and e-commerce regulation:

  • If your company do large scale and regular data monitoring then you need to hire a DPO. This is a must for company that process sensitive data in extensive quantity. You also need to have a DPG if the company is public. 

    But even if your company does not oblige to have a DPO it is still a good practice to do. Since DPO can help to monitor the safety of the data flows that is done by your company.
  • GDPR is very important regulation that affect company in various scales in all industry. Thus, it is important that the decision maker of the company is aware of this obligation. You can help to verify this by giving some data protection training to the management team.
  • It is important to make sure that the security technologies used by your company are the most up-to-date one available. The technologies should also fulfill the industry standard. Some security technologies that you may use are encryption algorithm, antivirus software, firewall software and many other. 
  • Besides the top management, all of the company’s staff actually should also be aware on the protection measures that you do to secure the data. Thus, you need to set up a guide that can be used by the company’s staff to secure the data.
  • If your company use third party as sub-processor that will process any of the data collected by your company, then you need to document all of those sub-processors. You should also mention them inside the company’s “term and conditions”. 
  • If your company use third party with anything that involving the personal data such as processing, storing and collecting then you must have written contract with them that can be used as proof.
  • For company with headquarters outside Europe, then you need to have representative in Europe. This is a must requirement for company who process, collect and stored personal data of European residents. 
  • In case when breaches happened and it involved any of the personal data then you must inform the authorized supervisor as soon as it happens within 72hours timeline. 


The basic requirement needed so you are allowed to process data according GDPR and e-commerce rule to is consent. And of course, you need to acquire the consent in legitimate way. Here are the methods that you can use:

  • The consent must be given freely by the customers and it should be done before you gather any information from them. So, you need to have information which explained the specific detail as required by GDPR. You can put the information in the company’s privacy policy. Furthermore, you also need to give option so the customer can agree with the company’s term and condition.
  • You need to use easy to understand language on the company’s privacy policy with simple term to avoid ambiguous message. This is also very vital especially if the data you collect are from children. 
  • You should provide easy way that can be used by customer to withdraw the consent that they give before. 
  • If the data you collect are from children then you must first do age verification and then obtain consent from their legal guardian before doing any of the data processing. 
  • Privacy policy must be update periodically to reflect the latest company’s policy. When update happen you also oblige to inform any of the existing customer that you already have.

Periodic Updates

Policies changes often thus, you must do periodic update to make sure that the policies remain relevant. This is also important to help keeping the data safe according GDPR and e-commerce rule. 

This is important so you can also keep up with the changes on the regulation. Especially since regulation keep changing to reflect the latest development in technologies and laws. Then you can add policies that help the company to comply with the new regulation too.

Adding policies for unusual situation

There are times when you might need to deal with unusual situation. Even when it happens then you also need to still comply with GDPR rule. Here are the things that you can do to keep your compliance:

  • You need to do impact assessment for sensitive data process that are considered high risk. This is important so you can determine the risk that might happened and apply method that can be used to minimize it.
  • If the data of EU resident are transferred to anywhere outside EU countries then it can only be done with proper data protection level. So, you need to make sure that the country where you transfer the data have sufficient data protection level that comply with GDPR.

User Rights

As company you need to grant and respect the user’s right as stated in GDPR and e-commerce rules. Here are the requirements that you need to fulfil:

  • You need to give information and able to communicate with users using straightforward and clear manner. This means you need to make sure that the privacy policy and the way you communicate with your costumers are easy to understand and accessible for all users.
  • Users have rights to obtain specific information about your company as well as the data processing that you do when you collect data from them. They are also allowed to request that information and you have to give them the information.
  • If users ask you to correct their data especially when the information is incomplete or inaccurate then you need to correct it immediately. Sometimes, you also need to provide supplementary statement before updating the information. 
  • You also need to delete their data when the user requests it. This request can be done by direct request or when they withdraw their consent to process the data. You should also delete the data if it is no longer needed for your business or when you do not have any lawful basis that can be used to justify the data processing.
  • Besides deleting their data, the users can also request you to restrict the process done on their data. 
  • You need to notify the users if any correction were made and when disposing, or restricting the process of their data.
  • You need to allow users to forward or obtain their data.
  • You need to give users their rights to object
  • You need to respect the user’s right to not be affected by automatic processing and decision making.


As you can see there are quite a lot of things that you need to do to comply with GDPR and e-commerce best practice is the way to go. So, it is better to apply those things right away to be able to comply with the rule.

Description: Learn how to ensure compliance with GDPR regulations when running an e-commerce business. This guide covers topics such as data protection, security, and vendor management.

%d bloggers like this: