13. July 2018 Blog

GDPR Checklist For E-commerce Websites

GDPR and E-commerce: What to Be Aware Of?

All websites that collect data about their customers need to comply with the rules of GDPR. Protecting personal information about your clients is extremely important, but also challenging. It may require modifying many processes, which costs money and time. We have put together all the essential information you need to know about the data protection regulation.

What is GDPR? 

Almost every aspect of our lives revolves around data, in business as well as in private life. Companies gain millions of customers' personal information each day. GDPR - General Data Protection Regulation - is here to look after their privacy.

GDPR is a set of rules designed to identify proper usage of clients' data and ensure transparency. Businesses have to protect personal information and respect the privacy of all their customers within EU member states. Yet, in specific cases, GDPR can also regulate data usage of companies outside of the EU. We will come back to this point a bit later.

GDPR came into effect in 2018, replacing the older Data Protection Directive (DPD) from 1995. It is consistent in all European Union countries, which creates one standard for everyone. That way, execution becomes much easier.

Why Was GDPR Introduced? 

We don't live in a perfect world. Data breaches and even fraud happen. GDPR is designed to reflect just this. It helps to protect privacy in the internet era by implementing data protection policies.

There is also another reason - customer trust. The European Commission found out that before GDPR legislation, only 15 % of citizens felt in control of personal data they provided online. 

RSA Data Privacy & Security Report also proved that customer trust highly depends on data protection. They conducted surveys on around 7 500 respondents from France, Italy, Germany, UK and the US. For 80 % of consumers, the biggest concern was a violation of banking and financial data. Around 76 % of people were worried about their passwords and identity information. 

What is even more alarming, 80 % of respondents in the mentioned survey claim that instead of a hacker, they would blame the company for the data breach. These numbers may be a reason why 41 % of consumers provide false information while signing up for online services. 

Consequently, GDPR is here also to eliminate this massive amount of distrust in a sphere of data protection. Following the strict rules may radically help your business revenue, since 50 % of all respondents prefer to shop at websites which proved that they take the data handling seriously. 

It is therefore also important to choose safe platforms and software to lower the risk of a breach. CloudTalk, for example, is in compliance with ISO 27001 security certification. It means that we undergo third-party independent audits on a regular basis. Your clients' information is always safe with us, sealed in modern data centers with 24/7 monitoring.

To Whom Does GDPR Apply? 

Any information that can identify a living person falls under GDPR rules. It means that the regulation basically protects each and every one of us.

From a business point of view, data protection applies to any company according to specific criteria: 

  • It operates within the EU area
  • It has more than 250 employees
  • It has fewer than 250 employees, but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal information

As we mentioned, there are also companies from outside of the EU zone that fall under GDPR rules. Countries of their residence may have their own regulations, yet these businesses are required to follow GDPR under the following circumstances:

  • They supply goods or services to EU states
  • They process data about EU residents

This basically means that almost every major company in the world falls under the GDPR rules. According to a Propeller Insights survey, 53 % of business executives identified technology service as the sector most influenced by GDPR. Around 45 % of respondents named online retail, 44 % named software companies, 37 % voted for financial services and 34 % for SaaS services.

What Data is Covered By GDPR? 

As we mentioned previously, GDPR covers all data that can directly or indirectly reveal a person's identity. Based on this, there's a lot of sensitive private information you should protect, such as: 

  • Basic identity data: Name, home address, email address, ID number or other legal document information
  • Web data: Location, IP address or cookie data
  • Private information: Health records, racial or ethnic identification, religious beliefs, political opinions or sexual orientation
  • Photographs

When Are You Allowed to Process Data?

Under Article 6 of the GDPR, there are several scenarios when you can legally reveal a subject's personal information. These are:

  • Subject gave you clear consent to do so.
  • You have a legitimate interest in processing somebody's data.
  • Subject's data is a necessary part of executing or preparing a contract to which the subject is a party.
  • Data processing is a necessary part of performing tasks in the public interest or official function. 
  • Processing the subject's data is needed to save somebody's life.

What Are the Consequences of a GDPR Violation?

We'll be honest right away. You don't want to face the consequences of a GDPR violation. It may have a serious impact on your business, since the fines are pretty intense.

Depending on the kind of violation, you can pay:

  • 20 million euro or 4 % of your annual revenue - whichever is higher 
  • 10 million euro or 2 % of your annual revenue - once again, whichever is higher applies

The amount you have to pay depends on the severity of the data breach and your actions towards it. 

Higher fines apply if procedures for handling data weren't executed accordingly, or if a company made an unauthorized data transfer or ignored a request for customer data access.

In contrast, lower fines are issued if a company failed to report a data breach, failed to notify customers about the breach (see point 10 in the section below) or failed to administer the correct data protection protocols. 

How to Comply with GDPR?

Here is a checklist of important GDPR regulations that you need to keep an eye on. We will talk about each of them in detail.

  • Personal data collection
  • Right to access data and data portability
  • Right to erasure and right to be forgotten
  • Customer consent with data processing for marketing purposes
  • Processing requests
  • Personal data protection notification
  • Third-party services
  • Increased fines for non-compliance or breach of GDPR
  • Parental consent
  • Data breach notification
  • A person responsible for GDPR
  • GDPR might look scary, but there’s no need to worry.

#1 Personal Data Collection

GDPR is all about personal data protection, so it strictly regulates what data can be collected and processed, how, by whom and for what purposes. Take care in how you handle names, addresses, phone numbers, e-mails, social media accounts and IP addresses.

You must also bear in mind that if you are using third-party apps or platforms, they also have to comply with GDPR. Make sure to follow up with them and avoid potential misunderstandings and issues.

#2 Right To Access Data and Data Portability

GDPR gives individuals the right to access their personal data collected by your company. Therefore, you are required to provide clients with a copy of their personal information upon request in a format that is common, easily readable and portable, so that customers can use it with another provider.

Don’t forget that you might be using third-party apps or services to store data, so it is necessary to request the data from such third parties.

If you are using CloudTalk, all customer-related information is always at your disposal and easily accessible at any time.

#3 Right to Erasure and Right to Be Forgotten

Under GDPR, individuals have the right to erase their data. Customers can also erase the information once it is no longer necessary for any purposes.

Secondly, there is a right to be forgotten. Under this, clients can easily revoke or withdraw their expressly given consent to data processing.

Make sure that you provide clients with clear information on the possibility of data erasure and the right to be forgotten on your website.

CloudTalk can help you delete data that we store in the name of your company. All contacts can be easily discarded and call recordings are automatically anonymized or permanently deleted.

However, remember that if you are storing anonymized call recordings, for example for training purposes, some of them might still contain personal data which are subject to consent.

You must also require erasure from other third parties whose services you use, so that you can meet your client’s request in a transparent manner.

Naturally, the customers do not have a carte blanche right for their data to be deleted. Orders or call recordings which are an integral part of an order are considered to be business transactions, governed by other regulations.

In the end, definitely focus on clients who have created accounts on your website, but who have no transaction history.

#4 Customer Consent with Data Processing for Marketing Purposes

You are required to inform your clients that they have a choice in giving you their data for marketing purposes. This means that you cannot use pre-ticked boxes and clients can easily revoke their consent at any time.

The box used for giving consent by third parties is also important, as you have to clearly list all the parties by whom data can be accessed and for what purposes.

So, you need to give the client detailed information about the particular cases of data processing and they must take action to express consent. This duty will clearly influence marketing departments and selected strategies, mainly in terms of personalized ads.

Here are a few questions to think about:

  • Do you require the customer’s consent for processing of their personal data by you or by third parties?
  • Do you provide clients with sufficient information about how you use their data to make sure that the consent is informed?
  • Is the client's consent specific or do you use pre-ticked boxes?
  • Is the customer’s consent recorded and stored?

#5 Processing Requests

As GDPR empowers individuals to access and check their personal data, you will probably have to update disclosures on how you process customer data.

If you are a customer service provider, we recommend that you explore potential improvements that would ensure compliance with GDPR in this area.

CloudTalk is happy to help. Remember the previous statistic about customers shopping with brands that care about their privacy? Show your clients that you take the regulation seriously and that you respect them. They will appreciate your approach and will be much more likely to buy from you.

#6 Personal Data Protection Notification

GDPR includes specific information that you need to provide your clients with. This includes, in general, notifications and policies related to personal data protection. Does your Personal Data Protection Policy include all information required by the GDPR?

#7 Third-party Services

Anyone who uses a third-party service is obliged to ask for the client’s consent to storing and processing their personal data. Third-party services like Facebook and Google Adwords app or mail platforms, such as Mailchimp or Sendgrid, e-commerce platforms (e.g. Shopify, Magento, Shoptet), payment gateways and tools allow you to provide high-quality customer services. This also includes CloudTalk.

Of course, it is entirely up to you what apps or services you use in business. However, you should always make sure that these services comply with GDPR requirements.

If you use CloudTalk and have any questions, do not hesitate to get in touch. Our specialists will be happy to help you.

#8 Increased Fines for Non-compliance or Breach of GDPR

We already determined that mistakes in the field of GDPR are very costly, so you want to make sure that data is stored safely. GDPR has probably the largest influence on e-commerce operators who highly rely on third-party software. It is essential that data are encrypted and that clear rules are identified on who can access data and for what purposes. 

The situation is easier for e-shops that use cloud services. Cloud services operate on a large scale and any adjustments or changes are handled globally, automatically and at the same time for all users. CloudTalk is aware of the need to fully comply with the new regulations, as well as other cloud solutions on the market (Shopify, Intercom, Mailchimp, etc.).

Companies running on their own servers or using custom-made software will have to find experts that will perform an analysis and audit, test the solution and implement necessary changes. Yet it is probably clear that such solutions are rather costly.

#9 Parental Consent

GDPR includes specific requirements related to parental consent for processing personal data of users under the age of 16. In certain countries, this age limit might be even lower.

Ask yourself:

  • Are there any steps you need to take in this sphere?
  • Do you really need their data?
  • Do you have to change the way you get parental consent?

#10 Data Breach Notification

If you experience a leak of personal data, you are required to immediately communicate the breach to all affected data subjects and notify regulatory authorities.

You must send the notification within 72 hours after you become aware of the breach.

You should be ready for such circumstances and have a suitable back-up defined beforehand.

#11 A Person Responsible for GDPR

A Data Protection Officer (DPO) is a person who oversees how your company collects and processes personal data. The DPO's duties include assessment of GDPR’s impact on your business. The Data Protection Officer must also implement changes in order for your company to comply with GDPR.

Based on the size and focus of your business, you should carefully consider whether you need to appoint a DPO.

#12 GDPR Might Look Scary, But There’s No Need to Worry

It’s not in the EU’s interest to sink or ban e-shops. Regulatory authorities understand that storing certain data is essential for business transactions.

This is how you avoid fines and problems:

  • Conduct a complex analysis
  • Implement best practices
  • Collect only the data that you really need
  • AND MAINLY: Be transparent and take GDPR seriously

Check third-party services that you use. Make necessary changes in your e-shop. Then, you can even benefit from the rules imposed by GDPR.

Clients will become more and more aware of the data protection regulations and once again, their loyalty will also depend on the companies’ approach to GDPR. 

So don’t abandon the European market. Quite the opposite, keep selling your products, but do it in a transparent manner. Clients will appreciate it and stay loyal.


If you are interested in the topic of GDPR or you still have some unanswered questions, stay tuned and follow our blog.