13. July 2018 Blog

What does GDPR mean for e-commerce businesses?

GDPR and e-commerce: What to be aware of?

In the previous blog post, we looked at what efforts CloudTalk has made to become GDPR compliant. As a business enabling thousands of calls per month, we take personal data protection very seriously and do our best to help you comply with GDPR when using our solution. If you are an e-commerce operator, it’s important that you cover several areas to make your business ready for the new rules.

What to do to comply with GDPR?

  1. Personal data collection
  2. Right to access data and data portability
  3. Right to erasure and right to be forgotten
  4. Customer consent with data processing for marketing purposes
  5. Processing requests
  6. Personal data protection notification
  7. Third-party services
  8. Increased fines for non-compliance or breach of GDPR
  9. Parental consent
  10. Data breach notification
  11. A person responsible for GDPR
  12. GDPR might look scary, but there’s no need to worry.


1. Personal data collection

The General Data Protection Regulation (GDPR) is all about personal data protection, so it strictly regulates what data can be collected and processed, how, by whom and for what purposes. Examples of personal data include name, address, phone number, e-mail, social media account and IP address.
GDPR protects fundamental rights of individuals within the EU in relation to the processing of their personal data.

You must bear in mind that if you are using third-party apps or platforms, they must also comply with GDPR. Make sure to follow up with them and avoid potential misunderstandings and issues. 

We recommend that you collect only the data you really need and only when the collection can be justified.

2. Right to access data and data portability

The new regulation gives individuals the right to access their personal data being collected by your company. Therefore, you are required to be able to provide clients with a copy of their personal data upon request in a format that is common, easily readable and portable so that they can use their data with another provider. 

Don’t forget that you might be using third-party apps or services to store data, so it is necessary to request the data from such third parties.

If you are using CloudTalk, all customer-related information is always at your disposal and easily accessible at any time. 

3. Right to erasure and right to be forgotten

Under GDPR, individuals have the right to erasure of their data from your database and the right to be forgotten.

Are you ready to remove customer data or restrict its processing in response to such a request?

Customers have the right to erasure once it is no longer necessary to process the data for the purposes for which they were originally collected.

Another new element is the right to be forgotten. Under this right, clients can easily revoke, or withdraw, their expressly given consent to data processing.
Make sure that you provide clients with clear information on the possibility of data erasure and the right to be forgotten on your website.

CloudTalk can help you delete data that we store on behalf of your company. All contacts can be easily deleted, and call recordings are automatically anonymized and can be permanently deleted if needed. However, bear in mind that if you are storing anonymized call recordings, for example for training purposes, some of them might still contain personal data which are subject to consent.

You must also require this capability from the other third parties whose services you use, so that you can meet your client’s request in a transparent manner.

Naturally, the customer does not enjoy a carte blanche right for their data to be deleted. Orders or call recordings which are an integral part of an order are considered to be business transactions governed by other regulations.
Definitely focus on clients who have created accounts on your website but who have no transaction history.

4. Customer consent with data processing for marketing purposes

According to the new regulation, you are required to inform your clients that they can decide whether to give you their data for marketing purposes.
This means that you can no longer use pre-ticked boxes and clients can easily revoke their consent at any time.
The box used for giving consent to the use of data by third parties is also important, as you have to clearly list all the parties by whom data can be accessed and for what purposes.
So the client needs to be given detailed information about the particular cases of data processing and use and they must take action to express consent. 
This duty will clearly influence marketing departments and selected strategies mainly in terms of personalized ads.

Here are a few questions to think about:

  • Do you require the customer’s consent for the processing of their personal data by you or by third parties?
  • Do you provide clients with sufficient information about how you use their data to make sure that the consent is informed?
  • Is the client’s consent specific or do you use pre-ticked boxes?
  • Is the customer’s consent recorded and stored somewhere?

5. Processing requests

As GDPR empowers individuals to access and check their personal data, you will probably have to update disclosures on how you process customer data.
If you are a customer service provider, we recommend that you explore potential improvements that would ensure compliance with GDPR in this area. CloudTalk will be happy to help. Show your clients that you take the regulation which protects their fundamental rights seriously and that you respect them. Clients will appreciate your approach and will be much more likely to buy from you.

If you want to benefit from GDPR, make sure you implement all requirements imposed by the regulation. Clients always like transparency and will opt for companies which follow the new standards.

6. Personal data protection notification

GDPR includes specific information that you need to provide to your clients. This includes, in general, notifications and policies related to personal data protection. Does your Personal Data Protection Policy include all information required by the GDPR?

7. Third-party services

Anyone who uses any third-party service is obliged to ask for the client’s express consent to the storing and processing of their personal data. Third-party services include Facebook, the Google Adwords app, mail services (Mailchimp, Sendgrid, etc.), e-commerce platforms (e.g. Shopify, Magento, Shoptet), payment gateways and tools for running high-quality customer service, a category that includes CloudTalk.
We have covered all the things that CloudTalk does to be GDPR compliant in the previous blog post entitled CloudTalk and GDPR, how to prepare? Of course, it is entirely up to you what apps or services you use in your business. However, you should make sure that these services comply with GDPR requirements so that your needs are covered. 

Don’t be scared to use third-party services; solid businesses are ready for GDPR.

If you use CloudTalk and have any questions, do not hesitate to get in touch. Our specialists will be happy to talk to you.

8. Increased fines for non-compliance or breach of GDPR

Hefty non-compliance fines could be up to 20 million euros or four percent of your annual revenue. This makes mistakes very costly, so you want to make sure that data are stored safely. GDPR has probably the largest influence on e-commerce operators who largely rely on third-party software. It is essential that data are encrypted and that clear rules are identified on who can access data and for what purposes. 

The situation is easier for e-shops that use cloud services. Cloud services operate on a large scale and any adjustments or changes are handled globally, automatically and at the same time for all users. CloudTalk is aware of the need to fully comply with the new regulation and there are also other cloud solutions on the market (Shopify, Intercom, Mailchimp).

Companies running on their own servers or using custom-made software will have to find experts that will perform an analysis and audit, test the solution, suggest and/or implement necessary changes. It is clear that such solutions are rather costly.

9. Parental consent

GDPR includes specific requirements related to parental consent for processing personal data of users under the age of 16 (in certain countries, this age limit might be even lower).
Are there any steps you need to take to stop processing the data of those users or, if you do need their data, do you have to change the way you get parental consent?

10. Data breach notification

If you experience a leak of personal data, you are required to immediately communicate the breach to all affected data subjects and notify regulatory authorities.
You are required to send the notification within 72 hours after you become aware of the breach.
You should be ready for such circumstances and have a suitable back-up defined and in place before anything happens.

11. A person responsible for GDPR

A Data Protection Officer (DPO) is a person overseeing how your company collects and processes personal data. His duties include assessing GDPR’s impact on your business and the changes that need to be implemented to make your company comply with GDPR.
You should carefully consider, based on the size and focus of your business, whether you need to appoint a DPO.

12. GDPR might look scary, but there’s no need to worry.

It’s not in the EU’s interest to sink or ban e-shops. Regulatory authorities understand that storing certain data is essential for business transactions.

This is how you avoid fines and problems:

  • Conduct a comprehensive analysis
  • Implement best practices
  • Collect only the data that you really need
  • AND MAINLY: Be transparent and take GDPR seriously

If you check third-party services that you use, make a few necessary changes in your e-shop and if you are honest, you can even benefit from the new rules imposed by GDPR.
Clients will become more and more aware of the new regulation and their loyalty to brands will also depend on the companies’ approach to GDPR. So don’t abandon the European market, quite the opposite, keep selling your products, but do it in a transparent manner. Clients will appreciate it and stay loyal.

Use GDPR to your advantage, perceive it as a challenge and a tool to create positive brand awareness

If you are interested in the topic of GDPR or if you still have some unanswered questions, stay tuned and follow our blog. 

More articles from the GDPR series:

  1. GDPR: What you should know about the new Data Protection Act 
  2. CloudTalk and GDPR, how to prepare?
  3. GDPR and e-commerce (you’ve just read it)