GDPR for eCommerce

What do I need to do for GDPR on my ecommerce site?

As a business owner you are a data controller. Your web developer, hosting provider and SaaS marketing tools (Mailchimp, Salesforce etc.) are data processors. The data controller is ultimately responsible for the protection of the personal data they store. However, if it is found that your data processor has been negligent then they may also be responsible.


opencart gdpr addon  woocommerce gdpr addon

Purchase these plugins on our site or . These are designed to handle all GDPR requests automatically.

No addon or plugin makes you GDPR compliant. Addons claiming to make your site 100% compliant are incorrect. GDPR covers your whole organisation and this will include your website.

All your data processors and sub processors must be GDPR compliant.

GDPR covers all and only personal data held in your organisation and with your 3rd party data processors.  

GDPR does not trump other laws. E.g. if you have to keep personal data to justify VAT charges then it needs to be kept for tax compliance. The rule in GB and Ireland is 7 years. Other countries may vary.

So what do I have to do?

Appoint a staff member to look after Data Protection.  Get data protection training and a certification. Typically this is someone at Board Level as they will require indemnity insurance to cover the liability of this role. If you are a non-board member being asked to take up this role, make sure you are provided with personal indemnity insurance.  There are instances where Data Controllers can be held personally responsible for data breaches.

1. Update your privacy policy

  1. Include a GDPR compliance line
  2. Specify what information you collect and store from website visitors (e.g. IP addresses, device information, access information, cookies, visit duration and tracking, mouse and swipe actions, email, phone, name, address and billing addresses).
  3. Specify how and where you process the personal information (accounting, marketing, UX research, sales reporting etc.).
  4. Specify who has access to this personal data (e.g. you, Mailchimp, Google, Salesforce etc.).
  5. Specify the contact details of the assigned Data Protection Officer in your organisation
  6. Specify how to lodge a data subject access request.
  7. Specify how long you hold personal information.
  8. Note : Using phrases like “we may use your information” is not compliant, because it is not explicit. Permission must be explicit and recorded.

2. Remove all automatic opt-ins on your site. 

All check boxes must be empty in online forms. An empty box cannot imply acceptance. Agreeing to anything via a checkbox has to be explicit and recorded. We would recommend that when a customer agrees to the terms and conditions on a website, a copy of the terms they agreed to is stored with the customer's data. This way you have an explicit record of what the customer agreed to. Our ecommerce GDPR addons cover this.
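One way to check both points, as an added example that is not code from this page or from the addons it mentions: the first function finds checkboxes that are sent to the browser already ticked, the second builds the consent record that keeps a copy of the terms. The function names, field names and sample form are constructed for illustration.

```javascript
// Added example: function names, field names and the sample form are constructed.
const SAMPLE_FORM = `
<form method="post" action="/checkout">
  <input type="checkbox" name="agree_terms">
  <input type="checkbox" name="newsletter" checked>
  <input type="text" name="note" value="not checked">
</form>`;

// Return every checkbox <input> that is delivered to the browser pre-ticked.
function findPreTickedCheckboxes(html) {
  const inputs = html.match(/<input\b[^>]*>/gi) || [];
  return inputs.filter((tag) => {
    if (!/\btype\s*=\s*["']?checkbox\b/i.test(tag)) return false;
    // Blank out quoted values so text such as value="not checked" is ignored.
    const bare = tag.replace(/"[^"]*"|'[^']*'/g, '""');
    return /\schecked\b/i.test(bare);
  });
}

// Build the record stored with the customer's data. A checkbox without a
// value attribute submits "on" when ticked and nothing at all when empty,
// so anything else is treated as no consent.
function recordConsent({ customerId, submittedValue, termsText, termsVersion, now }) {
  if (submittedValue !== 'on') {
    throw new Error('No explicit consent: the terms checkbox was not ticked');
  }
  return Object.freeze({
    customerId,
    consentedAt: now.toISOString(),
    termsVersion,
    termsCopy: termsText, // the exact text shown at the time, not a link to it
  });
}
```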

3. Collect only information you require to run your business. 

“If you do not have the information you do not need to protect it”

Delete personal information you have on servers, excel sheets etc. that you no longer use.  This includes emails with attachments of files of personal information.

Only keep one version of personal information.  You may keep copies only for backup and restore purposes. Up to 4 backups is acceptable. If you keep  more it needs to be justified. The location of the backups needs to be recorded in your data audit.

Collecting extra information in case you may use it in the future is unlawful. Information you have about individuals that you have no use for must be deleted.

The personal information you collect must have a legitimate use.

4. All data breaches need to be recorded and actioned with a preventative measure within 72 hours. 

Examples of data breaches.

  1. Personal information being passed or coming into the possession of an unauthorised data processor or subprocessor.
  2. Passing of personal data into a non-GDPR-compliant country.
  3. Passing of personal data to a third party without the knowledge of the data subject.
  4. Personal information leaked as a result of a hack on a website.

5. Have a data breach process and plan in place.

“A data breach handled incorrectly can do untold damage to your brand.”

Have an action plan in place and run worst case scenarios to test your plan.

6. Have a process in place for when someone is looking for a copy of their data (Subject Data Access Requests).

“I have a request from an individual for all the personal data I hold on them to be disclosed to them, what do I do?”

  1. Verify their identity
  2. Make sure you have the data before processing the request. If you do not have the data, respond and say “I don't have the data”.
  3. Do not create more personal data while performing the request
  4. Process the request
  5. Record it in your data audit log
  6. Do not reveal other people's personal data, i.e. in ecommerce, shipping names where the name is not the name of the requester.
  7. Do it within 20 days.

There is a GDPR Compliance addon for OpenCart that automates this process. It can be purchased here.

7. Right to be forgotten requests: how to handle these

“Mr J Blog has asked to be forgotten in my organisation, what do I do ?”

  1. Verify their identity
  2. Make sure you have the data before processing the request. If you do not have the data, respond and say “I don't have the data”.
  3. Do not create more personal data while performing the request
  4. Remove and/or redact the personal information stored. Remove it from all systems and marketing suites.
  5. Record it in your data audit log
  6. Do it within 20 days.

Note: you may need to keep the personal information for other legitimate purposes such as accounts, keeping records of who purchased prescribed products etc. Hence a deletion request does not necessarily mean an instant deletion.

8. Withdrawal of permission to process personal data after an ecommerce transaction

“Mr J Blog has asked that his data is not processed after his products are shipped, what do I do?”

  1. Verify their identity
  2. Make sure you have the data before processing the request. If you do not have the data, respond and say “I don't have the data”.
  3. Flag the data in your databases as not to be used in marketing reports or data mining.
  4. Notify the Subject that you have received their request and flagged their data to be excluded from further data processing.
  5. Record it in your data audit log

9. Request for personal data in a portable transferable format.

“Mr J Blog has asked for a copy of his personal data as he needs it for some other service.”

  1. Verify their identity
  2. Make sure you have the data before processing the request. If you do not have the data, respond and say “I don't have the data”.
  3. Send the personal data in a readable CSV format
  4. Record it in your data audit log
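The export steps from points 6 and 9, as an added example that is not code from this page or its addons: it builds the CSV for one data subject, redacts shipping names that are not the requester's, and writes an audit entry that creates no new personal data. It assumes the requester's identity has already been verified; the field names and sample orders are constructed.

```javascript
// Added example: field names and sample orders are constructed.
const SUBJECT = { customerId: 42, name: 'J Blog', email: 'j.blog@example.com' };
const SAMPLE_ORDERS = [
  { id: 101, email: 'j.blog@example.com', billingName: 'J Blog',
    shippingName: 'J Blog', note: 'Leave with "neighbour"' },
  { id: 102, email: 'j.blog@example.com', billingName: 'J Blog',
    shippingName: 'A. Other', note: '' }, // shipped to somebody else
  { id: 103, email: 'someone.else@example.com', billingName: 'S Else',
    shippingName: 'S Else', note: '' },   // another customer entirely
];

// Quote one CSV cell. A leading = + - @ is prefixed with ' so a spreadsheet
// shows customer-entered text instead of evaluating it as a formula.
function csvField(value) {
  let s = String(value);
  if (/^[=+\-@]/.test(s)) s = "'" + s;
  return '"' + s.replace(/"/g, '""') + '"';
}

// Returns the CSV for the subject, or null when no data is held.
function exportSubjectData(orders, subject, auditLog, now) {
  const own = orders.filter((o) => o.email === subject.email);
  if (own.length === 0) return null; // reply that you do not have the data
  const rows = own.map((o) => [
    o.id, o.email, o.billingName,
    // A shipping name that is not the requester's belongs to a third party.
    o.shippingName === subject.name ? o.shippingName : '[REDACTED: third party]',
    o.note,
  ]);
  // The audit entry points at the existing customer id and copies no
  // personal data, so handling the request creates none.
  auditLog.push({ type: 'data-export', subjectRef: subject.customerId,
                  orders: rows.length, at: now.toISOString() });
  const header = ['order_id', 'email', 'billing_name', 'shipping_name', 'note'];
  return [header, ...rows].map((r) => r.map(csvField).join(',')).join('\r\n');
}
```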


10. Update your contracts, NDAs and Privacy policies on your website.

All staff need to have signed NDAs and data protection awareness training. A good rule of thumb is to include all staff even if they do not have direct access to personal information in the normal course of their duties.

All customer contracts have to be updated with a GDPR clause.

11. Have a Data Breach Plan.

When a data breach occurs you must, within 72 hours:

  1. Investigate the breach and locate its source
  2. Put in place actions to prevent it from happening again
  3. Report the scope of the breach to all affected data subjects
  4. Notify the Data Commissioner of the breach including
    1. The scope of the breach
    2. Number of affected subjects
    3. The source of the breach
    4. The measures taken to prevent and stop the breach from happening again

Depending on the scale and type of breach, the Data Commissioner's office may stop you from processing data until they investigate the breach further.

This could prevent you from processing payments, issuing invoices and sales. Even if no fine is imposed, the disruption to your business.

This all seems like a lot of extra work for a business owner?

It is a good opportunity to do a data cleanup and make sure all your subcontractors are bona fide, and that you have valid contracts with your customers.

This only applies to big business, they will never check a small business?

Wrong!! The Data Protection Commissioner’s office may not audit you right now, but they can at any time in the future. If and when you have a data breach you must report this to the Data Commissioner’s office. Failure to do so is unlawful. You may get sued for not protecting personal data correctly. If your processes are found to be defective then you are liable for large fines as well as the loss of reputation and loss of business. (Google “loyalty build” and see the effect of a data breach years after the event.)

GDPR and Cookies: what do I need?

You have to give the option to all visitors to accept or reject non-essential cookies when entering your website. Essential cookies are required to shop online so as to preserve the shopping basket between pages.

Non-essential cookies are used for recording user activity and/or passing this on to a third party. This means that if I reject the cookie then the cookie code should not activate on the site. It is illegal to simply show a button that the user clicks and then continue recording the cookie anyway. If the customer opts out, then when you view the page source there should be no tracking scripts visible.
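The page-source check described above can be automated. This is an added example, not the cookie controller this page refers to: one function emits non-essential scripts only after an explicit opt-in, the other lists any tracking script still present in a page's source. The tracker host names, paths and sample page are constructed.

```javascript
// Added example: tracker hosts, paths and the sample page are constructed.
const TRACKER_HOSTS = ['analytics.example', 'ads.example'];

// A page that shows a cookie banner but loads its trackers regardless.
const BANNER_ONLY_PAGE = `
<div id="cookie-banner"><button>OK</button></div>
<script src="/js/basket.js"></script>
<script async src="https://analytics.example/t.js"></script>
<script>new Image().src = "https://ads.example/pixel?id=1";</script>`;

// Emit script tags server-side. Anything other than an explicit "accepted"
// (including no choice made yet) gets the essential scripts only.
function scriptTagsFor(consent) {
  const tags = ['<script src="/js/basket.js"></script>']; // keeps the basket
  if (consent === 'accepted') {
    tags.push('<script src="https://analytics.example/t.js"></script>');
  }
  return tags.join('\n');
}

// List every script in the page source that loads from, or mentions,
// a tracker host. An empty list is the result an opted-out visitor should get.
function findTrackingScripts(html, hosts = TRACKER_HOSTS) {
  const found = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(re)) {
    const src = (attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1];
    if (src) {
      let host = '';
      try {
        host = new URL(src, 'https://shop.example/').hostname;
      } catch { /* unparsable src: treated as not a tracker */ }
      if (hosts.includes(host)) found.push(src);
    } else {
      const hit = hosts.find((h) => body.includes(h));
      if (hit) found.push('inline script referencing ' + hit);
    }
  }
  return found;
}
```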

We use this free cookie controller on our website. This is one of the few GDPR compliant cookie controllers that are free. We include this in our opencart cookie controller that is in our GDPR Toolkit.

What you can no longer do.

1. You cannot send unsolicited emails to anyone. No more purchased lists or merging lists from different companies into other lists.

2. You cannot auto-email from abandoned shopping carts offering discounts unless the shopper has opted in for email at the top of the checkout. See our blog “Has GDPR Killed Abandoned Cart Marketing?”

3. You cannot refuse to give customers their personal details on request.

4. You cannot send unsolicited text messages via mobile phone numbers.

5. You cannot collect information in cookies without permission from the web visitor.


In summary

This is a brief outline of GDPR from an ecommerce point of view. It is advisable to have 1 person in your organization who is Data Protection Certified.

Do a data audit. Record the location of all personal data stored in your company. Keep an updated list/record for inspection and audit. This will become the source of data requests in the future.

Make a data breach plan.

Do a data risk assessment.

Run a Data breach dry run.

Update your policies and contracts to include GDPR compliance.

Have a system in place for processing individuals' requests for information from your organisation.


Opensource Ecommerce GDPR Addons.


opencart gdpr addon  woocommerce gdpr addon


( These plugins are sold via and on our site, and we do not sell on other marketplaces. )

For advice on ecommerce GDPR please contact us on +35315242100 or [email protected]

Finally, a word from the Irish Data Protection Commissioner, who has Facebook, Google etc. within her remit. This outlines their priorities in enforcement in Ireland.



By | 2019-01-16T10:19:12+00:00 August 31st, 2017|e commerce|