Jamie Lords

What GDPR means for eCommerce

Why should you care about GDPR?

Everywhere you look in eCommerce you will see someone discussing EU GDPR or the European Union General Data Protection Regulation. There is a variety of information from technical articles to speculation on social media. We all want to know how it will affect us. What changes, if any, will I need to make? What does it really mean?

In this article, we will take a quick look at EU GDPR. What it is, how can we prepare, and how it might impact an online business.

Who does GDPR impact?

The EU GDPR not only applies to organizations in Europe but any organization that will process and hold personal data for individuals in the European Union as well as EU citizens living abroad. In other words, if you plan to have customers from Europe, you will need to pay attention.

What happens if you do not comply?

The GDPR will be enforced beginning May 25, 2018. Non-compliance penalties are significant.

  • Fines can be assessed up to 4% of annual global revenue or 20 Million Euro, whichever is greater.
  • Individuals will have a right to seek compensation for damages, including: loss of control over personal data or limitation of rights, discrimination, financial loss, damage to reputation, or loss of confidentiality of personal data protected by professional secrecy.
  • Individuals can choose to seek action against either the data controller or the processor, or both, and possibly anyone in the supply chain.

What are your options?

If you own or operate an eCommerce business, your options are insufficient. There are really only two options.

  1. Embrace it! (Good Idea!) A friend once told me “if you don’t know what direction you are going, you are already lost.” I think this is especially true with EU GDPR. There is a great deal to learn and still more that needs to be clarified. But achieving EU GDPR readiness begins with a decision to comply. Assess your situation and identify areas where you are not compliant. You can then establish a strategy for minimizing your liability.

  2. Don’t sell to Europe or their citizens (Bad Idea!) If you don’t wish to comply with the EU GDPR, we highly recommend that you don’t plan to do business with anyone from Europe. Please remember, those European individuals can live abroad. Limiting your eCommerce business to U.S. borders does not ensure your compliance. The risk of non-compliance is significant, and can be described as “by pain of Penalty.” Non-compliance is an option, but it is not recommended.

5 Key areas of the regulation:

EU GDPR readiness involves becoming familiar with five key areas of the regulation - consent, individual rights, policies, and accountability.

1. Legitimate Interest

Article 6 of the GDPR regulation states that a data collector may only process data lawfully if, among other things, it has legitimate interest or consent. Determining if you have a legitimate interest requires “careful assessment” of the expectations and context of the data you are collecting.

It is tempting to use a broad interpretation of legitimate interest to overcome the need for consent. We discourage using an open-ended view of legitimate interest as a way to justify collecting data. GDPR provides some examples such as processing personal data to prevent fraud, internal administrative purposes relating to employees and clients, ensuring network security, and to report possible criminal act or threats to public security.

There is still a gray area around legitimate interest and the definition will become more evident over time. The short-term recommendation is to get in the habit of asking, “can the same objective be achieved without processing personal data?” If the answer is yes, then the best practice is to move away from legitimate interest as the basis for processing data; you should obtain consent.

There is no longer any passive consent. You need to state what you are going to use the data for. Here are two examples of how to request consent.

Used for order processing only
Used for order processing and marketing

3. Individual Rights

Under GDPR the individual has the right to be forgotten. For example, if they consented to the use of the data for marketing purposes, they have the right to ask you to “forget them”. New rights have been introduced around subject access, objecting to processing, data portability, and objecting to profiling, amongst others.

4. Policies

Article 13 of the regulation gives 12 key areas that you need to inform your consumer of in clear language, not legalize. Develop a standard privacy policy that informs your customers how you manage their data.

It is required to have a designated contact person as well as contact information for your organization in the privacy policy.

5. Accountability

Educate your employees and provide the tools to help drive accountability throughout your company, not only for this regulation, but for all personal data you receive. Data protection is the responsibility of the entire organization. Anyone that comes in contact with data needs to be aware of the implications and non-compliance penalties.


Zonos, the leader in cross-border eCommerce technology, will continue to lead out and guide merchants through the challenge of selling their products to the world. We will continue to provide FAQs and document examples displaying internal privacy policies and processes that you can adopt. We will share internal training documents for you to use with your team. Zonos takes data privacy seriously and is committed to EU GDPR readiness. More details will be coming on a regular basis.