
What GDPR Means for UK Ecommerce Businesses & How to Prepare for 2018


The General Data Protection Regulation, or GDPR, is coming into force in 2018. Ecommerce businesses and online stores will need to be prepared to adopt it before then.

In fact, any business that takes online payments or handles consumer data needs to be ready for GDPR adoption by the 25th of May 2018, when it officially comes into force.

The GDPR will be a huge change for ecommerce businesses because, by nature, any company taking orders online receives a vast amount of data on a large number of people. This means ecommerce businesses will need to be ready to implement some fairly big changes in order to comply.

What is GDPR?

The EU General Data Protection Regulation, or GDPR, is coming into action on 25 May 2018. GDPR will quickly become the new benchmark for business data handling and privacy law in the UK and across the EU.

The GDPR replaces the Data Protection Act that is currently in place, and has a much wider scope.

The aim of the GDPR is to extend the rights of individuals to their own data, and businesses handling such personal data must ensure it is secure. It gives individuals more control over their data, and outlines the regulations organisations must adhere to in order to protect it.

You can read more of the key themes over on our other blog post: GDPR 2018 Summary: What it Means for Online Businesses in the EU

How to Prepare Your Ecommerce Business for the GDPR

Review your existing processes

Any company that collects and uses customer data must be confident that any data providers it relies on are secure.

Outsourcing certain elements that handle customer data, such as payments, marketing, or IT, no longer absolves a company of responsibility for data security. Each piece of the supply chain that processes and stores customer data must be secure. This also includes third-party cloud services.

Companies will need to share information regarding internal processes to ensure everyone in the chain is compliant with the new GDPR legislation that is coming into force.

Allow access to data

Data subjects will need to be able to access their personal data quickly and simply. You may also have to explain what other organisations have handled the data, and why this was needed for the process.

Organisations will need to make sure they offer any data for download where possible, and without any unnecessary delays.

You will need to be able to provide full visibility across your business, as you will need to be able to detect problems in order to fix them.

Implement privacy-by-design

As an ecommerce store that takes payments online, you will be collecting sensitive information. This includes card details, email addresses, and physical addresses.

When taking a payment, there needs to be a clear statement about what happens to customer data. This includes where it is going, and who will be responsible for storing and processing it.

What organisations will need to do from 2018 is be very explicit about what will actually happen to this data, including where it goes, and who is actually responsible for what happens to it. This includes the storage and processing of data.

Transparency over data

All organisations in this chain will need to ensure they protect personal data, and the data subject will need to give explicit consent to hand over this data.

Data subjects can also withdraw data at any time, which means ecommerce stores should think about any auto-renewals or subscription payments, and how that will work going forwards.

Deactivate any default opt-ins

As stated before, customers will need to give explicit consent. This means any pre-checked consent boxes do not count as a valid indication of consent.

Keep consistent and detailed records

Ecommerce stores will need to keep detailed records of as many consents as possible.

This includes what was consented to, and the method the data subject used to give consent.

Data Breach Notifications

When a data breach occurs, organisations should inform any data subjects involved within a 72-hour window.

This should include an explanation of any delays that may occur.

Breaches which are deemed a high risk to the rights and freedoms of the individuals affected will be subject to this rule.

Your ecommerce business will need to ensure it has procedures in place for this, and has tested them with mock breaches in preparation.

What happens if I don’t comply?

If you are found to be in breach of the new GDPR guidelines, you may be fined up to 4% of your turnover, or 20 million euros, whichever is bigger.

Of course, this is enough to shut down companies, and so it’s essential you are ready for 25 May 2018 when it comes into action.

If a data breach does occur, you must be prepared to report it within the 72-hour window, and be able to demonstrate your security and data privacy procedures very quickly.

On top of this, data subjects will have the right to bring individual lawsuits and claim compensation where a data breach occurs.


The GDPR may involve a lot of work for organisations, and may be a time-consuming affair. However, this will need to be done if you are based in the EU, or trade with companies in the EU. The fact that the UK is planning to exit the EU is also of little consequence, as the UK Government has stated that it will go ahead with the GDPR.

But at the end of the day, the GDPR exists in order to make ecommerce better. It creates better security across the EU, and gives more respect to EU citizens and their data.

This is a good guide on how ecommerce businesses need to collect, manage and store data, and how they will respond to any incidents. This should give customers more potential faith in buying online, and create a better online shopping experience for everyone.