March 7, 2021

A Quick GDPR Checklist for Small Ecommerce Businesses

Dr Peter Mowforth

The General Data Protection Regulation (GDPR) comes into effect on 25th May 2018 and will impact every ecommerce business in terms of how you capture, store and use customer data. GDPR compliance is not a ‘nice to have’, it’s a ‘must have’. Although the new rules may feel restrictive for ecommerce traders, the key message is transparency, consent and relevance for those you engage with online. While this post doesn’t cover everything, it at least provides a short summary of the key items you need to check for with your business.

  • You should assign a single person in your team to be the Data Protection Officer (DPO) for your business. The DPO should create a document to record all the checks they have done.
  • The DPO should create a project timeline and ensure that everyone involved in the business understands what they need to do to ensure compliance.
  • Ensure (by asking them) that your Email Service Provider is GDPR ready. If you are using third party systems for bulk email newsletter delivery, ensure that they too are compliant.
  • Review your current ecommerce platform to ensure compliance. Key to this is using secure and encrypted channels for anything that might involve customer data.
  • Carry out a gap analysis at each and every point where data is collected and stored to ensure that every system is doing what it is supposed to do.
  • The DPO should evaluate everything to do with your customer data (collection, processing and storage) to ensure compliance.
  • The DPO needs to be familiar with the rights of all individuals under GDPR and ensure that all staff are briefed on these rights in terms of the:
      • Right to be informed
      • Right of access
      • Right to rectification
      • Right to erasure
      • Right to restrict processing
      • Right to data portability
      • Right to object
      • Rights in relation to automated decision making and profiling
  • Ensure compliance with the GDPR’s new consent criteria, which stipulate that you:
      • Get explicit consent from all individuals that you deal with
      • Eliminate blanket consent, consent by default, and consent as a condition of sale, service or general terms and conditions
      • Enable individuals to easily withdraw consent
  • Undertake a repermissioning campaign to message individuals in order to confirm consent for data processing and marketing content. Consider the following:
      • Using segments to divide up your repermissioning sends
      • Starting to repermission users by sending to small ‘chunks’ of your database at a time
      • Using A/B testing and iterating your approach as you go
      • Looking to increase and enhance your segmentation during repermissioning campaigns
  • Reassess your terms and conditions on your website and contracts.
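The consent criteria and individual rights listed above translate fairly directly into data-handling code. The following is an added example (not code from the original post or from any product it mentions) of a small in-memory consent ledger: a new customer starts with no consent at all, consent can only be recorded as an explicit affirmative action that is not bundled into terms of sale, withdrawal is a single call, every processor checks `may_process` before using the data, and the access, portability, rectification and erasure rights each map to one method. The purposes, customer names and `source` strings are constructed for illustration; a real shop would enumerate its own processing purposes and persist the records and audit trail durably.

```python
# Added example (not from the original post): a minimal consent ledger that
# enforces the consent criteria above and services data-subject rights.
# All purposes, sample customers and source labels are constructed for illustration.
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional
import json

# Constructed purposes; a real store would list every purpose it processes data for.
PURPOSES = {"order_processing", "marketing_email"}


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass
class ConsentRecord:
    purpose: str
    granted: bool
    source: str            # where the affirmative action happened, e.g. an unticked opt-in box
    granted_at: str
    withdrawn_at: Optional[str] = None


@dataclass
class Customer:
    email: str
    name: str
    consents: Dict[str, ConsentRecord] = field(default_factory=dict)


class ConsentLedger:
    """Holds customers, their per-purpose consents and an audit trail for the DPO."""

    def __init__(self) -> None:
        self._customers: Dict[str, Customer] = {}
        self.audit: List[str] = []   # the DPO's record of what was done and when

    def _log(self, msg: str) -> None:
        self.audit.append(f"{_now()} {msg}")

    def register(self, email: str, name: str) -> None:
        # No consent by default: a new customer starts with an empty consent map.
        self._customers[email] = Customer(email=email, name=name)
        self._log(f"registered {email}")

    def record_consent(self, email: str, purpose: str, source: str,
                       affirmative_action: bool = True,
                       condition_of_service: bool = False) -> ConsentRecord:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        if not affirmative_action:
            raise ValueError("consent must be an explicit, affirmative action (no pre-ticked boxes)")
        if condition_of_service:
            raise ValueError("consent cannot be a condition of sale or bundled into T&Cs")
        rec = ConsentRecord(purpose=purpose, granted=True, source=source, granted_at=_now())
        self._customers[email].consents[purpose] = rec
        self._log(f"consent granted {email} {purpose} via {source}")
        return rec

    def withdraw(self, email: str, purpose: str) -> None:
        # Withdrawal must be as easy as granting: one call, no conditions attached.
        rec = self._customers[email].consents.get(purpose)
        if rec is not None and rec.granted:
            rec.granted = False
            rec.withdrawn_at = _now()
            self._log(f"consent withdrawn {email} {purpose}")

    def may_process(self, email: str, purpose: str) -> bool:
        # The gate every sender or processor runs before touching the data.
        cust = self._customers.get(email)
        if cust is None:
            return False
        rec = cust.consents.get(purpose)
        return rec is not None and rec.granted

    def export(self, email: str) -> str:
        # Right of access and right to data portability: everything held, machine-readable.
        return json.dumps(asdict(self._customers[email]), indent=2)

    def rectify(self, email: str, name: str) -> None:
        # Right to rectification.
        self._customers[email].name = name
        self._log(f"rectified name for {email}")

    def erase(self, email: str) -> bool:
        # Right to erasure: the record goes; only the audit line remains
        # (a production system would pseudonymise that line too).
        removed = self._customers.pop(email, None) is not None
        if removed:
            self._log(f"erased {email}")
        return removed


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.register("alice@example.com", "Alice Example")   # constructed sample customer
    ledger.record_consent("alice@example.com", "marketing_email", source="newsletter_optin_checkbox")
    print(ledger.may_process("alice@example.com", "marketing_email"))  # True
    ledger.withdraw("alice@example.com", "marketing_email")
    print(ledger.may_process("alice@example.com", "marketing_email"))  # False
    print(ledger.export("alice@example.com"))
```

The design choice worth noting is that `may_process` is the only path to a "yes": marketing code never reads the consent table directly, so a withdrawn or never-granted consent cannot be overlooked, and the audit list gives the DPO the dated record that the first checklist item asks for.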

For a more comprehensive and detailed checklist, please refer to the UK’s Information Commissioner’s Office website.
