GDPR Practical Checklist for eCommerce

Picture of Tomasz Karwatka
Tomasz Karwatka

Supervisory Board Member at Divante. Leading industry voice who believes eCommerce can improve our world. Co-founder of Vue Storefront and Open Loyalty, angel investor, and founder of Tech To The Rescue. CoFounder at Catch The Tornado eCommerce Startup Studio

Care to share?

Go through the GDPR Checklist for eCommerce and check to what extend your eCommerce meets the requirements GDPR.

About the GDPR

The new General Data Protection Regulation (GDPR) determines how your eCommerce business operates from 25th May 2018. There are big changes on the way. Your business will need to manage, administer and protect personal data whether you work in B2B or B2C marketing.

Learn more about GDPR.

What happens if you fail to comply

Supervisory authorities will have the ability to fine organisations €20 million or 4% of their annual global turnover whichever is greater. But it would take a serious violation of the Regulations for a fine to come close to that figure, and the ICO reassures us that fines will be a last resort.

30 days of business suspension – this is the other scenario that may occur upon failure to comply. Supervisory authorities can perform a detailed audit of your data protection procedures and ban you from processing personal data for up to 30 days, which in practice will result in the suspension of your business.

Make eCommerce ready for changes with microservices architecture >

Get ready for GDPR

If you still have not done a risk analysis then you don’t know exactly to what extent your site meets the requirements GDPR. Simply go through the list and check the requirements with which you comply to make the first step. The more checkmarks, more prepared you are. Fewer checkmarks? Find out which areas you need to focus on and take action. Of course, you can always use specialized services like ours, to implement all the required changes effortlessly.

Check our 3 GDPR tips for the start.

Database access

This area describes the recording of each attempt to read personal data, regardless of how it will be done, e.g. a direct reading of data by the database or by the Administration Panel.

Collected data

To protect the user’s interests, we must limit the collection of data to what we actually need.

*sensitive personal data means personal data consisting of information as racial or ethnic origin of the data subject, political opinions, religious beliefs, physical or mental health or condition, sexual life, proceedings for any offense committed or alleged to have been committed.

Consent from users

The GDPR requires full transparency when it comes to collecting user consent and enforces the principle of one request for consent – one checkbox.


Data profiling and external software

The GDPR requires the user to be informed to whom his data is being transferred, so special attention should be paid to how personal data is transferred using external software. In addition, the user must agree that the data regarding his behavior can be profiled / analyzed.


The possibility of being forgotten

The GDPR requires that its data be forgotten / deleted from the system at the user’s request. The scope of data removal is 100%. At the user’s request, it is necessary to provide him with the complete set of data that we have about him, along with the history of how the data was processed, to whom it was shared, etc.

* Keep in mind there’re priority rights about storing fiscal documents over time for tax and customer service purposes

Integration and transfer of data

The GDPR requires the user to be informed to whom his data is being transferred, so special attention should be paid to how personal data is transferred using external software. The user must agree to the transfer of their personal data.


Data administrator procedures

Working out procedures at the organizational level that meet the requirements of the GDPR. Examples below:


Share this report

If you find this report helpful, why don’t you share it

with your friends on social media:



If you are not sure, just get in touch with us.


Our business consultant will find out which areas you

need to focus on and show what action we can take to

implement all the required changes effortlessly.



Published January 5, 2018