GDPR stands for General Data Protection Regulation, a piece of law approved by the EU Parliament in 2016 that repeals the 1995 Directive 95/46/EC. As its name hints, GDPR is about individuals’ rights when it comes to their personal information and privacy.

While this may sound like an obscure legality you don’t have time to read about, make no mistake…

If you own or operate an e-commerce company, GDPR can have a huge impact on your business.

As an e-commerce expert and Klaviyo Silver Business Partner working with US, EU, UK, and global e-commerce businesses, I know the implications of this development for my clients and e-commerce companies. It’s a topic that’s top of mind for me…and those affected by this legislation.

Whether you’ve heard of GDPR before or it’s an entirely new concept, keep on reading. In this article, we’re covering 7 must-know facts about GDPR and what this law means for your online presence.

Don’t simply read this article for yourself…share it with your internal team, your colleagues, and any business partners responsible for your e-commerce customer data.


1. GDPR goes into effect on May 25, 2018.

GDPR is an important piece of legislation…and, if you’re unfamiliar with it, you don’t have much time to learn about it.

While GDPR gained acceptance in April 2016, it goes into effect on May 25, 2018.


2. GDPR has a broad umbrella for what’s considered personal data.

E-commerce software provider Klaviyo (full disclosure: I’m a Silver Business Partner) explains that GDPR uses a “far-reaching definition” of personal data that is “any information that can be used to directly or indirectly identify a person.”

This encompasses everything from a person’s name to a random identifier assigned for A/B testing.

Given that collecting this information is important for healthy online sales, the point is clear…

As an e-commerce business, GDPR definitely deserves your attention.


3. GDPR will impact e-commerce businesses globally.

Just because GDPR is an EU regulation doesn’t mean it won’t impact e-commerce businesses globally.

Whether you own a brick-and-mortar store with an online shop in Maine or you operate a large e-commerce-only store based in Australia, it is critical to understand the implications of GDPR for your e-commerce company.

Here’s what has to say:

“The GDPR…will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.” elsewhere states that this is “irrespective of whether payment is required.”

But before you start panicking, explains that this new regulation doesn’t mean blocking EU IP addresses. gives three scenarios that indicate you may need to get compliant soon…  

  • Your marketing has a language that’s generally used in an EU member state. For example, you have a French version of your e-commerce website, or your website offers translations in an EU language.  
  • Prices appear in EU currencies. You can’t list the Swedish Krona on a product page and expect to escape GDPR.
  • Your business mentions EU individuals. Beware if your website copy states, “Our e-commerce store serves customers in Germany, Italy, and the United States.”

If your customer base is primarily in the UK, don’t look to Brexit for safety. It’s no ticket out of complying with the restrictions in GDPR. explains,

“The UK Government has indicated it will implement an equivalent or alternative legal mechanisms.”

In other words, there’s no guarantee that the UK won’t pass its own version of GDPR.

That’s why, if you have any UK e-commerce dealings, you’ll want to dig into GDPR requirements.


4. You may need to hire a data protection officer.

Back in December 2017, Shopify was nudging readers to consider a data protection officer…and with good reason.

Under GDPR, some organizations will need to hire a data protection officer (DPO) to remain compliant. And here’s a simple way to understand the new rules.

DPOs are required for organizations that fall into three categories. As an e-commerce business owner, you likely don’t need to worry about two of the three.

For instance, under GDPR, you need a DPO if you’re a “public authority or body” (which you aren’t). You’ll also need a DPO if your “core activities…consist of processing on a large scale” data such as political opinions, criminal convictions, and other sensitive personal information listed in Article 9 and Article 10 of GDPR. Again, it’s not likely this is a function of your online store.

However, there is one category that e-commerce companies like my clients need to consider.

According to GDPR, your e-commerce business needs to hire a DPO if your…

“core activities…consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.”

Here’s how you can interpret this stipulation.

Global law firm DLA Piper explains that a core activity would be something that’s “essential to run the core business of a company.”

Applying this to e-commerce…

If you use advanced marketing data collection (and it’s essential to gather a lot of information on your customers), you may need legal advice on appointing a DPO.


5. Your e-commerce customers can request their information.

According to the GDPR legislation, an e-commerce customer can ask you to give an account of his or her personal information.

For instance, customers can expect an answer as to why you’re using their information, who is receiving this personal data, and more!

On top of this, explains that you must “provide a copy of the personal data, free of charge, in an electronic format.”


6. Using well-respected e-commerce software can help.

Learning about the implications of GDPR on your e-commerce operations can be overwhelming.

While it’s important to conduct research, one way to adapt is to use well-respected e-commerce software.

Klaviyo explains the benefit of using SaaS products, such as Shopify, Optimizely, and WisePops. They state, “In all likelihood, you probably don’t have to make drastic changes unless you run all custom software.”

Using well-respected e-commerce software allows you to partner with companies who’ve already done the research for you…and have built in compliance for their platforms. (For instance, take a look here at Optimizely’s preparations for GDPR.)


7. Violating GDPR incurs steep penalties.

According to, GDPR violations can have a steep price tag.

The organization says that violations can be fined “up to 4% of annual global turnover or €20 Million (whichever is greater).”

And don’t forget, that penalty isn’t off your bottom line…it’s off your gross revenue.

Whether you want to retain your EU customer base or venture into European markets, navigating GDPR and e-commerce requirements is critical for your online business to stay viable.

When it comes to understanding GDPR, I can help with:

  • Updating your forms, popups, and practices to be GDPR compliant.
  • Cleaning your lists of any EU citizens who haven’t provided explicit permission, or who are inactive and whose data should no longer be stored.
  • Helping you follow GDPR requirements in a timely manner.
  • Running a campaign to gather customer consent and including prompts in your marketing materials.

In addition, I have the expertise to take your business to the next level with behavioral email marketing.

Tap into my insights on both GDPR and scaling your e-commerce business when you schedule a FREE strategy session with me.

Kinga Dow

Published April 27, 2018
