RGPD and e-commerce: What eshop owners need to know in 2020

E-commerce store owners have their hands full: between SEO, social networks and web design, they didn’t need another task.
But RGPD compliance has now been added to the list.
It’s been almost 2 years since the RGPD was implemented, and there are certainly still lessons to be learned and steps to be taken to strengthen your RGPD compliance.
This article looks at what the RGPD says, what RGPD compliance means for you, what it takes to be compliant and how you can use it to your advantage.

What is the RGPD?

RGPD (Règlement Général sur la Protection des Données) is the French acronym for the General Data Protection Regulation, better known in English as the GDPR.
Adopted in April 2016, the RGPD sets the rules for how the personal data of all European residents must be handled.
The RGPD came into force in May 2018 and impacts the processing of all data, from medical histories to financial records to internet activity.
In doing so, the RGPD has reshaped what it means to do e-commerce in Europe, influencing how you engage with your customers, the tools you use and how you use them.
The RGPD is not a technical document.
In fact, e-commerce is only addressed in it once.
And that’s in a footnote.
Rather, the RGPD should be seen as a declaration of fundamental rights: “The processing of personal data must be designed to serve humanity”.
But there’s still a lot for eshop owners to know.

Why is the RGPD important?

The RGPD was introduced in response to the ever-increasing amount of data that is collected, transferred, managed and used today.
The EU already had its Data Protection Directive in place, but it was enacted in 1995 and is, today, outdated and not fully applicable to the digital age.
Therefore, the RGPD was implemented as a replacement to continue to properly protect the data of EU citizens.
Under the RGPD, organizations are required to comply with responsible data collection and use in order to protect users’ rights and privacy.
By placing this responsibility on organizations, the RGPD effectively gives EU citizens more rights to understand how and why their personal information is collected and processed.
It also gives them the right to decide how they want that information to be used.
If you were running an e-commerce business when the RGPD came into force, you’ve probably done your bit to comply.
But if you’re just starting out as an e-commerce entrepreneur, you may still be grappling with the RGPD.

The need for e-commerce RGPD compliance

We’re not going to get your hopes up: complying with RGPD is a lot of work.
But it’s also extremely important and certainly not something you can simply ignore.
According to the European Commission, in the first year since the RGPD was implemented, there have been around 145,000 cases of requests and complaints and almost 90,000 notifications of data breaches.
Failure to comply with the RGPD can result in hefty fines and penalties, up to 4% of a company’s annual turnover.
Case in point: at the end of 2019, a Polish retailer was hit with the biggest RGPD fine ever, €640,000.
In the following sections, we’ll look at how the RGPD affects you and how to comply.
You can also watch this FAQ video made in collaboration with the CNIL:

Who is the RGPD law aimed at?

Regardless of your location, the RGPD applies to all businesses that offer products or services to consumers in Europe.
So, if your e-commerce store is available in Europe, you probably need to comply with the RGPD.
Remember: RGPD compliance doesn’t just apply to European businesses selling products to European customers.
It covers any interaction with customers in Europe, period.
Of course, RGPD doesn’t just apply to store owners.
RGPD compliance also applies to your favorite tools.
Google, Facebook and Shopify, to name but a few, must also comply with the RGPD.

What does RGPD compliance mean?

Before we tackle the issue of RGPD compliance, we must first understand what compliance actually entails.
So here’s a simple way to understand RGPD compliance.
Navigate your website and imagine yourself as a user of your own e-commerce site.
Every time you’re asked for data (your name, email address, phone number, etc.), ask yourself these four questions:

  • Do I know what data they collect and what it’s used for?
  • Do they need this information for the actions I carry out on their website?
  • Can I request that my data be modified or deleted at any time?
  • Am I aware of my rights as a user?

If the answer to any of these questions is no, then you’re probably not quite RGPD compliant yet.
If the answer to one or more of the questions is yes, congratulations, you’re on the right track!
Either way, the following few sections will help you improve your knowledge and resulting efforts to bring you and your business into RGPD compliance.

What’s the RGPD like for small businesses?

The RGPD affects businesses of all sizes.
From an independent entrepreneur to a company with 10,000 employees, if a business processes data on Europeans, then the RGPD applies.
Most e-commerce stores are much closer to one employee than 10,000, so it’s important to understand how the RGPD distinguishes between large and small businesses.
E-commerce store owners should be aware that the RGPD does not treat them in the same way as large businesses.
For example, some of the RGPD’s record-keeping requirements only apply to businesses with more than 250 employees.
When you read advice such as “It’s essential to plan your approach to RGPD compliance now and get buy-in from key people in your organization”, you can relax. If you own an online store, the “key people” and the “organization” are probably you.
If so, the RGPD method is a little simpler.
But there are still plenty of RGPD requirements that apply to everyone, no matter what.

What do eshop owners need to do to comply with the RGPD?

The RGPD runs to 88 pages and over 50,000 words, and it makes for dry reading.
If you don’t want to read the RGPD, you’re forgiven.
But the rules it sets out apply to all stores selling to consumers in Europe, and Europe accounts for around 25% of the world’s GDP.
Even if you never read the RGPD itself, there are some things to keep in mind about RGPD compliance.

What are the RGPD requirements?

Every governing body or text sets out principles and commandments that serve as the basis for the regulations it proposes.
The RGPD is certainly no exception to this rule.
It has seven principles that guide its implementation, regulation and sanction.
The next section will be a little more technical, as we examine the seven principles of the RGPD.

The seven principles of the RGPD

1. Lawfulness, fairness and transparency

This stipulates that the data you collect from your users must comply with the requirements of the RGPD.
Fairness and transparency concern the use of data and the visibility of that use.
In other words, what you claim to collect their data for must match your actions.
Users must also have visibility of these actions.

2. Purpose limitation

Data processing must be “specified, explicit and legitimate”, which means that using collected data beyond its specified purpose is considered an infringement. To put it simply, if a user agrees to give you their e-mail address to receive newsletters, that address must not be used in any other way, including for “statistical purposes”.

3. Data minimization

Under the data minimization principle, the data collected must be kept to a minimum, and only that which is necessary.
More precisely, it must be “relevant to the purposes for which it is processed”.
If you ask for more data than is really necessary to achieve the intended purpose, you will probably be considered to be in breach of the law.

4. Accuracy

The term “accuracy” here means holding only up-to-date information and making the effort to keep it up to date. This means reviewing and cleaning up your data regularly. Data deemed “inaccurate” should be deleted immediately.

5. Storage limitation

This fifth principle of the RGPD is quite long and full of jargon, so to simplify: delete all data you no longer need, unless you have real and legal reasons to store it.
If you decide to store data, you need to determine how long it will be kept and for what purpose (the RGPD does not explicitly specify how long personal data should be kept).

6. Integrity and confidentiality (security)

The “Integrity and confidentiality” section aims to protect the data collected. Under this principle, you must have appropriate and adequate “technical or organizational” security measures in place to prevent theft and loss of data, whether the threat is internal or external.

7. Accountability

The final principle of the RGPD is how the EU ensures that you are actually compliant with the RGPD.
It states that you must be able to demonstrate the steps taken to comply.
This means you must have clear records of what has been done and when, whether you have hired a data protection specialist, whether you review your data regularly and, in general, whether and how you are complying with the RGPD.

RGPD and e-commerce best practices

The seven principles of the RGPD can be a real goldmine.
They may seem like a lot of uninspiring technical and legal jargon that makes you want to do anything but comply.
But don’t worry, the following section will explain things in simple terms to help you become an RGPD-compliant e-merchant.

How to make an e-commerce site RGPD compliant?

Consent is king. The RGPD allows Europeans to control exactly how their data is used.
Therefore, being RGPD compliant means you can’t assume what your users want.
For example, the RGPD states, “Silence, ticked boxes or inactivity shall not constitute consent.”
This means, for example, that you should avoid pre-ticked checkboxes, which violate the RGPD.

Collect only the data you need. The heart of RGPD compliance is protecting people’s data.
You can limit your exposure by not collecting data you don’t need.
If there’s no commercial interest in knowing, for example, which company your customer works for, then the RGPD encourages you not to ask.
And if you are going to use this data, be very clear about how you are going to use it.
For example, you’ll sometimes see payment pages that ask for a customer’s phone number.
E-commerce owners need to ask themselves, “What am I going to use this person’s phone number for?” There are certainly legitimate reasons for asking for a phone number.
These may include SMS campaigns or protection against fraudulent orders.
This is perfectly normal as far as the RGPD is concerned.
Just make sure you explain these things in your terms and conditions and privacy policy.

Make sure everything is very clear. RGPD regulators love transparency.
You could put an “unsubscribe” link on your website right next to “subscribe”.
You could link directly to your terms and conditions and privacy policy in your footer.
Putting it all out there is one of the easiest ways to protect yourself from concerns about RGPD compliance.

Don’t do anything sneaky. For companies with fewer than 250 employees, a big part of the RGPD comes down to not being sneaky.
If you’re honest and transparent and apply best practices, you won’t face the massive fines that come with the RGPD.

RGPD compliance checklist

In short, here’s a checklist for being RGPD-compliant in e-commerce.

  • Make sure you get clear consent.
    This means no pre-ticked boxes and no assumptions about what users want.
  • Collect only what you need.
    The rule is: if you don’t need it, don’t ask for it.
  • Be open about your RGPD compliance.
    Opt-outs, terms and conditions and privacy statements should be clear and visible.
    If you have certified trust marks, show them.
  • Be transparent and honest.
    If you’re honest about your methods, regulators can turn a blind eye to minor violations and even help you remedy them.

Note that this RGPD checklist serves only as a guide.
Each organization will have its own specific RGPD requirements to fulfill and its own policy to state.

Conclusion on the RGPD and e-commerce

In a nutshell, what does all this mean for the RGPD and your e-commerce store?
The RGPD affects businesses that interact with consumers in Europe – or could interact with Europeans – regardless of where those businesses are located.
RGPD compliance is a little simpler for small businesses.
This means that RGPD compliance is different for your e-commerce than it is for a larger business.
You can help your store achieve RGPD compliance by making sure your terms and conditions are clear, removing pre-ticked boxes and generally respecting the privacy of your customers and potential customers.
Your e-commerce business can benefit from the RGPD.
Data protection is a very important issue in Europe, so if you take steps to comply with the RGPD, you can let all your customers know.

Need help with your e-commerce project?
Contact me to discuss! As a Prestashop developer and e-commerce expert, I’d be delighted to help you.