New Shopify Store and GDPR (General Data Protection Regulation) Compliance
Updated: Mar 25
Shopify has become an excellent eCommerce store builder with a theme for every taste and an App for nearly every need, but GDPR compliance is not something the platform gives you by default: it remains the store owner's responsibility to ensure.
This applies to every EU (European Union) market where GDPR is in force, so if your store ships to those countries you are required to be compliant, even if your business is based outside the EU.
GDPR Violation Consequences
If your business violates GDPR rules, the supervisory authorities can impose two tiers of fines. The first and more common tier is 2% of revenue or €10 million, whichever is greater. The second tier is 4% of revenue or €20 million, again whichever is greater.
Key Compliance Rules
New stores that have only recently gone online may need to spend some time learning what must be done. Here are the key points on how your eCommerce store must respond to GDPR:
- You must ask permission from each visitor before collecting any data from their visit, including analytics data, when the visitor comes from the EU.
- You must provide a method by which users can request their data, and you must delete it if the user requests removal.
- Any third party that sees, works with or receives this data must also be GDPR compliant.
- You must map your data framework so it can be reviewed and acted upon when requested.
How is this handled in Shopify?
GDPR is not handled by the platform by default: the declaration, the prompting of the user, and the process for managing the audited data and its removal are all up to the business to implement. Every business must therefore seek compliance if any EU visitor can reach its store.
Guidelines to follow GDPR are linked here: https://ico.org.uk/for-organisations/guide-to-data-protection/
Every App used in your Shopify store must itself be GDPR compliant if it collects data from visitors to the site, and each one must be reviewed to confirm this. While Shopify already collects data and is GDPR compliant, every additional tracking or metrics tool requires the same scrutiny.
As a business, you must assign a Data Protection Officer (DPO) who leads the effort of managing and auditing your store for GDPR.
Shopify’s GDPR Merchants How-to’s: https://help.shopify.com/en/manual/your-account/privacy/GDPR/GDPR-merchants
As a platform, Shopify has to have its own GDPR Disclosures: https://help.shopify.com/en#collecting-personal-data
When it comes to logistics with Shopify Shipping, where you had to collect the customer's information in order to deliver their goods, the following describes how that data is required to be handled: https://www.veeqo.com/blog/what-is-shopify-shipping
There is no App that can simply do your GDPR compliance for you; every business is different, and each uses different tools to merchandise its goods or services, which makes automation impossible. This is a business process that needs structure, so that whenever you set up the store or make changes, GDPR is reviewed and the handling of data is confirmed to be secure. The EU is processing tens of thousands of violation reports, and your business is exposed if it does not comply.
Shopify is well structured; it lets you perform audits easily and process and map your data collection so that you can carry out GDPR compliance procedures. Bear in mind that this affects all eCommerce stores, wherever they are, so you are not alone in the quest to protect your clients' data.