Shopify has become one of the most popular platforms for ecommerce retailers because it provides almost all of the features they need out of the box. Almost all… but not quite. In order to use Shopify in a way that is compliant with the EU’s GDPR, you will need to have specific processes and tools in place. This is important because non-compliance with the GDPR means you are risking huge fines. Under the GDPR, there are two levels of fines. Lower-level violations can lead to a fine of €10 million or two percent of your worldwide annual revenue, whichever is higher. That's revenue, as in income before expenses. A more serious violation can result in a fine of €20 million, or four percent of your annual revenue — again, whichever is higher. In this article, we’ll show you how to use Shopify in a way that is GDPR compliant, so you can both improve the trust of your customers and avoid getting fined.
Shopify GDPR: The Basics
Most ecommerce retailers are now aware of the basic outline of the GDPR, at least as it relates to seeking consent to collect data on customers. If you are new to the world of ecommerce, though, it’s worth taking a look at one of the many guides that explain the requirements of the legislation, even if you don’t read the whole text. Here are the key takeaways:
- If your ecommerce store is available in Europe, you need to comply with the GDPR, even if you are not based there.
- You then need to explicitly seek permission from every user in Europe before collecting any kind of personal information.
- Users also have a right to request all of the information you hold on them, and can request that it be deleted. This means that you need a process in place for dealing with these requests.
- Finally, the GDPR also has impacts on the way that small businesses store and process data.
When taken together, these requirements can seem pretty onerous. However, it’s important to recognize that the GDPR isn’t designed to stop you from operating in Europe (though it certainly has had financial effects for stores operating there). Instead, it’s designed to ensure trust between customers and retailers by clarifying the rights of each.
Shopify and the GDPR
Let’s take a look at how the GDPR affects Shopify in particular. The first thing to note in this regard is that Shopify cannot handle GDPR compliance for you. There’s a good reason for that. Although Shopify is consistently ranked among the best ecommerce platforms, the GDPR is a complicated piece of legislation, and every retailer on Shopify collects, processes, and uses data in a different way. That said, Shopify does provide two major advantages for ecommerce retailers looking to become GDPR compliant:
- One of the stipulations of the GDPR is that you need to check that any third-party company you share data with is also compliant. Shopify fulfills these requirements.
- Shopify has been built so that it can be made GDPR compliant, at least as far as the data you collect through the platform are concerned.
The first step in ensuring GDPR compliance on Shopify is to check which regulations apply to you. There are plenty of detailed guides out there that can help you. Two of the best are the ICO's guide to data protection and the Irish Data Protection Commissioner’s GDPR guide. These guides explain the general requirements of the GDPR, and how it relates to every aspect of your business. Beyond your Shopify account, you will need to ensure that your social media strategy and your email marketing services are also compliant with the GDPR.
Making Your Shopify Store GDPR Compliant
When it comes to your Shopify account, however, you will need to put in place a number of systems and tools. Here they are:
- First, make sure you complete a thorough audit of all the data you are collecting on citizens of the EU. This includes any analytics and tracking systems you use on your store, but also all of the third-party apps and themes you have deployed.
- Second, Article 30 of the GDPR requires you to maintain a current map of your data practices. This means that you should be aware of how you are processing the data you collect, and how it is being used.
- If your business’s core activities include large-scale online tracking, the GDPR requires that you also appoint a Data Protection Officer (DPO). The ICO provides detailed guidance on how to do that.
- Article 28 of the GDPR requires that when you engage a data processor (like Shopify) to process your customers’ data, you impose strict contractual requirements on how they may use and process that data. Shopify has automatically incorporated a Data Processing Agreement (https://www.shopify.com/legal/dpa) into its terms of service, which is designed to address the requirements of Article 28.
- Finally, be aware that the concept of “consent” in the GDPR is a complex one. Under the GDPR, you need to explicitly define a legal basis for collecting and processing personal data, and ensure that every user has access to this information. Shopify also publishes its own guide to collecting personal data.
These processes and tools may only cover a small portion of those you need to be aware of, depending on how you use Shopify. If you are using web analytics as part of your store, then GDPR compliance is more complex. Similarly, if you are using some of the more advanced features of Shopify, such as Shopify Shipping, you will also need to ensure that these are covered in your GDPR compliance framework. And finally, be aware that the GDPR also stipulates how you must deal with a data breach.
The Bottom Line
While the GDPR has only been around in theory since 2016, and only enforced since 2018, cybercriminals haven’t yet been dissuaded by the regulations. In fact, they are busier than ever, with nearly 59,000 data breach reports notified to European data protection authorities in just the first eight months after the GDPR took effect. For new ecommerce retailers, GDPR compliance can seem very daunting. However, if you’ve decided to use Shopify as your ecommerce platform, you have made a wise decision. The platform will allow you to put in place the processes you need to be compliant while not getting in the way of growing your retail business. Just remember that compliance – whether with the GDPR or any other privacy framework – is a process, not an event. In other words, you will need to revisit the way that you work on a regular basis to ensure that you are still compliant, especially when you add new functionality to your Shopify store.