GDPR - How is it important for small and medium businesses?

The European Union is about to bring the new data privacy law called GDPR and you might have to comply to it. GDPR stands for General Data Protection Regulation and it is a real deal for the businesses in Europe.

Is your online store based in Europe, or has European customers, or if you have the chance of doing business in the European market? Read on to know how GDPR will affect your business and how to make your eCommerce store GDPR compliant.

What is GDPR?

As you may already know, GDPR is the new law to protect the European consumers’ data privacy. GDPR is about to come into full effect by 25th of May 2018. GDPR is not exclusive for eCommerce. In fact, eCommerce is only a part of the 88 page long regulation that holds true for all kinds of businesses. However, if your business has anything to do with Europe, you’d better be GDPR compliant on time.

How to make your eCommerce store GDPR compliant?

The new regulation has been enforced only to protect the consumers’ data privacy and to bring transparency in trading policies. Here are the key steps to make your eCommerce store GDPR compliant.

1. Check what data you are collecting

So, the first step you could take towards making your store comply to GDPR is to check what kinds of data you are collecting in your store. If you think you do not collect any personal data of your customers, think again.

That would bring us to the question, “What counts as personal data?”.

Any detail that can reflect an individual person is personal data. Name, email, phone number, address, zip code, gender, date of birth, etc. All of them count as personal data.

As an eCommerce store, there are primarily two places where you would be asking for your customer’s personal details:

  1. During signup - name, email, phone number, gender, date of birth, etc.
  2. During checkout - name, email, address, zip code, phone number.

In any case, you will have to make sure that you collect only the required data. For example, storing an email id is required to identify a customer uniquely. You need to tell the customers that you are storing their email id in your terms and conditions. And that takes us to the next step.

2. Mention the use of customer’s data in your terms and conditions

If you are collecting an information from your customer, you should let them know why you need the information. That is the basic motive of GDPR. For example, when you are storing the customer’s address for shipping, just tell them that is why you need their address. Where? In the terms and conditions, and in the privacy policy. The customers can read your policies, and they can decide whether to share their information or not.

As I mentioned earlier, eCommerce sellers usually process personal information of customers either in the sign up page or in the checkout page. To add your new terms and conditions to your checkout page in J2Store, you can use the free app “Additional Terms and Conditions”. The terms and conditions can be specified from the backend and they will be displayed with checkboxes for customers to agree.

That’s about the terms and conditions.

3. Custom fields

Since we are talking about getting only what is “needed”, you should be looking into what information you are getting as input from your customer. For example, let us say you sell physical products as well as digital products. You do not need the shipping address for digital products, do you?

But wait, a situation like this could arise:

“What if I don’t ship anything, but I need the address to identify the location of a customer to give discounts based on their zone?”

Now, in both the cases, you can very well ask for the information you need. That is, the name of the province or zip code. That alone is enough to detect the customer’s location. You should mention the usage of these details in your terms and conditions to let the customer know. The other fields like address lines 1 and 2 can be kept optional or hidden. If you want to ship a product, you can mark them as required field.

In J2Store, you can use the custom fields for required fields, optional fields, or even hide the unnecessary fields. Here’s an example where the first name, last name and the country fields are marked required and others are optional.


To create such fields in J2Store, go to J2Store > Setup > Custom Fields. Your custom fields will be displayed.


To add a new custom field, select New and configure the custom field as shown in the screenshot below:


Save the fields and you’ll be good to go.

Once your terms and conditions are updated, and you have made sure that you are collecting only the required details from the customers, your eCommerce store will be GDPR compliant.

Key guidelines for GDPR compliance

The new regulation is made to best protect the privacy of the European consumers when it comes to their personal data. If you are collecting any personal data from your customers, or if your site stores cookies for better performance, you should make it clear in your website.

To sum up, here are the key guidelines you have to follow to be GDPR compliant:

  • Collect only the details that you “need” and with the customer’s consent.
  • Mention in your privacy policy / terms and conditions that you store customer information and the purpose of storing it.
  • Avoid practices like signing up your customers without their consent. For example, pre-selected checkbox or automatic newsletter subscription.
  • Notify your customers about the details you store in your privacy policy / terms and conditions.
  • Provide links to your privacy policy / terms and conditions in your website footer (or maybe in a huge pop-up or a banner). Make it noticeable. Also show them in the checkout page using Additional terms & conditions app in J2Store.
  • Make sure that the tools and services you use in your online store comply to the new regulation as well. J2Store is fully GDPR compliant.
  • Be transparent in your policies.

In a nutshell, don’t involve in sneaky activities. That’s exactly what the GDPR is against.

Do SMEs need to worry about GDPR?

In short, yes. But not as much as the large businesses. GDPR replaces the existing Data Protection Act (DPA). While DPA was the same for all sizes of businesses, GDPR recognizes the difference.

Large businesses like Facebook, Google, etc., need to take care of a lot of stuffs to be fully GDPR compliant, simply because they deal with a lot of data. Whereas small business owners do not have to worry to that extent.

So, if you are running an SME, especially an eCommerce business, then you can be relieved. As long as you are transparent in your policies, there’s nothing to worry about.

What if you are not GDPR compliant?

Non-compliance is really not an option if you want to do business in Europe. Fines will be up to 4% of annual turnover or €20 million, whichever is greater.

Actually, there is no reason not to comply with GDPR because you can actually market it as your selling point to the European customers. They look for GDPR compliant sellers and if you don’t tell them that you have taken all the steps to become one, they’d not know.

Key Takeaway:

  • Be GDPR compliant if your business sits or sells in Europe.
  • Store and process personal data of consumers only with their consent.
  • Do not ask for data that you don’t need.
  • Practise transparent policies. Keep your terms and conditions updated.

Having known all that you need to know about GDPR, the upcoming data protection regulation, the ball is in your court now. If your online store has nothing to do with the European Union, just relax. But, if you are looking forward to start or continue your business in Europe, Have you started the compliance process yet?

Subscribe to get updates from us