February 26, 2018

What Magento users need to know about GDPR in ecommerce

It’s time to stop putting off your GDPR plans and start seriously thinking about ensuring your business is compliant in time for the looming 25th May deadline. Not sure where to start? Let us help you take the right approach to getting started with GDPR compliance for ecommerce.

Why is GDPR important?

The General Data Protection Regulation (GDPR) was first conceived in 2012, before being adopted by the European Parliament in 2016. This triggered a 2-year countdown for organisations to comply with the new regulations for how businesses can capture, store and use personal data.

For retailers and marketers, this significantly affects their existing ecommerce processes related to using consumer data for research, retargeting and sending out marketing content.

Why is GDPR important? The EU has implemented the new regulations to give individuals more rights, control and transparency over how their personal details are obtained and used by companies.

How does it affect ecommerce businesses and retailers? In many ways! As brands look to align themselves with the new regulations in time for the GDPR compliance deadline on 25 May 2018, they’ll need to assess their existing processes and future-proof ongoing data capture and consent messaging.

Note: Anyone still thinking GDPR only applies to companies based in the EU, forget that thought! The reason the impact of GDPR is so wide-reaching is that any organisation collecting and processing personal data from individuals in the EU must be compliant with the new GDPR rules.

What are the new rights of the individual when GDPR is triggered?

The new regulations are designed to give individuals better control over the way companies capture and process their personal data, ensuring the needs and security of the user are effectively met, whilst clarifying the intentions of the brand.

GDPR makes a clear differentiation between “personal data” and “sensitive personal data”. Personal data is categorised as any information identifying the individual, such as name, location and other online data identifiers. Sensitive personal data is more granular and specific, such as social, physiological and cultural identifiers – even mental health information.

Collecting and using this type of sensitive personal data is not permitted under GDPR, apart from in very specific circumstances.

Find out more by heading to the ICO’s GDPR “key definitions” page.

Here are the key criteria for data collection and processing consent to be aware of:

  • The explicit consent of individuals
  • The elimination of blanket consent, consent by default, and consent as a condition of sale, service, or general terms and conditions
  • The ability for individuals to easily withdraw consent

The following list outlines the rights of individuals under new GDPR rules:

1) Right to be informed
2) Right of access
3) Right to rectification
4) Right to erasure
5) Right to restrict processing
6) Right to data portability
7) Right to object
8) Rights in relation to automated decision making and profiling.

For in-depth details on this, head over to the ICO’s page on GDPR individual rights.

Key considerations for assessing existing data capture, retention and processing

When preparing for GDPR compliance, the first thing you need to do is assess your existing data and the sources from which the data was captured. Once you’ve pinpointed these sources, you’ll need to evaluate the processes for capturing personal data via these different routes and channels.

Here are some questions to ask yourself when evaluating your current processes for data collection and processing:

  • How was the data captured?
  • What measures are currently in place to ensure the data is stored and used correctly?
  • What control do individuals have over how their data is used and what messages they receive from your brand and/or third parties?
  • How clear are your terms for data usage, and what opportunities are given to users to control or opt out of marketing content and brand communications?

The answers to these questions will make your job easier and clearer when planning your approach to GDPR compliance.

What new processes should I implement to ensure my brand is compliant?

Having asked yourself these questions about how your retail business currently deals with user data, your evaluation should be held up to the mirror of GDPR’s new stipulations for the usage of customer data and the new rights of the individual.

Where a current process doesn’t reflect the new GDPR rules, mark it as a place where a change is needed. Once these have all been outlined, work out how each can be resolved and then decide on the most efficient approach to making them compliant.

Here are some key considerations for GDPR compliance in ecommerce:

  • Ensure your existing users are made aware of how their personal data is currently being used by your brand and any third-parties.
  • On any future communications, be transparent in your messaging and make clear your intentions for usage of personal data.
  • Whenever and wherever you capture user/customer data, give individuals clear information on why you are asking for their personal information and how it will be used.
  • Any forms should give obvious opt-out options and have no pre-selected boxes for terms or marketing opt-in.
  • From the outset, when capturing data or sending marketing content/company information to users, give individuals control over what they receive in the future.
  • Ensure consumers only receive messages they’ve subscribed for/opted into and give them control and options to change their preferences and tailor the type of marketing content and information they receive.

Relevance is key when looking to improve your marketing content for the future.

The ICO’s 12-step plan for preparing for GDPR compliance is a good place to start, as it outlines some of the key areas to categorise for ensuring you’ve covered all bases when preparing for GDPR compliance. Check it out: 12 steps to preparing for GDPR

Delve into the ICO’s in-depth GDPR regulations once you feel you’re ready to start making changes to your processes and communications.

How do I ensure marketing consent on sign-up forms is GDPR compliant?

It’s crucial that retailers get clear consent from individuals to use their data for marketing purposes, such as email campaigns, phone-call follow-ups and direct marketing. GDPR outlines the following information that must be clearly displayed to users:

  • How personal information will be used and what it will be used for in the future
  • Who will be marketing to them, both the company and any third-party organisations that may be involved in processing the data
  • How and when users can opt-out of marketing and communications from your brand

GDPR stipulates that this should not be bundled together or mixed in with other terms and conditions. Blanket consent will not be accepted.

It’s all about clarity. Individuals’ data should be used only for the reasons stated, and if the purpose of the marketing changes, the consumer should be informed of this and allowed to confirm consent or opt out accordingly. This may require re-permission emails being sent out to individuals from your database. See this example from Litmus below:

GDPR email repermission campaign

GDPR best practice brand examples for data capture and marketing consent

If you want to see what this should look like, we’ve added a couple of brand examples of GDPR best practice, highlighting the ways they are compliant and also ways in which they could be improved. Take a look below.

Example 1 – Sainsbury’s:

GDPR ecommerce best practice from Sainsburys

This registration form from Sainsbury’s demonstrates good practice because:

  • It clearly differentiates the terms and conditions from the contact permission consent details
  • There are bold warnings about what individuals are about to consent to
  • The information states what consent will include, in terms of marketing and via which channels the individual should expect to receive communications
  • Consent is given actively via tick-boxes in order to register

Note: One way to improve this would be to separate the communication channels to give individuals greater control over their preferred channels!

Example 2 – Waitrose:

GDPR ecommerce best practice example from Waitrose

This consent form from Waitrose demonstrates GDPR compliance in the following ways:

  • There is a clear explanation of the intent of the brand for the use of consumer details
  • There is an assurance that data will be treated with respect, with Waitrose’s “Contact Promise”
  • It makes clear that Waitrose and associated companies (John Lewis & John Lewis Financial Services) can contact individuals with marketing communications, whilst enabling users to opt out of any or all three

Again, there are ways this could be improved, as users are required to click on each tick box where they don’t want to receive marketing messages!

Recommendations for Magento GDPR compliance

At the time of writing, GDPR compliance in ecommerce is still very much in cautious mode. Many retail brands, ecommerce platforms and CRMs are playing a slow game and not wanting to jump the gun. This has meant that a large number of merchants and marketers are still feeling uncertain and waiting for others to take the lead.

Therefore, we recommend that retailers take a largely platform-agnostic approach to GDPR in ecommerce initially, focusing on evaluating their own particular methods and processes for data capture and retention. Prepare for the deadline by putting in place best practices according to the regulations set out in the ICO’s Guide to the General Data Protection Regulation (GDPR). Get your legal team to check through your plan and focus predominantly on transparency for your customers.

Watch this space in terms of Magento-specific guidance, as we expect Magento to outline key GDPR guidance and recommendations in the near future to help merchants get it right. But try to get ahead and do your evaluation and process assessment now!

Approach GDPR as an opportunity to improve processes and customer experience

Although GDPR will have a big impact on retail and marketing, it’s not all doom and gloom! In fact, the new data regulations should be approached as an opportunity for brands to up their game, shun existing bad practices and improve customer experience.

The transparency encouraged by GDPR should help to build customer trust and consumer confidence. Clearer processes around data capture and data usage can create a better customer experience. It will lead to more clarity, for businesses and consumers, over what the purpose and intention of marketing and brand messages are and what value there is for the customer.

It should also help to cleanse databases and give individuals better control over the content they receive, whilst retail brands and ecommerce businesses can work harder to drive more tailored and relevant customer journeys.

Learn more about this approach to GDPR in our blog: GDPR in ecommerce: opportunity or pain in the £$$?

We hope this has given you a clearer view of what’s required of your business when preparing for GDPR compliance in ecommerce. Although it’s a big task for retailers and Magento users, it should be a little less daunting now! Remember, the key to compliance is transparency and more control for consumers.

Need help coordinating your GDPR compliance project? Our free Checklist for GDPR Compliance in Ecommerce will come in handy. Download the checklist now and get fully prepped!

If you’d like to chat with our ecommerce experts and Magento specialists, get in touch with our team or book a free consultation with our ecommerce strategists. Space 48 is a leading UK ecommerce consultancy and Magento website developer, based in Manchester. We’ve helped countless retailers create award-winning websites and effective omnichannel strategies. See how we can help you improve your performance!