GDPR Compliance for Merchants | FlavorCloud

Selling internationally successfully means managing many things, including branding, marketing, fulfillment, and customer service. Data privacy is a vital aspect too. It continues to increase in importance for consumers and has become an essential element of customer satisfaction and retention.

According to McKinsey, 87% of surveyed consumers said they would not do business with a company if they had concerns about its security practices. And the same study revealed that 71% would stop doing business with a company if it gave away sensitive data without permission.

Many of you have asked us to demystify GDPR and FlavorCloud is here to help. So, we created this guide with you in mind to make the regulation easier to navigate. We’re here to support you.

What is GDPR?

The General Data Protection Regulation, also known as GDPR, was created to give individuals across Europe greater control of their personal data. GDPR went into effect May 25, 2018. It makes businesses responsible for securing sensitive information.

The rules included in GDPR specify what companies can and cannot do with consumer personal data. Plus, the regulation requires clear justifications for collecting customer information and the use of technological measures to protect sensitive data.

Who Must Comply with GDPR?

At first glance, it might appear that being in the United States (US) means GDPR doesn’t apply to you. Unfortunately, it isn’t that simple. Since GDPR applies to European consumers’ personal data, the regulation applies to any business processing personal information for individuals located in Europe. So, GDPR applies to companies selling or marketing to, as well as employing, individuals with rights in the European Union (EU) and the UK, regardless of where the merchant is geographically located.

What Data is Protected by GDPR?

Personal data in the US usually consists of an individual’s name accompanied by some form of identifying information, like a social security, credit card, or bank account number. But under the GDPR, personal information means any piece of information that can be used to identify an individual. This type of information includes things like:

  • A consumer’s name
  • ID number
  • Location data
  • Online identifier
  • Religion
  • Ethnicity
  • Marital status
  • IP addresses
  • Cookie strings
  • Social media posts
  • Online contacts
  • Mobile device IDs

So, if you’re collecting any of this sort of information from consumers, potential customers, or employees with rights in Europe, you need to protect it accordingly.

Key Requirements of GDPR

The overarching objective of GDPR is to protect personal and sensitive information for all individuals with rights in Europe. And compliance with GDPR involves adhering to the following set of rules:

  • Legally gathering personal data which means obtaining freely-given, informed consent when requesting data.
  • Providing a clear privacy policy to ensure consumers understand how their information will be used.
  • Making it easy for consumers to withdraw consent to data collection.
  • Customers have the right to request that the merchant delete any previously collected data.
  • Merchants are required to implement technical and organizational measures to store personal data safely and securely.
  • Data breaches must be reported to the appropriate authority within 72 hours.
  • Merchants are responsible for processing personal data correctly and maintaining records demonstrating compliance with GDPR.

Follow these rules when gathering or storing information protected by this regulation. Otherwise, you risk incurring unwanted penalties or fines.

Non-compliance Penalties and Fines

You may have read that non-compliance with GDPR can cost businesses up to €20 million or 4% of their total revenue, but EU authorities impose fines on a discretionary basis. They often prefer to take actions that encourage businesses to enhance GDPR compliance.

These actions include issuing a warning, imposing a ban on data processing, ordering the correction or deletion of data, and suspending data transfers to non-EU countries. But failure to comply with data collection rules for children, processing or sharing data without obtaining consent, and retaining data longer than needed may result in greater penalties.

Bear in mind that there doesn’t have to be a data breach for a business to be considered non-compliant with GDPR. Any non-compliant action or lack of action can result in a penalty. For this reason, merchants need to be aware of the GDPR requirements listed above. And be sure to pay careful attention to “special category data” as covered in Article 9 of GDPR. This type of data includes any Personal Data relating to:

  • Race
  • Ethnic origin
  • Political affiliation
  • Religion
  • Trade union membership
  • Genetics
  • Biometrics (where used for ID purposes)
  • Health
  • Sexual orientation

So, how do you adhere to GDPR and avoid penalties?

Compliance Checklist

This regulation may seem a bit overwhelming, but it’s important to first understand the requirements and risks associated with GDPR. Now we’re going to walk through a checklist of actions to ensure your business is compliant with the regulation requirements. Fortunately, if you outsource a lot of your data retention to a third-party service, they are most likely already compliant, and this will save you a lot of effort. In that case, all you’ll need to do is confirm your service provider is complying with GDPR.

  1. Complete a data audit – Determine what types of personal or sensitive data you collect. Then review how you use or share it inside and outside your organization.
  2. Secure your data – GDPR requires the use of encryption and other technological safeguards when storing personal or sensitive data. So, make sure to limit access to data by using passwords and store data only where it is accessible to authorized people. Plus, take steps to anonymize data so it can’t be used to identify a specific individual. This can be done by adding data field-level encryption in addition to database encryption.
  3. Complete a risk assessment – This step aims to identify weaknesses in data security in terms of access, storage, and processing. It’s best to complete such an assessment and then document steps taken to address any weaknesses. Retain this documentation or a formal Data Protection Impact Assessment (DPIA) completed by a third party. This demonstrates your effort to comply with GDPR when dealing with authorities in the event of a data breach or other GDPR-related issue.
  4. Create or update a privacy policy – Ensure your privacy policy clearly states and specifies why you collect data and for what purpose. Then be sure to review and update it whenever changes to data privacy regulations apply to your business.
  5. Review contracts – If you have contracts in place with entities with EU rights, make sure proper verbiage is included in your contracts, so they are compliant with the regulation.
  6. Implement a consent process – It is necessary to have a consent process in place whenever receiving personal or sensitive data on your website or during the checkout process. This includes sharing your privacy policy, gaining consent from individuals providing information, recording these consents, and managing them.
  7. Assign responsibility – It is advisable to assign the responsibility of Data Protection Officer (DPO) to someone in your organization, regardless of business size. This person monitors, updates, and ensures compliance when accepting, storing, and processing personal or sensitive data.
  8. Prepare to honor individuals’ rights – The regulation requires fulfillment of what is referred to as “data subjects rights” within 30 days of a request. This might include requests to withdraw consent and/or to have their data deleted from your records completely. Simplify this by putting a request form in place either on your website or ecommerce store. This ensures a better customer experience and facilitates the merchant’s process.
  9. Create a report plan – GDPR requires notification of data protection authorities within 72 hours of recognizing the occurrence of a data breach. There are several causes of such an event, including human error, technological failings, or cybercrime. Regardless of the reason, the release of confidential information must be reported in the designated timeframe. Simplify this by preparing a plan to facilitate this process if the need arises.
  10. Audit service providers to ensure compliance – Many merchants forget to do this, which can lead to serious problems. Review contracts with all third-party service providers such as communications systems, payroll, cloud storage tools, or anything stored in the cloud. Ensure these providers are all compliant with GDPR since merchants are ultimately held responsible for the secure storage and handling of this data.


Remember, you need to comply with GDPR even if you have only one person you are marketing to, selling to, or employing who has rights under the EU and UK. If you are selling or marketing globally, chances are if you don’t already have dealings with someone with these rights, you soon will. So, if you haven’t already started taking these steps, work through our compliance checklist to ensure you are compliant with GDPR.

Still have questions? Contact FlavorCloud. We’re here to help!