Data Protection and GDPR for Shopify Store Owners

Data protection is not only a legal necessity, but also crucial in business maintenance. With ecommerce expected to hit $4.5 trillion sales by 2021, compliance is becoming increasingly important.

Written by Jason

5 min read

As the leading ecommerce platform, Shopify’s software solutions offer a range of powerful services like domain creation, hosting, template designs, app development, inventory management, user profiles, order fulfilment, integrated payment systems, shipping, customer engagement tools, marketing and even tax compliance – all to simplify the process of creating and running an online store.

But with the evolution of such a powerful platform comes an unavoidable and significant responsibility: data protection and compliance.

Data protection is not only a legal necessity, but also a crucial component in your overall business maintenance. With ecommerce expected to hit $4.5 trillion sales by 2021, the topic of data protection and compliance is becoming increasingly important.

Data is your company’s most valuable asset

Relevant data creates strong strategies, generates insight on marketing performance, identifies major opportunities and helps you spot and manage trends. Customer satisfaction is the most important driver of ecommerce success, so the data you collect on behaviour and experience is indispensable.

Using a tracking tool like Google Analytics gathers dimensions and metrics that allow you to understand:

  • Audience types
  • Locations
  • Acquisition channels
  • Behaviour and interaction
  • Conversions

Don’t stress! Engaging with this sort of aggregated data does not put you in breach of anything. Since you’re not collecting anyone’s personal information, you can use it freely to make strategic and tactical business decisions.

But if you’re running an ecommerce store then you’re gathering highly sensitive information too, and this must be handled with great care!

Understanding personal data protection regulations

The first important thing is to understand exactly what ‘personal data’ means. It includes:

  • Name
  • Email address
  • Mobile phone number
  • Bank account details
  • Residential or Postal Address
  • Credit card number
  • Driver/passport number
  • Genetic or biometric data

Your company can face grave consequences – both financially and reputationally – if it is non-compliant with the laws and regulations that protect personal data. These include the Data Protection Act (1998), the Privacy and Electronic Communications Regulations (2003) and the General Data Protection Regulation (2018).

The Data Protection Act was put in place over twenty years ago to ensure that government, organisations and businesses keep personal data accurate, safe and secure. The primary concern is to protect individuals against misuse or abuse of information about them. If you’re running a successful company, you probably know all about it already and are surely doing it right. But it’s always best to do routine checks and maintain your knowledge so that you can ensure full and ongoing compliance!

Last year’s introduction of the GDPR, however, brought panic to business owners across the country. Enforcing these regulations brought sweeping change to the way company owners may collect, handle and manage the personal data of EU citizens. Many business owners are still not sure what exactly this entails, or how it will impact the way they are currently running their business.

Five things you must know about GDPR:

1. Ethical principles

The wave of change may seem overwhelming, but the truth is, it’s for a good cause. Some of the most important principles of the GDPR, set out to protect the personal data of all individuals, include:

  • Data collection, management and use should be lawful, fair and transparent.
  • Data collection must be limited to specified, explicit and legitimate purposes.
  • Data stored must be kept accurate and up to date.
  • Storage must be limited: data may be kept in a form that identifies data subjects for no longer than is necessary.
  • Personal data should be processed in a manner that ensures confidentiality and integrity.

2. Consent

Your users must give clear consent before you can send them any form of marketing material directly. In other words, they must personally choose to opt-in to your marketing content; relying solely on an opt-out option is no longer a feasible solution.

Well, it doesn’t sound like much has changed, does it? This sort of consent has already formed part of good marketing practice. The only difference is that you may now have to look again at the way you’re asking users to opt in – an ideal opportunity to enhance your strategy. If this is a situation you still need to rectify, some robust user behaviour analysis and a dose of creativity will solve your problem.

Remember, you’re also responsible for explaining exactly what you’re using their personal information for, before even asking for an opt-in. Use this interactive content spot wisely!

3. The right to erasure

Users now have the right to request that their personal information is erased from your database completely. This goes beyond the opt-out option. If someone no longer wants to exist in your data, it’s your responsibility to make them disappear.

It sounds like a simple request, but considering the number of platforms you may have retrieved their data from, this can quickly turn into a tall order. Here, marketing automation platforms will save you a lot of time and manpower.

4. Pseudonyms and encryption

Marketers need to start thinking about pseudonymisation because indirect identification of personal data is now taken into great consideration. Pseudonymisation is a procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers or pseudonyms. This means a combination of certain data fields can’t lead to someone’s identity being revealed.
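The pseudonymisation procedure described above, together with the erasure request from the earlier section, as an added example in Python. This is not code from the original article or from Shopify: the customer orders are constructed sample data, and the field names, the `Pseudonymiser` class and its key are assumptions for illustration. Direct identifiers (name, e-mail, phone, address) are stripped from the working copy and replaced by a single keyed token, so the working rows still support per-customer analytics but cannot be tied to a person without the separately held lookup table; honouring an erasure request then means deleting that person's entry from the table.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Optional

# Constructed sample orders; the names, e-mails, phones and addresses are made up.
SAMPLE_ORDERS = [
    {"order_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "phone": "+44 7700 900001", "address": "1 High St, Leeds", "country": "GB", "total": 42.50},
    {"order_id": 1002, "name": "Bob Sample", "email": "bob@example.com",
     "phone": "+44 7700 900002", "address": "2 Rue Test, Paris", "country": "FR", "total": 19.99},
    {"order_id": 1003, "name": "Alice Example", "email": "Alice@Example.com",
     "phone": "+44 7700 900001", "address": "1 High St, Leeds", "country": "GB", "total": 7.00},
]

# Fields that identify a person directly (an assumed set for this example).
# They are removed from the working copy and replaced by one artificial identifier.
DIRECT_IDENTIFIERS = ("name", "email", "phone", "address")


class Pseudonymiser:
    """Replace direct identifiers with a keyed pseudonym.

    The pseudonym is an HMAC-SHA256 of the normalised e-mail address under a
    secret key, so a repeat customer keeps the same pseudonym (per-customer
    analytics still work) while the pseudonym reveals nothing on its own.
    The mapping back to the real fields lives in a separate table that should
    be stored and access-controlled apart from the working data.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self._lookup: dict = {}  # pseudonym -> original identifying fields

    def pseudonym_for(self, email: str) -> str:
        normalised = email.strip().lower().encode()
        return hmac.new(self.key, normalised, hashlib.sha256).hexdigest()[:20]

    def pseudonymise(self, record: dict) -> dict:
        """Return a copy of `record` with the direct identifiers replaced by `customer_ref`."""
        ref = self.pseudonym_for(record["email"])
        identity = {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}
        # First sighting wins: the table links each pseudonym to one identity.
        self._lookup.setdefault(ref, identity)
        working = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        working["customer_ref"] = ref
        return working

    def reidentify(self, ref: str) -> Optional[dict]:
        """Look the real identity back up; None once the mapping has been erased."""
        return self._lookup.get(ref)

    def erase(self, email: str) -> bool:
        """Honour an erasure request by dropping the mapping, so the pseudonymised
        rows can no longer be tied back to the person. Returns True if an entry existed."""
        return self._lookup.pop(self.pseudonym_for(email), None) is not None


def orders_per_country(working_rows: list) -> dict:
    """Analytics over the pseudonymised copy needs no personal data at all."""
    return dict(Counter(row["country"] for row in working_rows))


def demo(key: bytes = b"constructed-demo-key-do-not-reuse") -> dict:
    """Run the whole flow on the sample orders and return the observable results."""
    p = Pseudonymiser(key)
    working = [p.pseudonymise(o) for o in SAMPLE_ORDERS]
    leaked = [k for row in working for k in row if k in DIRECT_IDENTIFIERS]
    before = p.reidentify(working[0]["customer_ref"])
    p.erase("alice@example.com")
    after = p.reidentify(working[0]["customer_ref"])
    return {
        "working": working,
        "leaked_fields": leaked,                       # expected: []
        "same_customer": working[0]["customer_ref"] == working[2]["customer_ref"],
        "reidentified_before_erase": before,           # Alice's identity
        "reidentified_after_erase": after,             # None after erasure
        "per_country": orders_per_country(working),    # {"GB": 2, "FR": 1}
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, "->", value)
```

The point of keying the token with a secret rather than using a plain hash is that an e-mail address is low-entropy: anyone holding only the working rows could otherwise guess-and-hash addresses to re-identify customers. Erasure deletes the mapping rather than the orders themselves, which is why the per-country figures are unchanged before and after the request.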

The GDPR has also highlighted encryption as one of the most appropriate organisational and technical measures to ensure data protection. End-to-end encryption is better than server-side encryption because through end-to-end-encryption, cloud service providers can never access the contents of user files, and so re-identification is not possible.

If you want to understand more about end-to-end encryption and how it complies with GDPR, make sure to read Tresorit’s eBook on compliance - Managing your data: a concise guide to getting ready for the GDPR. This guide also has a few actionable tips on what you and your company should do to prepare your data management processes for the GDPR – if you haven’t already been doing so.

5. Scope beyond the EU

Even though the GDPR is an EU regulation, its rules apply to any organisation that is storing or processing data about an EU citizen, irrespective of their geographic location.

Data flows between EU nations and third countries are also now more heavily regulated, unless an adequacy decision about a specific country has been made by the Information Commissioner’s Office. This means that if a country’s data protection law is in line with the GDPR, it may be granted permission for data flows.

So far only a few countries have been approved, namely Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. Should Brexit arrive, it is expected that the Commission will adopt an adequacy decision in relation to the UK, as long as the Government commits to keeping up with changes to the GDPR.

The impact of GDPR on small businesses

Unfortunately, the rollout of the GDPR brought quite a burden onto the SME sector. According to the Federation of Small Businesses (FSB), the implementation cost of these regulations reached around £6 billion!

More so, the regulations have increased the annual costs that SMEs incur when dealing with personal data, placed tighter restrictions on their ability to efficiently utilise personal data and constrained their scope for innovation through data.

Because of this, the FSB has initiated a ‘partnership approach’ with the Information Commissioner’s Office aimed at alleviating some of the pressure that smaller companies face from this change. By creating an open regulatory environment where one can seek guidance and support, businesses can experience a smoother and more cost-efficient transition towards GDPR compliance.

If you are running a store on Shopify – or on any other ecommerce platform - then you’re constantly retaining, storing and handling a bulk of personal data. It’s critical that you know exactly what GDPR means to your business.

The key takeaway

At the end of it all, data protection and compliance is set out to prevent cybercrime, and to stop massive corporations from neglecting their civic duties in pursuit of bigger profits. As business owners, it’s our responsibility to make sure that end-users have control over their personal data, and that they feel safe when interacting with our brands across different online platforms. You, as a consumer, would surely want the same thing when it comes to your own personal data.

If you’re complying with data regulations, you’re building trust between brand and consumer, which is fundamentally ensuring the success of your online business. So if you haven’t already started implementing compliance procedures, now’s a good time to start! Chat to us if you need to know more about Shopify, and we’ll explain how we create compliant ecommerce environments that support your online success.

Who we are

We are one of the world’s most trusted and experienced Shopify Plus Partners. A full-service, fully in-house digital agency of over 50 talented people, we’ve helped hundreds of ambitious brands exceed their goals.

What we do

Eastside Co leads the way in UX-focused Shopify web design, results-driven marketing strategies, and best-in-class Shopify applications and software. We help online businesses escape the ordinary and achieve ecommerce success.
