GDPR Security Requirements for Online Stores: Technical Compliance Guide
Does GDPR Apply to Your Store
GDPR applies to your online store if you meet either of two criteria. First, if your business is established in the European Economic Area (EEA), which includes all EU member states plus Iceland, Liechtenstein, and Norway. Second, if you offer goods or services to individuals in the EEA, regardless of where your business is based. The second criterion catches most online stores because if a customer in France, Germany, or any other EEA country can place an order on your store, you are offering services to EEA residents. You do not need to actively target the EU market; simply having an accessible website that processes EU customer orders triggers the obligation.
Some stores attempt to avoid GDPR by adding a disclaimer that they do not accept orders from the EU, or by blocking EU IP addresses. IP blocking is unreliable because VPNs circumvent it, and a disclaimer does not actually prevent EU residents from ordering. If you accept credit card payments in euros or ship to EU addresses, GDPR unambiguously applies. The practical approach is to implement GDPR compliance for all customers, not just EU ones, because GDPR's requirements align closely with security best practices you should follow anyway, and because similar privacy laws (CCPA, UK GDPR, Brazil's LGPD, Australia's Privacy Act) impose overlapping requirements that a GDPR-compliant program satisfies.
Technical Security Measures Required by GDPR
Article 32 of GDPR requires you to implement security measures "appropriate to the risk," considering the state of technology, implementation costs, the nature of the processing, and the risks to individuals. The regulation specifically mentions four technical measures as examples.
Pseudonymization and encryption of personal data are the first measures GDPR names explicitly. Encryption means converting customer data into an unreadable format that requires a key to decrypt. For ecommerce, this means SSL/TLS encryption for all data in transit (already standard for any store processing payments) and AES-256 encryption for data at rest in your database and backups. Pseudonymization means processing personal data so it cannot be attributed to a specific person without additional information stored separately. In practice, this means using customer IDs rather than names in analytics and logs, separating identifying information from behavioral data where possible, and anonymizing data used for analytics and reporting when individual identification is not necessary.
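As an added illustration of the pseudonymization pattern described above (not code from the original guide or from any platform), the following Python keeps behavioural records keyed by a keyed pseudonym and holds the pseudonym-to-identity mapping in a separate store. The key value, the `IdentityVault` class and the `analytics_event` helper are constructed for this example.

```python
import hmac
import hashlib
import json

# Constructed example key. In production this lives in a secrets store that is
# kept separate from the logs and analytics data it protects, and is rotatable.
PSEUDONYM_KEY = b"constructed-example-key-rotate-me"


def pseudonymize(customer_email: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Derive a stable pseudonym for a customer identifier.

    HMAC-SHA256 rather than a bare hash: someone who obtains the logs but not
    the key cannot confirm a guess ("is alice@example.com in here?") by hashing
    candidate addresses themselves, which a plain SHA-256 would allow.
    """
    normalized = customer_email.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


class IdentityVault:
    """Identifying data, stored separately from the behavioural data.

    Re-identification needs access to this store; analytics and logs carry
    only the pseudonym.
    """

    def __init__(self):
        self._by_pseudonym = {}

    def register(self, email: str, name: str) -> str:
        pid = pseudonymize(email)
        self._by_pseudonym[pid] = {"email": email, "name": name}
        return pid

    def resolve(self, pid: str):
        return self._by_pseudonym.get(pid)


def analytics_event(pid: str, event: str, **props) -> str:
    """Serialise a behavioural record that carries the pseudonym only."""
    forbidden = {"email", "name", "address", "phone"}
    leaked = forbidden & set(props)
    if leaked:
        # Refuse rather than silently log direct identifiers.
        raise ValueError(f"identifying fields not allowed in analytics: {sorted(leaked)}")
    record = {"customer": pid, "event": event, **props}
    return json.dumps(record, sort_keys=True)
```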
Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems is the second requirement. Confidentiality means only authorized people can access customer data (implemented through access controls and authentication). Integrity means data cannot be modified without authorization (implemented through file integrity monitoring and database access controls). Availability means your systems and data are accessible when needed (implemented through reliable hosting, DDoS protection, and redundancy). Resilience means your systems can withstand and recover from attacks and failures (implemented through backup strategy and incident response planning).
Ability to restore access to personal data in a timely manner after a physical or technical incident is the third requirement. This is your backup and disaster recovery capability. You must be able to restore your store and its customer data from backups within a timeframe appropriate to your business, typically hours rather than days. Test your restoration process regularly to verify this capability.
Regular testing and evaluation of the effectiveness of your security measures is the fourth requirement. This means conducting regular vulnerability scans, periodic security audits, reviewing access controls and security configurations, and updating your security measures as threats evolve. Document your testing activities and results, because GDPR's accountability principle requires you to demonstrate compliance, not just achieve it.
Data Subject Rights Implementation
GDPR grants individuals specific rights over their personal data, and your store must have processes and, ideally, automated tools to fulfill these rights within 30 days of receiving a request.
Right of access (Article 15) means any customer can request a copy of all personal data you hold about them. You must provide the data in a commonly used, machine-readable format (CSV, JSON, or PDF are all acceptable). For ecommerce, this includes their account profile data, order history, shipping addresses, communication records, and any analytics data linked to their identity. Build a process to export this data efficiently. Most ecommerce platforms have a customer data export function. WooCommerce includes a personal data export tool under Tools, Export Personal Data. Shopify provides customer data export through the admin API.
Right to erasure (Article 17), commonly called the right to be forgotten, means customers can request deletion of their personal data. You must comply unless you have a legal obligation to retain the data (for example, tax records that must be kept for a legally mandated period, or order records needed for warranty claims). When you receive an erasure request, delete the customer's account and personal data from your ecommerce platform, remove them from your email marketing lists, delete their data from your analytics platforms (or anonymize it so it is no longer personally identifiable), and request deletion from any third-party processors who have received their data. WooCommerce includes a personal data erasure tool under Tools, Erase Personal Data. Document what data you retained and the legal basis for retention (typically "legal obligation" for tax records).
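The erasure workflow above, as an added Python example that is not part of the original guide and does not use any platform's real API: it deletes the profile and marketing subscription, strips identity fields from orders still inside a tax retention period, deletes orders outside it, anonymizes analytics events, and returns the record you keep to document what was retained and why. The `Store` dataclass, the seven-year retention period and all data are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

TAX_RETENTION_YEARS = 7  # constructed placeholder; use the period your tax law mandates


@dataclass
class Store:
    """Constructed in-memory stand-in for a store's data; not any platform's real API."""
    profiles: dict = field(default_factory=dict)      # customer_id -> {"email", "name"}
    orders: list = field(default_factory=list)        # dicts with PII and financial fields
    marketing_list: set = field(default_factory=set)  # subscribed email addresses
    analytics: list = field(default_factory=list)     # events keyed by customer_id
    processors: list = field(default_factory=list)    # third parties holding customer data


def process_erasure_request(store: Store, customer_id: str, today_iso: str) -> dict:
    """Erase one customer, keep only what a legal obligation requires, and document it."""
    profile = store.profiles.pop(customer_id, None)
    if profile is None:
        raise KeyError(f"unknown customer {customer_id}")
    store.marketing_list.discard(profile["email"])
    cutoff = (date.fromisoformat(today_iso)
              - timedelta(days=365 * TAX_RETENTION_YEARS)).isoformat()
    kept, retained, deleted = [], [], 0
    for order in store.orders:
        if order["customer_id"] != customer_id:
            kept.append(order)
        elif order["date"] >= cutoff:
            # Tax law obliges keeping the transaction record, not the identity fields:
            # keep the financial facts and strip name, email and address.
            kept.append({"order_id": order["order_id"], "date": order["date"],
                         "total": order["total"], "customer_id": "erased"})
            retained.append(order["order_id"])
        else:
            deleted += 1  # outside the retention period: no basis to keep it
    store.orders = kept
    # Analytics are anonymised, not deleted, so historical aggregates stay usable.
    for event in store.analytics:
        if event.get("customer_id") == customer_id:
            event["customer_id"] = "anonymous"
    return {  # the record you keep to demonstrate compliance
        "customer_id": customer_id,
        "erased_on": today_iso,
        "deleted_orders": deleted,
        "retained_orders": retained,
        "retention_basis": "legal obligation (tax records)" if retained else None,
        "deletion_requests_to_send": list(store.processors),
    }
```

The returned record is what you file alongside the request; the `deletion_requests_to_send` list is the reminder that the third-party processors still have to be asked to delete their copies.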
Right to data portability (Article 20) means customers can request their data in a structured, machine-readable format to transfer it to another service. In practice, this is similar to the right of access, but the emphasis is on providing the data in a format that another system can import. CSV and JSON are the standard formats. Your customer data export should include all data the customer provided directly (profile information, order details, addresses) in a structured format.
Right to rectification (Article 16) means customers can request correction of inaccurate data. For ecommerce, this typically means updating an incorrect address, fixing a misspelled name, or correcting an email address. Most stores handle this through account self-service (customers edit their own profile), but you must also accept and process rectification requests received through other channels like email or your contact form.
Consent Management and Cookie Compliance
GDPR requires that consent for data processing be freely given, specific, informed, and unambiguous. For ecommerce, the primary consent requirements relate to marketing communications and tracking cookies.
Marketing consent must be an affirmative opt-in action, not a pre-checked checkbox. When customers create an account or place an order, a separate, unchecked checkbox should ask whether they want to receive marketing emails. Do not bundle marketing consent with terms and conditions acceptance. Record the date, time, method, and specific text of the consent for each subscriber, because you bear the burden of proving consent was given. Your email marketing platform should store consent records automatically.
Cookie consent requires you to obtain consent before setting non-essential cookies, which includes analytics cookies (Google Analytics), advertising cookies (Facebook Pixel, Google Ads remarketing), and any other tracking cookies. Essential cookies required for the store to function (session cookies, cart cookies, authentication cookies) do not require consent. Implement a cookie consent banner that loads before any non-essential cookies are set, provides clear information about which cookies you use and why, allows granular consent (the customer can accept analytics but reject advertising cookies), and does not use dark patterns like making the "Accept All" button more prominent than the reject option. Popular cookie consent solutions for ecommerce include CookieYes ($10+/month), Complianz (free WordPress plugin with premium features), and Cookiebot ($12+/month). These tools automatically detect cookies on your site, block them until consent is given, and maintain a consent log for compliance documentation.
Breach Notification Requirements
GDPR Article 33 requires you to notify your supervisory authority (the data protection authority in the EU country where you have your main establishment, or where the breach affects residents) within 72 hours of becoming aware of a personal data breach. This is one of the most demanding timelines in any privacy regulation, and meeting it requires preparation.
Not every security incident is a notifiable breach. A breach requiring notification must involve personal data (customer names, emails, addresses, or payment information) and must be likely to result in a risk to individuals' rights and freedoms. A DDoS attack that causes downtime but does not expose personal data is not a notifiable breach. A malware infection that may have exposed customer email addresses and order history likely is.
Your breach notification to the supervisory authority must include: the nature of the breach (what data was affected, approximately how many individuals are affected), the name and contact details of your data protection contact, the likely consequences of the breach, and the measures you have taken or propose to take to address the breach and mitigate its effects. If the breach is likely to result in a "high risk" to individuals (for example, exposure of payment data or data that could be used for identity theft), you must also notify affected individuals directly, without undue delay.
Prepare for breach notification in advance by identifying your supervisory authority and their notification procedures, creating notification templates that you can fill in quickly during an incident, documenting a clear decision chain for who determines whether a breach is notifiable, and integrating breach assessment into your incident response plan. The 72-hour clock starts when you become "aware" of the breach, so having detection and assessment processes in place is critical for meeting the deadline.
Data Processing Agreements With Third Parties
Under GDPR Article 28, you must have a Data Processing Agreement (DPA) with every third party that processes personal data on your behalf. For a typical online store, this includes your hosting provider, your payment processor, your email marketing service, your analytics provider, your customer service tools, your shipping and fulfillment partners, and any other SaaS tool that receives customer data.
Most major technology companies provide standard DPAs that you can review and accept through their platforms. Google's DPA covers Analytics and Ads. Stripe, PayPal, and other processors include data protection terms in their agreements. Mailchimp, Klaviyo, and other email platforms provide downloadable DPAs. Review each DPA to verify it covers: what data is being processed and for what purpose, the duration of processing, the processor's security obligations, the processor's obligation to assist with data subject requests, the processor's obligation to notify you of breaches, restrictions on sub-processing (whether the processor can share data with their own third parties), and data deletion obligations when the processing relationship ends.
Maintain an inventory of all third-party processors, their DPA status, what data they receive, and when you last reviewed the agreement. Audit this inventory annually and when you add or remove third-party services. Remove access for any service you no longer use, and verify that they have deleted the data they previously processed on your behalf.
