gdpr-ecommerce

GDPR E-commerce

Overview

GDPR (General Data Protection Regulation) requires e-commerce stores serving EU/UK customers to obtain informed consent for data processing, provide data portability (Article 20), support the right to erasure (Article 17), and maintain a lawful basis for every category of personal data processing. Non-compliance carries fines up to €20M or 4% of global annual turnover. All major platforms have GDPR tools built in; the main gaps are cookie consent management and handling Subject Access Requests (SARs).

When to Use This Skill

  • When your store serves customers in the EU, EEA, or UK (UK GDPR)
  • When adding analytics, marketing, or personalization tools that process personal data
  • When a customer submits a Subject Access Request (SAR) or deletion request
  • When reviewing third-party integrations for GDPR compliance
  • When preparing for a data protection audit or DPA (Data Processing Agreement) review

Core Instructions

Step 1: Map your data processing activities

Before configuring any tool, document every category of personal data and its lawful basis. This Register of Processing Activities (RoPA) is required under Article 30 for large processors and recommended for all:

First Seen: Mar 16, 2026