How can e-shops comply with the GDPR and security requirements?

This is a practical guide to help e-commerce businesses follow the rules and protect the privacy of their customers.


1. Legal Basis for Processing

Before processing any client data, the business needs to define the legal basis under Article 6 of the GDPR on which the processing rests. For an e-commerce shop there are three eligible bases, namely:

  • contract with an individual to provide the services;
  • consent of the individual;
  • legitimate interest of the e-commerce company.

The most commonly used basis is the contract. It covers the data necessary to buy goods (name, phone number, email and, for delivery, address).

For all other purposes, i.e. those not necessary for entering into or performing the contract with the individual, consent or legitimate interest can be chosen depending on the circumstances and any other legal requirements.


2. Inform the Individual

On the website there should be a Privacy Policy/Notice which informs consumers of at least the following:

  • legal bases for processing;
  • contact details of the e-shop, namely who is processing the data (legal address, phone number, email);
  • what personal data is processed and for what purposes. For example, sending the goods to the customer is a purpose (covered by the contract as the legal basis); the personal data necessary for it may include full name, address and phone number/email;
  • to whom data may be disclosed and under what circumstances. For example, to deliver the goods the company uses third-party delivery services to which it passes the customer's data;
  • how long the business will keep the consumer's data. It is not enough to say that the data will be kept "as long as necessary". The policy must specify a period (e.g. 3 or 6 months) or an event (e.g. return of the goods);
  • how customers can delete their accounts if they wish;
  • rights which individuals have under the GDPR and how to exercise them (Articles 12-23).

IMPORTANT:

Do not make consumers "Agree to the Privacy Policy". The Privacy Policy is a purely informative document: its purpose is to tell individuals how their data is used. It does not form part of the Terms of Use, which are a contract between the seller and the consumer.


3. Direct Marketing

In simple words, direct marketing is the communication of information designed to promote, directly or indirectly, the supply of goods or services on behalf of a service provider.

The legal basis for this is either consent or legitimate interest.

The rules differ between EU countries. You can look at how it is governed in Scandinavia, the Baltics and Central European countries.

However, there are two main possibilities:

  • sending direct marketing to existing clients, i.e. those who have already bought something, not those who merely registered on the website. In most jurisdictions (but not everywhere!) consent is not required for this; it can be based on legitimate interest (the "soft opt-in" of Article 13(2) of the ePrivacy Directive). However, each such communication must contain an "unsubscribe" option: individuals must be able to opt out at any moment.
  • sending direct marketing to everyone else. In this case consent is a must. The consent must comply with Articles 4 and 7 of the GDPR and must be separate from any other purpose: one purpose, one consent.

4. Security Measures


Two-Factor Authentication

When a customer already has an account in the online store, it is wiser to offer multi-factor authentication on top of the password than to rely on the customer inventing yet another complicated password. Often called two-factor or multi-factor authentication (2FA/MFA), this approach boosts security by requiring two independent proofs of identity at sign-in.

Popular ecosystems such as Google, Microsoft and Apple use the same principle: after entering a password, the user must supply a one-time verification code. The code can be delivered via SMS or e-mail or, ideally, generated on the user's phone by a dedicated authenticator app. SMS passes through several intermediary carriers, which can delay or block the message, and it is exposed to SIM-swap fraud and interception; e-mail codes are only as safe as the mailbox. Authenticator apps avoid these pitfalls because the code is computed on the device itself and never travels over a network. In short, two-factor authentication greatly improves protection because account access now depends on both something the user knows (the password) and something they possess (the phone).


Use of Password

When an online store lets shoppers create their own passwords, it should spell out clear guidance on length and character choice. Best practice is to permit long passphrases, accept every character type, and block obviously weak choices such as passwords that appear in published breach lists. These tips can appear in an info pop-up beside the password field. Each account should have its own unique, strong password.

Recommended rules include:

  • the minimum length of a password should be at least 15 characters;
  • use a passphrase rather than a single-word password;
  • the same password should not be used in different environments and should not be easily deducible from passwords used in the past;
  • do not require or suggest the use of password hints (e.g. mother's maiden name, pet's name).

If the store initially issues a default or temporary password, it must still meet the same criteria. The customer should be required to replace it quickly, and after the deadline it should stop working. An even safer design is to block login entirely until a new password has been set. Finally, never send passwords in clear text by email; send a time-limited, single-use link instead.
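As an added example (not code from the guide), the following Python applies the rules above when a customer chooses a password and implements the single-use, time-limited link recommended instead of e-mailing a temporary password. The breached-password list, the account identifiers and the URL are constructed placeholders.

```python
import hashlib
import re
import secrets

MIN_LENGTH = 15
# Constructed stand-in for a breached-password list. In production check against a large
# list or the Have I Been Pwned range API instead of this handful of entries.
WEAK_PASSWORDS = {"password123456789", "qwertyuiopasdfghj", "123456789012345"}


def check_password_policy(password: str, identifiers=()) -> list:
    """Return the list of rule violations; an empty list means the password is acceptable.
    `identifiers` are things an attacker already knows about the account (e-mail, user name)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in WEAK_PASSWORDS:
        problems.append("appears in a list of known weak or breached passwords")
    if re.fullmatch(r"(.)\1*", password):
        problems.append("single repeated character")
    if re.fullmatch(r"(.+?)\1+", password):
        problems.append("short pattern repeated to reach the length")
    for ident in identifiers:
        if ident and ident.lower() in password.lower():
            problems.append(f"contains the account identifier {ident!r}")
    return problems


class PasswordSetupLinks:
    """Single-use, time-limited links for setting the first password or resetting one.
    Only a hash of the token is stored, so a copy of the database yields no usable links."""

    def __init__(self, ttl_seconds: int = 3600):
        self.ttl = ttl_seconds
        self._pending = {}  # sha256(token) -> (user_id, expires_at)

    def issue(self, user_id: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness: not guessable
        key = hashlib.sha256(token.encode()).hexdigest()
        self._pending[key] = (user_id, now + self.ttl)
        return f"https://shop.example/set-password?token={token}"  # placeholder URL

    def consume(self, token: str, now: float):
        """Return the user id the link was issued for, or None if it is unknown, used or expired."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(key, None)  # pop: the link works exactly once
        if entry is None:
            return None
        user_id, expires_at = entry
        if now > expires_at:
            return None  # past the deadline the link stops working, as recommended above
        return user_id


if __name__ == "__main__":
    print(check_password_policy("Tr0ub4dor&3", ["anna@example.com"]))
    links = PasswordSetupLinks(ttl_seconds=900)
    print(links.issue("user-42", now=0))
```

The policy function returns every violation at once so the pop-up beside the password field can list them; a real deployment would also consult a large breach corpus rather than the three-entry set constructed here.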


External Service Providers

E-shops frequently depend on a wide range of third-party service providers, including payment processors, analytics platforms and marketing tools. Outsourcing is the contracting out of activities necessary for the day-to-day running of a business (e.g. IT development and management, cash handling, administration, human resources, accounting, property management, transport).

Although these providers furnish services that are essential for an e-shop, they also introduce security and compliance risks. E-stores remain ultimately responsible for ensuring that any third party processing customer data on their behalf meets the required data-protection standards. Failure to ensure the security of an external service provider can lead to breaches that affect the e-store's customers and expose the company to regulatory enforcement or damage claims.

To mitigate these risks, it is essential to choose service providers that meet data-protection requirements and to have clear data-processing agreements that set out security expectations, data-protection safeguards and other essential requirements. Companies should also audit suppliers to assess their security practices, incident-response capabilities and data-protection measures. Regular review of third-party contracts, together with rigorous access controls, encryption and monitoring, helps to ensure that external partners maintain the same level of data security as the e-shop operator. By proactively managing third-party risks, sellers can strengthen overall security and maintain customer trust.


Specific Security Measures for the E-commerce Platform

The following is a selection of security measures that an e-commerce operator could and should implement to ensure the secure processing of personal data. This is an indicative list and is subject to change over time and depending on the situation. It is important for the e-shop owner to ensure that the appropriate measures are in place for the specific risk identified. Examples of risks for the e-shop owner include leakage of user data due to an external attack or technological failure, employee error, ransomware attacks, outdated software or any other situation that results in personal data being exposed, destroyed or inaccessible. When setting up an e-shop, these risks should be mapped and, if necessary, a further data protection impact assessment should be carried out. It is advisable to review the risks periodically, also in the light of technological developments.


ABC of Data Security

Protecting an online store involves much more than setting strong passwords. Up-to-date, relevant software solutions are equally crucial for reducing an e-shop’s exposure to breaches and meeting other security requirements.

To avoid cyber incidents and data leaks, you should:

  • keep every piece of software continuously updated;
  • implement two-factor authentication for both shopper and administrative accounts;
  • maintain thorough logging and reliable backups;
  • monitor information systems around the clock;
  • close any unnecessary remote-desktop connections;
  • ensure that internal-use applications are never reachable from the public internet;
  • test information systems on a regular schedule to uncover vulnerabilities;
  • provide ongoing security training to employees and partners.

It is also wise to appoint an independent information-security manager, prepare a crisis plan, and cultivate strong cyber-hygiene practices with adequate resources.

More specifically, the data controller must:

  • block unauthorised individuals from accessing data-processing equipment or media (external hard drives, USB sticks, CDs, DVDs, etc.);
  • stop unauthorised reading, copying, deletion, or storage of data;
  • keep audit trails that reveal after the fact who accessed, saved, modified, or deleted what, when, and to what extent;
  • record, again a posteriori, to whom, when, why, and how personal data were transmitted;
  • restrict staff access so employees only see the data and processing operations required for their duties: excessive rights threaten confidentiality, availability and integrity;
  • organise day-to-day work so that all data-protection obligations are met;
  • ensure that anyone processing personal data under the controller's authority receives suitable training and is informed of each security update.

You must also secure your email domains so that no one can spoof them and send messages on your behalf. To make e-commerce email spoofing as difficult as possible, deploy SPF, DKIM, DMARC, MTA-STS, DNSSEC and DANE. SPF publishes which hosts may send mail for the domain, DKIM signs outgoing messages, and DMARC tells receivers what to do when a message fails both checks and where to send reports; MTA-STS and DANE prevent an attacker from downgrading the TLS connection on delivery, and DNSSEC protects the DNS records that all of these depend on.
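What those records look like, and what a weak configuration looks like next to a corrected one, is easiest to see in code. The following Python is an added example, not from the guide or from any particular tool: it audits the SPF, DKIM, DMARC and MTA-STS TXT records of a domain. The records are constructed for the hypothetical domain shop.example and are passed in as a dictionary so that the check runs offline; a real audit would fetch them with a DNS library such as dnspython. DNSSEC and DANE need a validating resolver and TLSA lookups and are not covered here.

```python
# Constructed TXT records for the hypothetical domain shop.example; not real DNS data.
WEAK_RECORDS = {
    "shop.example": "v=spf1 include:_spf.mailer.example ?all",  # ?all: forged senders are "neutral"
    "_dmarc.shop.example": "v=DMARC1; p=none",                  # monitor only, nothing is rejected
}

HARDENED_RECORDS = {
    "shop.example": "v=spf1 include:_spf.mailer.example -all",   # -all: anything else hard-fails
    "mail._domainkey.shop.example": "v=DKIM1; k=rsa; p=PUBLICKEYBASE64",  # placeholder key
    "_dmarc.shop.example": "v=DMARC1; p=reject; rua=mailto:dmarc@shop.example; adkim=s; aspf=s",
    "_mta-sts.shop.example": "v=STSv1; id=20240601",              # the policy itself is served over HTTPS
}


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' record (DMARC, DKIM, MTA-STS) into a dict with lower-case keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_mail_domain(domain: str, records: dict) -> list:
    """Return a list of findings; an empty list means the domain is configured as recommended."""
    findings = []

    spf = records.get(domain, "")
    if not spf.startswith("v=spf1"):
        findings.append("SPF: no record, so any host can claim to send for the domain")
    else:
        last = spf.split()[-1].lower()
        if last in ("+all", "all", "?all"):
            findings.append(f"SPF: ends with '{last}', which lets forged senders pass; use -all")
        elif last == "~all":
            findings.append("SPF: '~all' only soft-fails forgeries; use -all once DMARC enforces")

    has_dkim = any(
        name.endswith("._domainkey." + domain) and parse_tags(rec).get("p")
        for name, rec in records.items()
    )
    if not has_dkim:
        findings.append("DKIM: no selector with a public key, so messages are not signed")

    dmarc = parse_tags(records.get("_dmarc." + domain, ""))
    if dmarc.get("v") != "DMARC1":
        findings.append("DMARC: no record; receivers have no policy for failed SPF/DKIM")
    else:
        if dmarc.get("p", "none") == "none":
            findings.append("DMARC: p=none means spoofed mail is still delivered; move to quarantine, then reject")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so you receive no aggregate reports")
        if int(dmarc.get("pct", "100")) < 100:
            findings.append("DMARC: pct<100 applies the policy only to a sample of messages")

    if parse_tags(records.get("_mta-sts." + domain, "")).get("v") != "STSv1":
        findings.append("MTA-STS: no record, so TLS to your MX can be downgraded by an attacker")

    return findings


if __name__ == "__main__":
    for label, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(label, audit_mail_domain("shop.example", recs) or "OK")
```

The usual rollout order is the one the findings hint at: publish SPF and DKIM, start DMARC at p=none with a reporting address, read the reports until every legitimate sender is covered, then move to p=quarantine and finally p=reject.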


Keeping Passwords Secure

Passwords must never be stored in clear text on the server. Yet the server still needs a way to verify that a login attempt is correct. The solution is to store passwords using hashing and salting.

Hashing is a one-way process: the same input (password or document) always produces the same digest, while recovering the input from the digest is practically impossible. Because identical inputs always share the same hash and any change, however small, yields a different one, an unsalted password table reveals which users share a password and can be attacked with precomputed tables.

Salting fixes this by mixing a unique, random value into each password before hashing, so that even identical passwords produce different hashes and every account has to be attacked separately if the hashed database is stolen. The hash function itself should be a dedicated, deliberately slow password-hashing function (Argon2, scrypt or bcrypt) rather than a fast general-purpose hash such as MD5 or SHA-256, which can be guessed at billions of attempts per second on commodity GPUs. For these reasons salted password hashing is strongly recommended, and clear-text storage is unacceptable.
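To make the difference concrete, the following Python is an added example (not the guide's code) that stores passwords with scrypt, a memory-hard password hash available in the standard library, next to the unsalted fast hash that must not be used. The stored string carries the cost parameters and the salt, which is the format most password libraries use so that the cost can be raised later without breaking existing accounts. The cost parameters are conventional values, not a recommendation from the guide.

```python
import hashlib
import hmac
import secrets

# scrypt cost parameters: N=2**14, r=8, p=1 (about 16 MiB of memory per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def unsalted_hash(password: str) -> str:
    """What NOT to do: a fast, unsalted hash. Identical passwords collide, so a stolen table
    shows who shares a password, and precomputed tables or GPUs recover common ones quickly."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted, memory-hard hash. A fresh 16-byte salt is generated for every call."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the parameters and salt stored alongside it and compare
    in constant time. Malformed stored values are treated as a failed login."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2)
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("unsalted, same twice:", unsalted_hash(pw) == unsalted_hash(pw))
    h1, h2 = hash_password(pw), hash_password(pw)
    print("salted, differs:", h1 != h2, "both verify:", verify_password(pw, h1) and verify_password(pw, h2))
```

Because the parameters travel with the hash, a shop can raise SCRYPT_N in a year and re-hash each user's password transparently at their next successful login; old entries keep verifying with the values recorded in them.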

For consumers, a password manager is invaluable. It generates a unique, strong password for each site, reducing the chance that multiple accounts are compromised by a single leak. It also removes the burden of memorising passwords and can auto-fill login fields. Popular managers include LastPass, Bitwarden, 1Password, Dashlane, and KeePass.

When your shop relies on passwords combined with multi-factor authentication, ensure that sessions and authentication tokens do not last indefinitely (expire them both after a period of inactivity and after an absolute lifetime), and cap the number of incorrect password attempts allowed.

Example: Some shoppers simply close the browser tab instead of logging out. The session on the e-commerce server may remain valid for some time, giving anyone who obtains the session cookie, or sits down at the same browser, a window to reuse that active session without having to authenticate.
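The following Python is an added example, not part of the guide, of the two controls just described: a server-side session store with both an idle timeout and an absolute lifetime, and a per-account limiter for failed logins. The timeout and lockout values are parameters; the defaults shown are conventional choices, not requirements from the guide.

```python
import secrets


class SessionStore:
    """Server-side sessions with an idle timeout and an absolute lifetime, so a tab that was
    closed without logging out does not stay usable indefinitely."""

    def __init__(self, idle_seconds: int = 15 * 60, absolute_seconds: int = 12 * 3600):
        self.idle = idle_seconds
        self.absolute = absolute_seconds
        self._sessions = {}  # session id -> {"user", "created", "last_seen"}

    def create(self, user_id: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)  # 256-bit random id: cannot be guessed or enumerated
        self._sessions[sid] = {"user": user_id, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid: str, now: float):
        """Return the user id for a live session, or None (and forget the session) if it expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > self.idle or now - s["created"] > self.absolute:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def revoke_user(self, user_id: str) -> int:
        """Log a user out everywhere, e.g. after a password change. Returns the number revoked."""
        doomed = [sid for sid, s in self._sessions.items() if s["user"] == user_id]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


class LoginThrottle:
    """Cap failed attempts per account and lock the account for a cooling-off period."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 15 * 60):
        self.max_failures = max_failures
        self.lockout = lockout_seconds
        self._state = {}  # account -> (failure count, locked_until)

    def allowed(self, account: str, now: float) -> bool:
        _, locked_until = self._state.get(account, (0, 0))
        return now >= locked_until

    def record(self, account: str, success: bool, now: float) -> None:
        if success:
            self._state.pop(account, None)  # a good login clears the counter
            return
        count, locked_until = self._state.get(account, (0, 0))
        count += 1
        if count >= self.max_failures:
            self._state[account] = (0, now + self.lockout)  # lock, and restart the count
        else:
            self._state[account] = (count, locked_until)
```

The session id must only ever travel in a cookie marked Secure, HttpOnly and SameSite, and the session should be re-created with a new id at login. A per-account lock can be turned into a denial of service against a victim by anyone who knows their e-mail address, so production systems pair it with per-IP limits, progressive delays or a CAPTCHA rather than a hard lock alone.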


Use of Cookies and Tracking Pixels

Websites rely on two broad categories of cookies: essential cookies and additional cookies.

Essential cookies, such as authentication cookies, session cookies and language-preference cookies, do not measure anything; they enable the fundamental functions of the site and do not require consent.

Additional cookies, such as analytical or advertising cookies, can identify a person directly or indirectly and therefore require the user's prior, freely given consent. That consent must be fully informed: users must be told how long the cookies remain active and whether third parties have access to the data. These details belong in the site's cookie/privacy policy, and withdrawing consent must be as easy as giving it.

Example: When an online shop can tell the difference between a first-time visitor and a repeat customer, that distinction is almost certainly derived from cookies.


Tracking pixels

Tracking pixels are tiny, invisible graphic elements embedded in a webpage's or email's code. When a consumer opens a marketing email from the online store or views a page of the store, the pixel is fetched from the store's (or a third party's) server. This tells the store owner if and when the email was opened and which parts of the e-shop the consumer viewed. Pixels work hand in hand with cookies, enabling detailed tracking of the consumer's activity. Because they read or store information on the user's device, the ePrivacy Directive applies.

Example: A pixel relays data about user actions, telling the e-shop which individuals opened a particular offer, webpage, or email.

E-shops therefore need the user’s explicit, prior consent before deploying pixels, and they must provide an easy opt-out mechanism for this tracking.


Encryption for Data Transmission and Storage

Within an online store, shoppers are recognised by the information held in their user accounts. When they register or sign in, pressing the "Login" button makes the browser send their credentials and other personal details to the shop's web server.

Experience has shown that personal information is still, at times, transferred over unencrypted Internet connections. This leaves the door open to interception or manipulation of web traffic, meaning that data such as usernames and passwords can be captured by unauthorised parties and subsequently misused.

Example: A secure connection is signalled by the HTTPS prefix (and the padlock icon) in the browser's address bar. If the address begins with plain HTTP, the connection is not encrypted and the information can be read or altered in transit. The shop should redirect every HTTP request to HTTPS and send an HTTP Strict-Transport-Security header so that browsers do not try plain HTTP again.

It is also worth remembering that an e-commerce site may hold especially sensitive data linked directly to the customer, for instance health information or details revealing racial or ethnic origin, political or religious beliefs, or sexual orientation. Consequently, encryption must always be employed when receiving, transmitting and storing personal data in an online store. Encrypted data is unreadable to third parties, a safeguard that is particularly crucial when a shopper enters payment-card information.

For example: TLS (Transport Layer Security) is the appropriate solution for protected data transfer, ensuring integrity and confidentiality both when a customer's authentication details travel to the e-shop and when the merchant sends e-mails.

When chatbots are present on a site, the dialogue between customer and bot must likewise be encrypted to preserve data security. If an external provider supplies the chatbot service, the parties must sign a data-processing agreement that explicitly covers security.

Example: Whether delivering an invoice or notifying a customer by e-mail that goods have arrived, encryption, at minimum at the STARTTLS level, should be applied during transmission. Note that plain STARTTLS is opportunistic: a receiving server that does not offer it, or an attacker who strips the offer from the connection, causes a fallback to clear text unless MTA-STS or DANE is in place.
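As an added example (not from the guide), here is how a Python-based shop would hand such an e-mail to its mail relay with STARTTLS enforced and the relay's certificate verified, next to the weakened TLS context that encrypts but verifies nothing. The relay host name and addresses are placeholders, and the sending function itself cannot be exercised offline; the context helpers can.

```python
import smtplib
import ssl


def weak_context() -> ssl.SSLContext:
    """What NOT to do: the connection is encrypted, but any certificate is accepted,
    so whoever sits between the shop and its relay can impersonate the relay."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Verify the relay's certificate against the system CA store, check the host name,
    and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Plain-value summary of the settings that matter, handy for a configuration check."""
    return {
        "verifies_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "minimum_version": ctx.minimum_version.name,
    }


def send_notification(host: str, port: int, sender: str, recipient: str, message: str,
                      ctx: ssl.SSLContext = None) -> None:
    """Send one message, refusing to fall back to clear text if STARTTLS is not offered."""
    ctx = ctx or hardened_context()
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("relay does not offer STARTTLS; refusing to send in clear text")
        smtp.starttls(context=ctx)  # raises ssl.SSLCertVerificationError on a bad certificate
        smtp.ehlo()  # re-read capabilities over the now-encrypted channel
        smtp.sendmail(sender, [recipient], message)


if __name__ == "__main__":
    print(describe_context(hardened_context()))
    print(describe_context(weak_context()))
    # Placeholder relay and addresses; this call only succeeds where such a relay exists.
    send_notification("smtp.shop.example", 587, "orders@shop.example", "customer@example.com",
                      "Subject: Your order has arrived\r\n\r\nYour parcel is ready for pickup.\r\n")
```

This protects the hop from the shop to its own relay, which is the part the shop controls. Delivery from the relay onward to the customer's provider is where MTA-STS and DANE, published by the receiving side, decide whether TLS can be enforced.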

Should data lack adequate protection, third parties could exploit it to access a shopper’s social-media or e-mail accounts, or to commit financial fraud and extortion.


Logging and backup

It is important for a website to use effective tracking systems and logs to monitor activity on the system, thereby allowing for the detection of unusual activity or queries.

One of the key aspects of implementing data protection by design is generating and managing identifiable traces, or logs, of data-processing activities. The e-shop, as data controller, is obliged to identify and document every personal data breach (Article 33(5) GDPR). By their very nature, breaches are security incidents that result in the accidental or unlawful loss, destruction or alteration of, or unauthorised access to or disclosure of, personal data. Without logs it is impossible to discover such incidents, to comply with the principles governing processing or to demonstrate the security of the processing. The GDPR does not prescribe the form of a log, but a record must be kept of the entry, modification, viewing, transmission and deletion of data, and the log itself must be protected against alteration and deletion and kept for a defined period.

It is also important to ensure that data is backed up so that it can be restored if something happens to it. This can prevent data loss in the event of a major failure. It is essential that at least one copy of the backup is kept off the main network (offline or otherwise immutable), so that ransomware cannot encrypt or delete it along with the live data, and that restoring from backup is tested regularly.
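The audit trail described above (who viewed, changed, transmitted or deleted which record, and when) is easy to get subtly wrong: a log that the same administrators can edit proves nothing after the fact. The following Python is an added example, not from the guide, of an append-only log in which every entry commits to the hash of the previous one, so that editing or deleting an entry later breaks the chain. The actors, record identifiers and timestamps are constructed sample data.

```python
import hashlib
import json


class AuditLog:
    """Hash-chained log of personal-data operations. Log record identifiers, never the
    personal data itself, so the log does not become a second copy of what it protects."""

    ACTIONS = {"create", "view", "modify", "transmit", "delete"}
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body: dict) -> str:
        # Canonical JSON (sorted keys) so the same entry always hashes the same way.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor: str, action: str, record_id: str, at: str, detail: str = "") -> str:
        """Append one entry and return its hash (the new chain head)."""
        if action not in self.ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "at": at, "actor": actor, "action": action,
                "record": record_id, "detail": detail, "prev": prev}
        body["hash"] = self._digest({k: v for k, v in body.items()})
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """Return the index of the first entry that breaks the chain, or None if it is intact."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("seq") != i or body.get("prev") != prev or self._digest(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None

    def who_touched(self, record_id: str) -> list:
        """The after-the-fact question the guide asks: who accessed this record, when, and how."""
        return [(e["at"], e["actor"], e["action"]) for e in self.entries if e["record"] == record_id]


if __name__ == "__main__":
    log = AuditLog()
    log.record("alice", "view", "customer:1001", at="2024-05-01T09:00:00Z")
    log.record("bob", "transmit", "customer:1001", at="2024-05-01T09:05:00Z", detail="to courier")
    print(log.who_touched("customer:1001"), "intact:", log.verify() is None)
```

A chain only proves tampering if the current head hash is regularly copied somewhere the people who operate the shop cannot silently rewrite, for example a separate log server, write-once storage or a daily signed checkpoint; otherwise an attacker with write access can simply rebuild the whole chain.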


Deceptive Web Design

Design tactics sometimes branded as "dark" steer shoppers toward decisions that compromise their privacy. Typical characteristics of these dark patterns include:

  • complex, confusing wording;
  • layouts that spotlight privacy-intrusive options, such as a pre-ticked cookie-consent box in an online store;
  • persistent nagging or repeated pressure;
  • obstacles that hinder privacy goals, for instance, making it difficult to adjust settings or delete an account;
  • requirements that compel users to hand over more data than is genuinely necessary.

Accordingly, e-shops should avoid deceptive patterns—like demanding extra personal details as a precondition for deleting an account—that impose excessive data-collection requirements.

Privacy-enhancing approaches:

  • employ clear, neutral language;
  • offer timely, appropriate consent options and privacy-protective default settings;
  • minimize the number of clicks needed to change privacy preferences.

By adopting these practices, businesses ensure that personal-data processing upholds transparency, user control, data-minimization, and fully informed consent.


Website Platform

E-store operators rely on a wide range of platforms, from hosted solutions such as Shopify and self-hosted ones such as Magento and WooCommerce to customised or long-standing legacy systems that have been running for years. Older and/or legacy solutions may have missed major upgrades, leaving them more exposed to cyber threats and at risk of failing to meet GDPR security requirements. While some modern platforms come with built-in security and compliance features, keeping any platform secure demands a proactive stance: prioritise regular updates, diligent patch management and carefully tuned security configurations to guard against breaches and data leakage.

Legacy systems, in particular, introduce heightened security risks because they may no longer receive vendor support or timely security patches. Companies relying on outdated e-commerce software must evaluate whether these systems can be shielded with supplementary firewalls, encryption, and robust access controls or whether migrating to a more secure platform is the safer course. Whatever platform is in use, the overarching rule should be security by design and by default, guaranteeing that customer data remains protected throughout every phase of the purchase journey.


Audits and Testing

Maintaining a secure, GDPR-compliant e-commerce environment demands regular security audits and rigorous testing. These audits uncover flaws or vulnerabilities in platforms, databases, and third-party interfaces, helping to keep e-commerce information systems operating securely. During such reviews, companies should examine data-access controls, retention policies, and overall security, and they should supplement these efforts with external penetration tests and vulnerability assessments that measure real-world defensive strength.

Alongside technical testing, organisations must audit their data-processing activities to confirm adherence to GDPR requirements. This involves assessing consent-management workflows, scrutinising data-processing contracts with third-party providers, and ensuring that data-protection impact assessments are performed whenever new technologies are introduced. By routinely auditing both security infrastructure and data-management practices, e-shops can lower risk, demonstrate accountability, and offer customers a safe online shopping experience that fully protects their privacy.

Responding to an Incident

A data breach in an online shop can lead to serious consequences, such as financial loss, fines and damage to customer confidence. Under the GDPR, businesses must act swiftly to contain the breach, assess its impact and, where necessary, notify both the authorities and the affected individuals. Below is a brief outline of what to do if a personal-data incident occurs in an online shop.


Containing the Breach and Assessing Impact

As soon as a breach is detected, take immediate action to stop the unauthorised access and prevent further damage, while preserving the evidence (logs, disk images) that the investigation will need.

Possible actions include:

  • blocking suspicious IP addresses or disabling compromised user accounts;
  • temporarily suspending the affected systems or databases;
  • resetting passwords and reviewing access logs for unusual activity.

At the same time, assess the breach to determine:

  • what data was compromised (e.g. customer names, payment details, passwords);
  • how many people are affected;
  • how the breach occurred (e.g. hacking, human error, system vulnerability).

Notification of Data Breaches

When a breach is likely to result in a risk to the rights and freedoms of individuals, the GDPR (Article 33) obliges the controller to notify the competent Data Protection Authority without undue delay and, where feasible, within 72 hours of becoming aware of it. The notification (the breach report) must include at least:

  • a description of the nature of the breach and, where known, its cause, including the categories and approximate number of data subjects and records affected;
  • the name and contact details of the data protection officer or another contact point;
  • the likely consequences of the breach;
  • the measures taken or proposed to address the breach and mitigate its effects, and to prevent it from happening again.

If the breach is likely to result in a high risk to individuals (Article 34), for example leaked financial data, passwords or other sensitive information, the affected customers must also be informed without undue delay and given clear guidance on how to protect themselves (e.g. resetting passwords and watching for fraud).


Analysing, Improving and Strengthening Security Measures

After the breach is first contained, perform a comprehensive investigation to identify its root cause and apply corrective actions. This can include:

  • applying patches that remedy security vulnerabilities (e.g., installing software updates and enforcing stronger access controls);
  • reviewing internal policies and refreshing staff training to prevent future mistakes;
  • strengthening data-encryption practices and upgrading monitoring systems to detect suspicious activity earlier.

Documenting and Learning from Incidents

The GDPR (Article 33(5)) obliges organisations to document every data breach, including those that do not have to be reported. Maintain comprehensive documentation of the incident, the ensuing investigation, the remedial actions and the preventive steps implemented; these records will prove compliance when the supervisory authority conducts an audit.

Furthermore, a thoroughly prepared incident-response policy equips the company to react swiftly and effectively to future breaches, minimising damage and safeguarding customer confidence.

Source: Guide for e-shops (in Estonian) by Andmekaitse Inspektsioon (the Estonian Data Protection Inspectorate)



Written By

Anastasiia Klymenko