We live in an era of big data. More data is generated and collected every day than ever before. It took a while, but governments and regulators have now recognized the security and privacy implications, and that recognition has led to regulation and legislation aimed at protecting our personal information.

One of the most prominent examples of such legislation is the EU's GDPR. If your business interacts with consumers, you must understand the GDPR, because it applies to any organization that offers goods or services to people in the EU or monitors their behaviour, not only to organizations based in Europe. The following is a primer on this critical piece of legislation.

What is GDPR?  

GDPR stands for General Data Protection Regulation. Many consider it the most robust data protection and privacy law in the world. The legislation sets standards for the privacy and security of personal data.

The GDPR was drafted and passed by the EU, but its remit is far broader. Under Article 3, it applies to any organization that processes the personal data of people in the EU in connection with offering them goods or services or monitoring their behaviour, regardless of where that organization is based.

Take, for instance, a business selling small business VoIP software. If it collects data on EU-based website visitors, it must meet the standards set by the GDPR. It doesn't matter whether it's based in the USA, Australia, or anywhere else.

How Did GDPR Come About? 

Organizations quickly grasped the importance and value of personal data. Firms in every niche recognized that the information could give vital insights and open up opportunities. The public, and the governments representing them, were slower on the uptake.

That created a dire need for legislation to protect private data and to ensure companies used it responsibly. The GDPR was the EU's response. It replaced the 1995 Data Protection Directive (Directive 95/46/EC), which had noble aims but failed to anticipate the exponential growth and potential of the internet.

The GDPR was adopted in April 2016 and entered into force the following month. It was on May 25th, 2018, though, after a two-year transition period, that the regulation became fully applicable. From that point on, all organizations within its scope were required to be compliant.

What Do You Need to Do to Be GDPR Compliant?

GDPR is a complex matter, and a line reading 'don't leave sensitive info lying around' on your office move checklist won't cut it. The regulation as published in the EU's Official Journal runs to 88 pages. The following are five of the main takeaways to be aware of so that you can stay GDPR compliant.

1. When you're allowed to process data.

The GDPR sets out six lawful bases for processing personal data (Article 6). 'Processing' is broad: it covers collecting, storing, using, sharing, and even deleting personal information. You need at least one of these justifications before you process anything:

  • The processing is necessary for a contract to which the data subject is a party, or to take steps at their request before entering one.
  • You must process the data to meet a legal obligation of your own.
  • The processing is necessary to protect someone's vital interests, for example to save a life.
  • The processing is necessary for a task carried out in the public interest or under official authority.
  • You have a legitimate interest in using the data that isn't overridden by the data subject's rights and interests.
  • The data subject has given you freely given, specific, informed, and unambiguous consent to the processing.

2. Seeking consent.

For many companies, consent is the basis on which they justify the collection or use of personal data. Under the GDPR, consent must be 'freely given, specific, informed and unambiguous' (Article 4(11)), and requests for consent must be presented in 'clear and plain language' (Article 7). Pre-ticked boxes and silence don't count as consent, and withdrawing consent must be as easy as giving it.

That's why you get requests for consent to use your data when you buy anything online, from contact centre software to groceries.

3. Data protection. 

Article 25 of the GDPR requires 'data protection by design and by default'. That means every new product, service, or activity must account for data protection from the outset, collecting and exposing only the personal data needed for its specific purpose, rather than bolting protection on as an afterthought.

4. Data security.

All businesses must handle personal data securely. Article 32 requires 'appropriate technical and organisational measures' proportionate to the risk. Those may be anything from encrypting personal data and financial transactions in transit and at rest, to access controls and regular testing of your safeguards, to drafting and adhering to a data privacy policy. Article 33 adds a duty to notify the supervisory authority of a personal data breach, where feasible within 72 hours of becoming aware of it.

5. Accountability.  

All organizations within the scope of the GDPR must be able to demonstrate their compliance at any time (the accountability principle, Article 5(2)). If you can't produce evidence of compliance, your business isn't compliant. These are some common measures for maintaining accountability:

  • Keep detailed records of all data collection: what you collect, how it's used, why, and on which lawful basis.
  • Train all staff in your technical and organizational measures for data security.
  • Include data privacy and security clauses in all contracts with third parties that process data on your behalf.

What Happens if Your Ecommerce Site Isn’t Compliant? 

If you process the personal information of people in the EU, you're subject to the GDPR, whether you track their use of your site, accept online payments, or anything in between. The penalties for violating the regulation are deliberately punitive.

There are two tiers of administrative fines (Article 83). Less serious infringements, such as failing to keep adequate records or to notify a breach, carry fines of up to €10 million or 2% of annual worldwide turnover, whichever is higher. Infringements of the core principles, of data subjects' rights, or of the rules on international transfers carry fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher. Data subjects can also seek compensation from you directly for damage caused by a breach of the regulation (Article 82).

The GDPR is a critical piece of legislation for the modern world. If you have an online presence, you'll encounter personal data, and that makes you subject to the regulation. You should now have an idea of what that entails. To ensure compliance, however, it's advisable to read the GDPR text in full.
