Everything you need to know to make your Marketplace GDPR compliant


Data is the new oil.

This phrase has been circulating on the web for quite a while now. If we go by it, a resource this valuable has to be well protected, and that is where GDPR comes in.

Let’s begin with a quick disclaimer. This blog post is not legal advice and is for informational and educational purposes only. By the end of this post you will know what GDPR is, whether it applies to your organization, the penalties involved and what steps you must take to comply with it.


GDPR is a regulation adopted by the three legislative institutions of the European Union: the European Parliament, the European Commission and the Council of the European Union. The General Data Protection Regulation determines how the personal data of people in the EU may be handled, both within the EU and in other countries.

EUGDPR.org says GDPR is “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”


The main aim of this law is to give control of personal data back to the citizens and residents of the European Union. Enforced from 25 May 2018, GDPR brings in game-changing rules in the field of data privacy regulation.



Data collected and processed both before and after 25 May 2018 has to comply with the new regulation. Even though the General Data Protection Regulation is an EU law, it applies to any company that processes the personal data of people in the EU. This means that even if you are a US or Asian company, you can still be subject to GDPR as long as you handle the personal data of anyone in the EU. To make this clearer, have a look at the following examples:

  • Walter White is an online entrepreneur based in the European Union. He needs to comply with GDPR across his business, even when he is collecting data from someone in the US.
  • Jesse Pinkman is an entrepreneur/marketer based in the US who collects data from someone in the EU. He too has to comply with GDPR.



GDPR distinguishes three roles:

  1. The Data Subject: the customer, user, employee or anyone else who provides personal data.
  2. The Data Controller: the company or organization offering goods or services that decides how and why personal data is used and is responsible for the safe storage and use of the data collected from Data Subjects.
  3. The Data Processor: an organization that stores, digitizes or otherwise processes data on behalf of a Data Controller, for example third-party suppliers such as ERP systems or email marketing services like MailChimp.



Non-compliance carries tiered fines. The lower tier is up to 2% of annual global turnover or 10 million euros; the upper tier, for the most serious infringements, is up to 4% of annual global turnover or 20 million euros, whichever is greater. That is a lot, so it is worth understanding what is required of you. Read on.


In brief, compliance requires the following:

  • Communicate
    Use simple language. Tell users who you are when you request the data. Say why you are processing their data, how long it will be stored and who receives it.


Google emailed its users to notify them of changes to its Privacy Policy.


  • Obtain their consent
    Get clear, affirmative consent before processing the data. When offering online services to children, check the age below which parental consent is required (16 under GDPR, which member states may lower to 13).
  • Give them access
    Let people access their data and take it with them.
  • Alert them
    Let them know when a data breach affecting them occurs.
  • Give them the right to erase
    Erase their personal data if they ask to do so.
  • Give them the right to data portability
    People have the right to transfer their personal data between controllers (e.g., to move account details from one online platform to another).
  • Notify third parties regarding rectification, erasure or restriction
    Notify any third parties with whom you have shared the relevant data that the data subject has exercised those rights.
  • Respect restriction and objection
    GDPR also gives people the right to restrict or object to the processing of their personal data, which in practice means you must be able to suppress processing on request.
  • Data transfer outside the EU
    Put legal safeguards in place when you transfer data to countries that do not have an EU adequacy decision.
  • Consult your lawyer and Data Protection Officer
    Audit your site with the help of your lawyer and your appointed Data Protection Officer.



For a WCMp/WooCommerce marketplace, these are the pages and forms to revisit:

    • Terms and Conditions page– If you did not have a T&C page, you definitely need one now, along with a checkbox at checkout that users must tick themselves (it must not be “checked” by default; a pre-ticked box does not count as consent). Amend your T&C page to use the GDPR terminology and to cover the customer data gathered on the checkout page.
    • Privacy Policy– The page that requires the most attention right now is your Privacy Policy page. Here the user must be told how their data is processed: how it is collected, stored and used. As on the T&C page, users need to tick a checkbox to “agree” to the privacy policy.

      Pro tip: Go through the Privacy policy pages of reliable e-commerce websites and observe how they are approaching the new GDPR rules.

      An overview of the points that you can’t miss while revising your Privacy policy page:

      1. Who you are (your address, etc)
      2. What data you collect (Name, email, phone, address, IP addresses, etc)
      3. For what reason you collect the data (invoicing, tracking, email communication, etc)
      4. For how long you retain it (e.g. you keep invoices for 5 years for accounting purposes)
      5. Which third parties receive it (Google, CRM, MailChimp, etc)
      6. How to delete data (either automatically or by emailing the Data Protection Officer)
      7. How to get in touch with you about data-related issues.

    • Customer Registration– Collect only the information you strictly require (data minimisation). Be extra cautious, since you are collecting personal data here. Moreover, add a Privacy Policy checkbox to the registration form.
    • Vendor Registration– WCMp lets you create a customizable vendor registration form. Here too you should collect only the most necessary information from the vendor. Add a Privacy Policy checkbox, as on the customer registration page.

    • Plugins– Certain plugins, such as cart abandonment plugins, capture the user’s email address without their consent, which is against the GDPR rules. For such plugins, add them to the list of “third parties” that get access to user data in your Privacy Policy, and check with or ask the plugin developers how they are going to implement GDPR compliance.
    • Product Reviews and Comments– Product reviews are important for every online store. If you allow users who are not logged in to leave a review on your site, add the privacy policy checkbox to the product review form. Alternatively, change the settings to allow only verified users to leave a review. Follow the same approach for the comments section.
    • Send a re-permission email to your existing list– If you previously obtained consent from your contacts in a manner that complies with GDPR, there is no need to ask for their permission again. But if you would like a fresh record of consent to demonstrate that you comply with the new rules, you can send a re-permission email to your list.
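The checkbox items above (checkout, customer registration, reviews) share one pitfall: a box in the browser proves nothing, because a submitted form can omit or forge the field. The following is an added example, not WCMp’s or WooCommerce’s own code. It renders an unchecked Privacy Policy checkbox on the WooCommerce checkout, the customer registration form and the product-review form, rejects the submission server-side when the box is not ticked, and records when, and against which policy version, consent was given. The hooks, wc_add_notice(), get_privacy_policy_url() and the *_meta functions are standard WordPress/WooCommerce APIs; the field name gdpr_privacy_consent, the meta keys and the policy version constant are assumptions made for this example.

```php
<?php
// Added example (not WCMp/WooCommerce code): server-validated, recorded consent
// on three WooCommerce forms. Field name, meta keys and policy version are assumed.

const GDPR_EXAMPLE_POLICY_VERSION = '2018-05-25'; // assumed; bump whenever the policy text changes

// Render the checkbox. It is deliberately NOT pre-checked: consent must be an
// affirmative action, and a pre-ticked box is not valid consent.
function gdpr_example_consent_field() {
    printf(
        '<p class="form-row"><label><input type="checkbox" name="gdpr_privacy_consent" value="1" /> %s</label></p>',
        wp_kses_post( sprintf(
            __( 'I have read and agree to the <a href="%s">Privacy Policy</a>.', 'gdpr-example' ),
            esc_url( get_privacy_policy_url() )
        ) )
    );
}

// The server-side check is the one that matters; anything but an explicit "1" is no consent.
function gdpr_example_consent_given() {
    return isset( $_POST['gdpr_privacy_consent'] ) && '1' === $_POST['gdpr_privacy_consent'];
}

// What gets stored alongside the order, account or review as evidence of consent.
function gdpr_example_consent_record() {
    return array(
        '_privacy_consent_at'      => gmdate( 'c' ),               // UTC timestamp
        '_privacy_consent_version' => GDPR_EXAMPLE_POLICY_VERSION, // which policy text was accepted
    );
}

/* ---- Checkout ---- */
add_action( 'woocommerce_review_order_before_submit', 'gdpr_example_consent_field' );

add_action( 'woocommerce_checkout_process', function () {
    if ( ! gdpr_example_consent_given() ) {
        wc_add_notice( __( 'Please accept the Privacy Policy to place your order.', 'gdpr-example' ), 'error' );
    }
} );

// Attach the consent record to the order object before WooCommerce saves it.
add_action( 'woocommerce_checkout_create_order', function ( $order ) {
    foreach ( gdpr_example_consent_record() as $key => $value ) {
        $order->update_meta_data( $key, $value );
    }
} );

/* ---- Customer registration ---- */
add_action( 'woocommerce_register_form', 'gdpr_example_consent_field' );

add_filter( 'woocommerce_registration_errors', function ( $errors ) {
    if ( ! gdpr_example_consent_given() ) {
        $errors->add( 'privacy_consent', __( 'Please accept the Privacy Policy to register.', 'gdpr-example' ) );
    }
    return $errors;
} );

add_action( 'woocommerce_created_customer', function ( $customer_id ) {
    foreach ( gdpr_example_consent_record() as $key => $value ) {
        update_user_meta( $customer_id, $key, $value );
    }
} );

/* ---- Product reviews and comments from visitors who are not logged in ---- */
add_filter( 'comment_form_fields', function ( $fields ) {
    if ( ! is_user_logged_in() ) {
        ob_start();
        gdpr_example_consent_field();
        $fields['gdpr_privacy_consent'] = ob_get_clean();
    }
    return $fields;
} );

// Reject the review before it is written to the database if consent is missing.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    if ( ! is_user_logged_in() && ! gdpr_example_consent_given() ) {
        wp_die(
            esc_html__( 'Please accept the Privacy Policy to leave a review.', 'gdpr-example' ),
            '',
            array( 'response' => 400, 'back_link' => true )
        );
    }
    return $commentdata;
} );

add_action( 'comment_post', function ( $comment_id ) {
    if ( ! is_user_logged_in() ) {
        foreach ( gdpr_example_consent_record() as $key => $value ) {
            add_comment_meta( $comment_id, $key, $value, true );
        }
    }
} );
```

Drop this into a small site-specific plugin or your child theme’s functions.php. The stored timestamp and policy version are what let you answer “when did this person agree, and to which text?” later; without them the checkbox is only a UI gesture. The vendor registration form is built by WCMp’s own form builder, so the same pattern (unchecked box, server-side rejection, stored record) has to be applied through that form’s own validation rather than the WooCommerce hooks shown here.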


      It is the EU today; tomorrow it will be other geographies. So even if you are not based in the EU, or do not deal with European customers for the time being, taking these precautions now still prepares you for GDPR-style legislation elsewhere.

      How are you dealing with GDPR and what are the challenges you are facing? Let us know in the comment section below.
