The General Data Protection Regulation (GDPR) is now in effect, which means that there are some things online retailers should avoid doing to make sure they are compliant and don’t incur high fines. Here are five things that you should stop doing if you want to avoid getting an unpleasant letter from the supervisory authorities.


1. Asking users to provide data you don’t need

Why not use contact forms to find out your customers’ e-mail address, name, profession, wedding day, and even their cat's birthday? It sounds like a good idea, except that it completely contradicts the principle of data minimisation (also called data economy) introduced by the GDPR, according to which you may only ask customers for the data you actually need in order to provide the service they’ve purchased.

2. Failing to keep your documentation up-to-date

One of the most important innovations introduced by the GDPR is the principle known as accountability, which means every company must be able to prove that it complies with data protection regulations. The record of processing activities is at the heart of this accountability. To create such a record, you basically need to document all activities in which personal data is stored and processed as accurately as possible.

If you’ve never liked creating tables, you will find valuable help in the form of templates on the internet or in our newest product, the Trusted Shops Data Privacy 360, which lets you create your record of processing activities with just a few clicks.

3. Ignoring information requests

No online retailer would be happy to receive an e-mail from a customer asking for information on all the personal data being stored about them. However, according to article 15 of the GDPR, online retailers are obliged to respond to such requests within one month and provide information on the personal data available in their systems and the purpose of the processing.

Look at it this way: information requests are time-consuming for you as an online retailer, but your answer will show your customers that you are trustworthy and that you take data protection seriously. Plus, such requests are unlikely to occur in practice anyway.

4. Cobbling the privacy policy together

If you were thinking of just copying the privacy policy from a competitor's website, you might want to change your approach, because that will no longer do in the GDPR era. Customers may not read your privacy policy, but it is the first thing lawyers will check. That’s why we recommend that you pay the utmost attention here.

In the privacy policy, too, consumers must be provided with comprehensive information about what happens to their personal data, not only on your website and servers, but also on those of third-party service providers.

5. Hiding data breaches

“Oops, customer data has become public… but probably nobody noticed, so everything’s fine, right?”

No, it’s not. According to the GDPR, you must inform the appropriate supervisory authority about data breaches within 72 hours. Therefore, draw up an incident response plan now that states who must be contacted and which measures must be taken in an emergency.

Focus on your sales with Data Privacy 360

By not doing these five things, you will take the first important step towards compliance with the GDPR, which will enable you to focus on your business. Indeed, with the Trusted Shops Data Privacy 360, you’ll always be on the safe side. You will always be up-to-date in case the EU introduces new legal changes. Better yet, we’ll accept complete liability for the privacy policy and the predefined processing activities included in the record. You can find out more about Data Privacy 360 here.

If you have any questions or remarks, contact us at

For a free GDPR checklist, click here or on the banner below.
