The GDPR: Ongoing Compliance

Written by Kevin Bates on May 17, 2018 Blog, News, Sell Online.

Over the past week we’ve answered some key questions about GDPR compliance. You’ve read about the changes coming to eCommerce (and the internet in general), the importance of putting someone in charge, and how to craft a privacy policy. You learned the basics of responding to Right of Access and Right to Erasure requests, and the importance of keeping your data — and your customers’ data — secure.

There’s also a larger issue at play: privacy isn’t a one time effort. It’s part of the ongoing maintenance for your business.

The GDPR is only the latest law designed to shift the balance of power back to consumers — it builds on older laws like the UK’s DPA. And it won’t be the last; store owners can expect updates to the GDPR, and similar laws will be enacted in other countries. Keeping abreast of these laws and which ones apply to you is an ongoing responsibility.

Whoever is charged with keeping an eye on privacy matters for you will need to make sure your store’s privacy policy stays fresh, especially as you add, update, or remove plugins and third-party services. Plugins will also update their privacy declarations, as they evolve to use personal data in new ways. Stores will need to keep on top of requests and security and data retention on an ongoing basis. Data security is as much a part of day-to-day work as tracking inventory and sales.

You’re part of a larger WooCommerce community

As one of hundreds of thousands of WooCommerce store owners, you’re part of a larger community. GDPR requirements might be intimidating, but they’re not insurmountable! If you have feedback on how we can make compliance a little bit easier, we’d love to hear from you in the comments, or in the #GDPR channel on WooCommerce Slack.

Good luck, happy selling, and drop us a line on privacy at woocommerce dot com if you have anything to share about your WooCommerce experiences in this brave new personal-data oriented world.

Take a look at our tools and resources on GDPR

16 Responses

  1. Loot Deals
    May 18, 2018 at 11:09 am #

    May I know the concept of woocommerce?

  2. David Stark
    May 18, 2018 at 6:52 pm #

    Thanks for these helpful, clear and informative articles on GDPR. Much appreciated!

  3. Ali A/Aziiz aadan Yuusuf
    May 19, 2018 at 4:19 am #

    I want to get the password

  4. kyra Pieterse
    May 19, 2018 at 11:11 am #

    GDPR giving us a headache. Thanks for the information.

  5. Stefano
    May 19, 2018 at 11:34 am #

    Hi, i have 2 question….
    the GDPR say the user can deny the cookie?
    If thay do, how can we sell without cookie?

    2nd question, the GDPR say that user have right to ask erasure, but… if the customer do order, we need to keep the data of order and invoice for 10 years? How we can do? We must delete parts of data or we must waiting 10 years to delete it?

    • Ovi
      May 22, 2018 at 7:26 am #

      Hello Stefano ,about cookies you need the customer aproval to use them if they deny you refuse to sell.
      About the second question , if the law asks you to keep invoice data for 10 years , then the users request do not apply.Any time the users req. something ,but on your side law asks for his data you have no obligation , maybe just to inform the customer you cannot fulfill his req bc of the law.

  6. AMiR
    May 19, 2018 at 1:00 pm #

    Good article

  7. Adrian Wackernah
    May 23, 2018 at 8:41 am #

    I gave the RC2 a quick test and checked a order for deleting personal data. Personal data was removed after. But related orders were still there with personal data. And are we able to use that new tool anywere in world? How about law related terms like tax laws? I do need that info because I have to give my clients a note about and how they may use that new tool.

    What about subscriptions?

    I found at this note about tax compliance:

    GDPR does not trump other laws. E.G. if you have to keep personal data to justify vat charges then this is needs to be kept for tax compliance. The rule in GB and Ireland is 7 years. Other countries may vary.

    Shoudn’t there be a setting for how old a order has to be in case for which personal data should be removed? If a shop owner deletes such personal data from a order accidentally to early, it can’t be restored with a click!

    • Allen Snook
      May 24, 2018 at 1:21 am #

      Hi Adrian!

      I like this idea – i.e. allow store owners to check the “erasure” box but also set a minimum age below which data is nonetheless retained (e.g. for tax purposes)

      Would you mind opening an issue at ?

      Thank you!

  8. GDPR Blog
    May 23, 2018 at 11:50 am #

    Great article! Bookmarked

  9. Giancarlo
    May 26, 2018 at 10:33 am #

    Hi Allen,

    thank you so much! I appreciated a lot. Now, with your posts I feel ongoing GDPR compliance.

  10. Apostila Concurso
    May 27, 2018 at 4:39 pm #

    very good
    clarified very well about gdpr

  11. Kristin
    May 29, 2018 at 1:58 pm #

    I upgraded Woocommerce and tried to anonymize older order (in test environment), work just fine except one huge issue: IP adresses are considered to be personal data and orders still contain ip-adresses…

  12. Alise
    June 7, 2018 at 6:36 pm #

    Thanks to numerous articles on the Internet about GDPR and how to comply, my company prepared for it quickly and effectively. We found checklists and done all items from them, to not pay huge fines in future. Here is one of the best checklists I found and it fully corresponds to GDPR requirements. Hope it will help someone)

  13. Rob - Clarip
    June 11, 2018 at 8:18 pm #

    Just calling out attention on this line: “privacy isn’t a one time effort. It’s part of the ongoing maintenance for your business.” That’s well said and absolutely correct. We typically refer to it as the GDPR journey for that reason.