Mikhail Ostapenko, Lead Product Owner
22 May 2018


Are You Ready for GDPR?

This month’s buzzword is hands-down GDPR. Everyone is preparing for the 25 May cutoff date, after which liability for data protection increases considerably.

In e-commerce, data collection, promotion and protection are a big deal. Emails, newsletters, customer accounts and much more are all affected by the new regulation. So, the question is: how ready are you?

If you are a Spryker customer, you are most likely more ready than you thought. The Spryker Commerce OS is fully GDPR compliant, excluding data and workflows over which we have no control.

To help with the rest, we have compiled a magical list of the 7 main points you need to address to be prepared:


1. Collect only what you need

  • Only ask customers for the data necessary to process their request. Avoid collecting data you cannot justify.
  • Review every place you collect data: registration forms, subscription forms, contact forms, log files and 3rd-party integrations. Assess whether you can justify each piece of information you collect.

2. Explain why the information collected is necessary

Review your data privacy statement, terms & conditions, newsletter subscription conditions and promo campaign conditions.

  • Explain in plain language why each piece of data is collected.
  • Avoid very long texts.

3. Get customer consent

  • Replace preselected checkboxes for accepting T&C, the data privacy statement, newsletter subscriptions etc. with empty checkboxes.
  • Offer a double opt-in process for newsletter subscriptions and other kinds of registration (e.g. account, loyalty program).

4. Allow customers to withdraw consent

  • Use the consent withdrawal feature for newsletter subscriptions, the data privacy statement etc. For the T&C and data privacy statement, Spryker provides a “Delete account” feature instead, since without agreeing to those terms there is no way to use the website.
  • Add a checkbox to unsubscribe from newsletters and to delete the email address from the database.

5. Allow customers to get a copy of their personal data in a readable form

  • Offer a “Copy of all data” feature that includes information from all data sources (Spryker, CRM, log files, 3rd-party applications). Spryker has a “User Account” page that shows the customer information: profile, orders, preferences. The information on this page can be saved as a PDF file and shared upon request.

6. Allow deletion of personal data

  • Use the “Delete Account” feature to anonymize customer information. Some information needs to be kept for other reasons (transactional information, order information for fiscal authorities etc.).
  • Review and establish an unsubscribe option that deletes the email address from the respective database.
  • Add an unsubscribe link to email communication.
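As an added example of point 6 (not Spryker's own code): on account deletion, replace the customer's identifying fields with a random pseudonym, keep the order records that fiscal authorities need, drop the address from the newsletter list, and then verify that none of the original personal data survives anywhere in what is retained. Field names and sample records are assumptions constructed for the example.

```python
import secrets

# Fields that identify the person; everything else is retained.
PII_FIELDS = ("first_name", "last_name", "email", "phone", "street", "city")

def anonymize_customer(customer: dict, orders: list, newsletter: set) -> dict:
    """Replace personal data with an opaque pseudonym. Orders keep invoice
    number, date and total (needed for fiscal authorities) but lose every
    identifying field; the e-mail is also dropped from the newsletter list."""
    # A random token rather than a hash of the e-mail: a hash could be
    # reversed by anyone able to guess the address.
    pseudonym = "deleted-" + secrets.token_hex(8)
    anon_customer = {k: v for k, v in customer.items() if k not in PII_FIELDS}
    anon_customer["customer_ref"] = pseudonym
    anon_orders = []
    for order in orders:
        kept = {k: v for k, v in order.items() if k not in PII_FIELDS}
        kept["customer_ref"] = pseudonym
        anon_orders.append(kept)
    return {"customer": anon_customer, "orders": anon_orders,
            "newsletter": newsletter - {customer["email"]}}

def leaks_pii(original: dict, retained) -> list:
    """Return every original PII value still present anywhere in the retained
    data (e.g. copied into an order's shipping fields). Empty list = clean."""
    values = {str(original[f]).lower() for f in PII_FIELDS if f in original}
    found = []

    def walk(node):
        if isinstance(node, dict):
            for value in node.values():
                walk(value)
        elif isinstance(node, (list, set, tuple)):
            for value in node:
                walk(value)
        elif str(node).lower() in values:
            found.append(node)

    walk(retained)
    return found

# Constructed sample data, not from any real system.
CUSTOMER = {"id": 42, "first_name": "Anna", "last_name": "Muster",
            "email": "anna@example.test", "phone": "+49 30 0000000",
            "street": "Musterstr. 1", "city": "Berlin", "created": "2017-03-01"}
ORDERS = [{"invoice": "INV-1001", "date": "2018-01-10", "total": 49.90,
           "email": "anna@example.test", "street": "Musterstr. 1", "city": "Berlin"}]
NEWSLETTER = {"anna@example.test", "bob@example.test"}
```

Run `leaks_pii(CUSTOMER, anonymize_customer(CUSTOMER, ORDERS, NEWSLETTER))` as the release check: any non-empty result means a copy of the data escaped the anonymization.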

7. Control 3rd Party Integration Permissions and Data Collection

  • Offer an option to review and revoke access for 3rd-party integrations (social media, payment providers etc.).
  • Review the data that is shared with 3rd parties and make sure it is reflected in your data privacy statement and T&C (e.g. the IP address passed to a 3rd-party payment provider).
  • Check all existing “General Data Processing Agreements” for validity.

Do you want to know more about WHEN you need to implement these steps?
Pop over to the Academy and read our full recommendation, including ways to implement these tips.

