GDPR Compliance Checklist for E-commerce

Scope and Data Mapping

    Pull shipping country and billing country splits from Shopify, Amazon EU marketplaces, and any 3PL exports. If you have any EU/UK orders, GDPR / UK GDPR applies — there is no de minimis. Note whether you ship to EU directly (controller) or only via Amazon EU FCs (joint considerations).

    Update the ROPA (record of processing activities) spreadsheet covering each processing activity: marketing emails (Klaviyo), reviews (Yotpo / Okendo), CX tickets (Gorgias), payments (Shopify Payments / Stripe), shipping (ShipStation, carriers), analytics (GA4, Triple Whale). For each, capture purpose, lawful basis, data categories, retention, and sub-processors.

    Order fulfillment runs on contract; marketing email and SMS run on consent; fraud checks and CX run on legitimate interests (with LIA documented). Do not pretend everything is consent — relying on consent for fulfillment data breaks under GDPR if the customer withdraws.

    List every vendor that touches EU/UK personal data: Shopify, Klaviyo, Postscript, Gorgias, Recharge, Yotpo, your 3PL, your accountant. Confirm a signed DPA exists for each and that the public sub-processor list matches what you actually use.

Consent and Cookie Compliance

    Verify the CMP (OneTrust, Cookiebot, Termly, Iubenda) blocks Meta Pixel, TikTok Pixel, GA4, and Klaviyo onsite tracking until the EU/UK visitor opts in. Pre-ticked boxes and implied-consent banners fail under GDPR and the ePrivacy Directive — explicit affirmative action is required.

    Submit a test EU IP signup through every form (footer, popup, checkout marketing checkbox) and confirm Klaviyo or your ESP routes through confirmed opt-in. Checkout marketing consent must be unticked by default for EU customers.

    Postscript / Attentive / SMSBump signups must capture explicit consent separate from email and never pre-check the SMS box. UK PECR rules add to GDPR here; non-compliance has driven recent ICO enforcement.

    Pull 10 random EU subscriber profiles from Klaviyo and confirm the consent timestamp, source, and IP are stored. Without this audit trail you cannot prove consent if a supervisory authority asks.
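The consent-trail check above, as an added example that is not part of the original checklist or of Klaviyo's tooling: it assumes the ESP export has been flattened to one dict per profile with the field names used below (an assumption; real exports differ), samples EU/UK profiles, and reports every profile whose consent record is missing a timestamp, source, or IP, or whose timestamp or IP is malformed. The sample profiles are constructed.

```python
"""Audit a random sample of EU/UK subscriber profiles for a complete consent trail."""
import ipaddress
import random
from datetime import datetime, timezone

# Fields a defensible consent record needs: when, where it was collected, and from which IP.
REQUIRED_FIELDS = ("consent_timestamp", "consent_source", "consent_ip")

# EU-27 plus EEA and UK; adjust to the markets you actually sell into.
EU_UK_COUNTRIES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE",
    "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
    "IS", "LI", "NO", "GB",
}

# Constructed sample export (field names assumed, not Klaviyo's schema).
SAMPLE_PROFILES = [
    {"email": "a@example.com", "country": "DE", "consent_timestamp": "2024-03-01T10:15:00Z",
     "consent_source": "footer_form", "consent_ip": "203.0.113.7"},
    {"email": "b@example.com", "country": "FR", "consent_timestamp": "",
     "consent_source": "checkout_checkbox", "consent_ip": "198.51.100.3"},
    {"email": "c@example.com", "country": "IE", "consent_timestamp": "2023-11-20T08:00:00Z",
     "consent_source": "popup", "consent_ip": "not-an-ip"},
    {"email": "d@example.com", "country": "US", "consent_timestamp": "",
     "consent_source": "", "consent_ip": ""},
    {"email": "e@example.com", "country": "NL", "consent_timestamp": "2024-06-30T23:59:59Z",
     "consent_source": "", "consent_ip": "192.0.2.44"},
]


def consent_gaps(profile):
    """Return a list of problems with one profile's consent record (empty list = OK)."""
    gaps = [f"{field} missing" for field in REQUIRED_FIELDS if not profile.get(field)]
    ts_raw = profile.get("consent_timestamp")
    if ts_raw:
        try:
            # fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
            ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
            if ts.tzinfo is None:
                gaps.append("consent_timestamp has no timezone")
            elif ts > datetime.now(timezone.utc):
                gaps.append("consent_timestamp is in the future")
        except ValueError:
            gaps.append("consent_timestamp not ISO 8601")
    ip_raw = profile.get("consent_ip")
    if ip_raw:
        try:
            ipaddress.ip_address(ip_raw)
        except ValueError:
            gaps.append("consent_ip not a valid IP address")
    return gaps


def audit_sample(profiles, sample_size=10, seed=None):
    """Sample EU/UK profiles and return {email: [gaps]} for those that fail the check."""
    eu_uk = [p for p in profiles if p.get("country") in EU_UK_COUNTRIES]
    rng = random.Random(seed)  # seed only so the sample is reproducible in a test
    sample = rng.sample(eu_uk, min(sample_size, len(eu_uk)))
    return {p["email"]: gaps for p in sample if (gaps := consent_gaps(p))}


if __name__ == "__main__":
    for email, gaps in audit_sample(SAMPLE_PROFILES).items():
        print(email, "->", "; ".join(gaps))
```

Any profile that comes back with gaps is one you could not defend to a supervisory authority; fix the capture at the form or integration that produced it rather than backfilling the record.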

Data Subject Rights Handling

    Submit a test access request through the privacy@ alias and the privacy policy link. Confirm Gorgias or Zendesk routes it to a privacy macro with a 30-day SLA timer. The GDPR response window is one calendar month, extendable by two for complex cases.

    If the test request did not reach the privacy queue within an hour, the SLA clock is at risk for real requests. Open a ticket with the CX lead to fix the macro / routing rule and re-test.

    A complete export pulls the Shopify customer record, Klaviyo profile and event history, Gorgias ticket history, Recharge subscription record, and any review submissions. Shopify's built-in export is not sufficient on its own; a partial export is an Article 15 violation.

    Run a test deletion and confirm the customer is removed from Shopify, Klaviyo, Postscript, Gorgias, Yotpo reviews, and the data warehouse. Retain only what is required for tax / accounting (typically 6-10 years) and document the legal-obligation basis for that residual data.

    Confirm requests against a recent order email or order number before exporting or deleting. Avoid demanding government ID by default — GDPR requires proportionate verification, not maximal.

Security and Cross-Border Transfers

    Storefront, admin, and any custom app endpoints must serve only TLS 1.2+. Verify Shopify, Klaviyo, and Gorgias all encrypt at rest in their security pages — these are vendor-managed but you should record the attestation.

    Pull the user list for each platform and confirm every staff and contractor account has MFA enforced. Shared logins are a common gotcha for small teams and a frequent ICO finding.

    Vendors hosting EU data in the US (Klaviyo, Gorgias, Triple Whale, most of the SaaS stack) need either EU-US Data Privacy Framework certification or signed Standard Contractual Clauses plus the UK International Data Transfer Addendum. Check each DPA — Schrems II compliance is not optional.

    For any vendor processing sensitive categories or large volumes (analytics, attribution, support), document a TIA (transfer impact assessment) covering destination country surveillance laws and supplementary measures. Triple Whale, Northbeam, and Hyros all warrant a TIA on file.

Retention and Minimization

    Set Klaviyo sunset rules for unengaged subscribers (commonly 12 months no open / click). Archive Shopify customer records past your retention horizon for non-tax data. Keeping every record forever is the default and the wrong answer.

    GA4 user-data retention is settable to 14 months max — confirm it is not on the default. Abandoned-cart records in Klaviyo or Recart should not persist indefinitely with email and address attached.

    If you ship Shopify orders to a warehouse (BigQuery, Snowflake, Daasity), hash or pseudonymize email and IP before storage where the analysis does not require raw PII. Keep a key-mapping table separately under stricter access control.
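The pseudonymization step above, as an added example that is not Shopify's, Daasity's or any warehouse vendor's code: it assumes order rows arrive as dicts with the keys shown and that the HMAC key is held outside the warehouse (here a constructed constant; in practice a secrets manager). Email is replaced by a keyed hash so that joins across orders still work, the IP is coarsened to a network prefix, and the reverse mapping is returned as a separate table so it can live under stricter access control. The sample orders are constructed.

```python
"""Pseudonymize email and IP in order rows before loading them into the analytics warehouse."""
import hashlib
import hmac
import ipaddress

# Constructed secret for the example. Keep the real key in a secrets manager, never in the warehouse:
# whoever holds it can re-identify customers, so it is the boundary of the pseudonymization.
PSEUDONYM_KEY = b"example-key-rotate-and-store-outside-warehouse"

# Constructed sample rows (field names assumed, not Shopify's export schema).
SAMPLE_ORDERS = [
    {"order_id": 1001, "email": "Ann@Example.com", "ip": "203.0.113.77", "country": "DE", "total": 49.90},
    {"order_id": 1002, "email": "ann@example.com ", "ip": "203.0.113.12", "country": "DE", "total": 12.00},
    {"order_id": 1003, "email": "bob@example.net", "ip": "2001:db8:abcd:1234::1", "country": "IE", "total": 80.00},
]


def normalize_email(email):
    """Lower-case and trim so the same customer always maps to the same pseudonym."""
    local, _, domain = email.strip().partition("@")
    return f"{local.lower()}@{domain.lower()}"


def pseudonym(value, namespace):
    """Keyed hash (HMAC-SHA256). A plain SHA-256 of an email is reversible by dictionary
    attack because emails are low-entropy; the key is what makes this a pseudonym."""
    mac = hmac.new(PSEUDONYM_KEY, f"{namespace}:{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32]  # 128 bits is plenty for a join key


def truncate_ip(ip):
    """Coarsen the IP to /24 (IPv4) or /48 (IPv6): enough for geography and fraud
    signals, not enough to single out a household."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def pseudonymize_orders(orders):
    """Return (rows for the warehouse, key-mapping table for the restricted store)."""
    warehouse_rows, key_map = [], {}
    for order in orders:
        email = normalize_email(order["email"])
        customer_pid = pseudonym(email, "email")
        key_map[customer_pid] = email  # goes to the restricted dataset, not the analytics one
        warehouse_rows.append({
            "order_id": order["order_id"],
            "customer_pid": customer_pid,
            "ip_prefix": truncate_ip(order["ip"]),
            "country": order["country"],
            "total": order["total"],
        })
    return warehouse_rows, key_map


if __name__ == "__main__":
    rows, mapping = pseudonymize_orders(SAMPLE_ORDERS)
    for row in rows:
        print(row)
    print("mapping entries (restricted):", len(mapping))
```

Re-identification for a deletion request then means looking the pseudonym up in the key-mapping table and removing both the mapping row and the warehouse rows; analysts who only see the warehouse never handle the raw email.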

Breach Response Readiness

    Review CX tickets, Shopify staff alerts, and any vendor security notices for unauthorized access, lost devices, or misdirected exports. The 72-hour clock under Article 33 starts at awareness, not at confirmation.

    File with the lead authority (ICO for UK, Irish DPC or the relevant member-state authority for EU) covering nature of breach, categories and approximate number of data subjects, likely consequences, and mitigation. A delayed or partial notification is itself a finding.

    Notifying affected customers directly is required when the breach is likely to result in high risk to their rights and freedoms (Article 34). Use plain language: what happened, what data, what we are doing, what they can do. Run it past legal before sending.

    Walk founder, ops lead, and CX lead through a Klaviyo-credentials-leaked scenario. Confirm everyone knows who calls the supervisory authority, who drafts the customer email, and where the breach register lives.

    Founder or DPO countersigns the review, captures open gaps with owners and target dates, and files the package alongside the ROPA. This is the document a supervisory authority will ask for first.
