Part of our Compliance & Regulation series
GDPR Implementation Guide: Data Privacy for eCommerce & ERP Systems
Since GDPR enforcement began in 2018, regulators have issued over EUR 5.3 billion in fines. The largest single fine --- EUR 1.2 billion against Meta in 2023 --- demonstrated that no company is too big to be penalized. But the regulation hits hardest at the mid-market level, where companies process significant volumes of personal data without the legal teams and compliance budgets of global enterprises.
For eCommerce businesses and ERP-dependent companies, GDPR touches every system that stores customer data: your online store, your CRM, your order management, your email marketing, and your analytics. This guide provides a practical, article-by-article implementation plan.
Key Takeaways
- Data mapping is the non-negotiable first step --- you cannot protect data you have not inventoried
- Consent management requires granular, purpose-specific opt-ins, not a single blanket checkbox
- DSAR automation is essential --- the 30-day response deadline leaves no room for manual processes at scale
- Your ERP system is likely your largest repository of personal data and must be configured for compliance from day one
Understanding GDPR's Scope for Digital Businesses
GDPR applies to any organization that processes personal data of EU residents, regardless of where that organization is based. For an eCommerce company shipping worldwide or a SaaS platform with European users, the extraterritorial reach makes GDPR inescapable.
What Counts as Personal Data
Personal data under GDPR is broader than most companies expect:
| Data Category | Examples | Commonly Found In |
|---------------|----------|-------------------|
| Identity data | Name, email, phone, address | CRM, order system, ERP contacts |
| Financial data | Credit card details, bank accounts, invoices | Payment processor, accounting module |
| Behavioral data | Browsing history, purchase patterns, click data | Analytics, marketing automation |
| Technical data | IP addresses, device IDs, cookies | Web server logs, CDN, analytics |
| Communication data | Email content, chat transcripts, support tickets | Helpdesk, email marketing, CRM notes |
| Location data | GPS coordinates, delivery addresses, IP geolocation | Mobile apps, shipping module, analytics |
| Employment data | Salary, performance reviews, attendance | HR module, payroll system |
The critical realization for most businesses is that their ERP system --- Odoo, SAP, or otherwise --- contains every one of these data categories across its modules.
Step 1: Data Mapping & Processing Inventory
Article 30 of GDPR requires a Record of Processing Activities (ROPA). This is not optional documentation --- it is a legal requirement and the foundation of everything else.
How to Map Your Data
For each system that processes personal data, document:
- What personal data is collected (specific fields, not vague categories)
- Why it is collected (the legal basis --- consent, contract, legitimate interest, legal obligation)
- Where it is stored (database, server location, cloud region)
- Who has access (roles, third parties, sub-processors)
- How long it is retained (with justification for the retention period)
- How it is protected (encryption, access controls, anonymization)
GDPR Article to Implementation Checklist
| GDPR Article | Requirement | Implementation Action |
|--------------|-------------|-----------------------|
| Art. 5 | Data minimization | Audit all forms --- remove fields you do not need |
| Art. 6 | Lawful basis | Document legal basis for each processing activity |
| Art. 7 | Consent conditions | Implement granular, withdrawable consent mechanisms |
| Art. 12-14 | Transparency | Publish clear, layered privacy notices |
| Art. 15-20 | Data subject rights | Build DSAR handling workflow with 30-day SLA |
| Art. 17 | Right to erasure | Implement data deletion with cascade across systems |
| Art. 20 | Data portability | Enable JSON/CSV export of personal data |
| Art. 25 | Privacy by design | Default settings must be privacy-protective |
| Art. 28 | Processor agreements | Execute DPAs with all vendors processing personal data |
| Art. 30 | Records of processing | Maintain ROPA with regular updates |
| Art. 32 | Security measures | Encryption, access control, pseudonymization |
| Art. 33-34 | Breach notification | 72-hour notification process to supervisory authority |
| Art. 35 | Impact assessment | Conduct DPIAs for high-risk processing |
| Art. 37-39 | Data Protection Officer | Appoint DPO if required by processing scale |
Step 2: Consent Management
Consent under GDPR must be freely given, specific, informed, and unambiguous. The days of pre-ticked checkboxes and blanket consent are over.
Consent Architecture for eCommerce
Your eCommerce platform needs multiple, independent consent mechanisms:
Marketing consent. Separate opt-in for email marketing, SMS marketing, and personalized advertising. Each channel needs its own checkbox. No pre-selection.
Analytics consent. Cookie consent banner that allows granular selection: necessary cookies (no consent needed), analytics cookies, marketing cookies, preference cookies. Implement a proper Consent Management Platform (CMP) that blocks scripts until consent is granted.
Transactional communication. No consent needed for order confirmations, shipping updates, and account security alerts --- these fall under "contractual necessity" (Article 6(1)(b)). But do not sneak marketing content into transactional emails.
Third-party sharing. If you share data with partners (affiliate networks, review platforms, analytics providers), each sharing relationship needs its own disclosure and, where applicable, consent.
Implementation in ERP Systems
In Odoo and similar ERP systems, implement consent tracking as follows:
- Add consent fields to the contact model: `marketing_consent`, `analytics_consent`, `consent_date`, `consent_source`
- Record the exact version of the privacy notice the user agreed to
- Implement a consent withdrawal mechanism that propagates across all modules
- Log all consent changes in an immutable audit trail with timestamps
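The consent fields, audit trail and cross-module withdrawal described above, as an added framework-agnostic example (not Odoo's own model API): the `Contact` class stands in for the ERP contact record, channel names and the `needs_reconsent` check are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# One independent opt-in per channel; nothing is pre-selected (all default to False).
CHANNELS = ("email_marketing", "sms_marketing", "personalized_ads", "analytics")


@dataclass(frozen=True)
class AuditEntry:
    """One immutable line of the consent audit trail."""
    timestamp: str
    channel: str
    granted: bool
    notice_version: str
    source: str


@dataclass
class Contact:
    """Stand-in for the ERP contact record carrying the consent fields listed above."""
    email: str
    consents: dict = field(default_factory=lambda: {c: False for c in CHANNELS})
    consent_date: dict = field(default_factory=dict)     # channel -> ISO timestamp
    consent_source: dict = field(default_factory=dict)   # channel -> form / API / import
    notice_version: dict = field(default_factory=dict)   # channel -> privacy notice version agreed to
    audit: tuple = ()   # tuple: entries can only be appended, never edited in place


def record_consent(contact, channel, granted, notice_version, source, now=None):
    """Set exactly one channel and append the change to the audit trail."""
    if channel not in CHANNELS:
        raise ValueError(f"unknown consent channel: {channel}")
    ts = (now or datetime.now(timezone.utc)).isoformat()
    contact.consents[channel] = granted
    contact.consent_date[channel] = ts
    contact.consent_source[channel] = source
    contact.notice_version[channel] = notice_version
    contact.audit += (AuditEntry(ts, channel, granted, notice_version, source),)


def withdraw_all(contact, source, now=None):
    """Withdrawal propagates: every active channel is revoked and each revocation is logged."""
    for channel in CHANNELS:
        if contact.consents[channel]:
            record_consent(contact, channel, False, contact.notice_version[channel], source, now)


def may_send(contact, channel):
    """Gate every module (mailing, SMS, ads, analytics) must pass before using the contact's data."""
    return bool(contact.consents.get(channel))


def needs_reconsent(contact, channel, current_notice_version):
    """True when consent exists but was given under an older privacy notice."""
    return may_send(contact, channel) and contact.notice_version.get(channel) != current_notice_version
```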
Cookie Compliance
GDPR's cookie requirements, reinforced by the ePrivacy Directive, demand:
- No non-essential cookies set before explicit consent
- Equal prominence for "Accept" and "Reject" buttons (no dark patterns)
- Granular cookie category selection
- Easy consent withdrawal
- Cookie consent records retained for audit purposes
Step 3: Data Subject Access Requests (DSARs)
Articles 15-22 give EU residents powerful rights over their data. You must respond within 30 days, and the clock starts when the request is received, not when you verify identity.
DSAR Types and Response Requirements
| Right | Article | Response Deadline | What You Must Provide |
|-------|---------|-------------------|-----------------------|
| Access | Art. 15 | 30 days | Copy of all personal data + processing details |
| Rectification | Art. 16 | 30 days (or "without undue delay") | Correct inaccurate data |
| Erasure | Art. 17 | 30 days (or "without undue delay") | Delete data unless legal obligation to retain |
| Restriction | Art. 18 | 30 days | Stop processing but retain data |
| Portability | Art. 20 | 30 days | Machine-readable export (JSON/CSV) |
| Objection | Art. 21 | 30 days | Stop processing for specific purpose |
Building a DSAR Workflow
At scale, manual DSAR handling is unsustainable. Build an automated workflow:
- Intake. Dedicated email address and web form for DSARs. Auto-acknowledge receipt.
- Identity verification. Verify the requester's identity without collecting excessive additional data.
- Data discovery. Automated search across all systems: ERP, CRM, email marketing, analytics, helpdesk, backups.
- Response compilation. Aggregate data into a structured format. For access requests, include processing purposes, categories, recipients, retention periods, and the source of the data.
- Review. Legal/privacy team reviews before sending. Redact third-party personal data.
- Fulfillment. Send response within 30 days. Log the request, response, and timeline.
- Erasure execution. For deletion requests, cascade the erasure across all systems including backups (with documented exceptions for legal retention requirements).
ERP-Specific DSAR Challenges
ERP systems present unique DSAR challenges because personal data is deeply integrated across modules:
- A customer's name appears in contacts, invoices, delivery orders, support tickets, and accounting entries
- Financial records may have legal retention requirements (typically 7-10 years) that override the right to erasure
- Pseudonymization is often preferable to deletion for financial records: replace the name with an anonymous identifier while retaining the transaction data for accounting purposes
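The erasure-execution step of the DSAR workflow and the pseudonymization of financial records above, combined in one added example (in-memory stand-in, not Odoo code): contacts and tickets are deleted, invoices keep their amounts but lose their direct identifiers. Module and field names are assumptions.

```python
import secrets

# Constructed sample data: one data subject (partner_id 7) spread across three modules.
ERP = {
    "contacts": [{"partner_id": 7, "name": "Jane Doe", "email": "jane@example.com"}],
    "support_tickets": [{"id": 101, "partner_id": 7, "body": "Jane Doe asks about order 55"}],
    "invoices": [{"id": 900, "partner_id": 7, "customer_name": "Jane Doe",
                  "address": "1 Main St", "total": 120.0, "tax": 20.0}],
}
# Modules whose rows must survive for accounting: the named fields are pseudonymized
# instead of the row being deleted, so totals and tax stay intact for reporting.
LEGAL_RETENTION = {"invoices": ("customer_name", "address")}


def pseudonym(partner_id, registry):
    """Stable anonymous identifier per subject. `registry` is the only re-identification
    key; keep it under strict access control or discard it once erasure is complete."""
    return registry.setdefault(partner_id, "ERASED-" + secrets.token_hex(4))


def erase_subject(erp, partner_id, registry):
    """Cascade one erasure request: delete where allowed, pseudonymize where retention law applies.

    Returns a per-module report to log alongside the DSAR."""
    report = {}
    for module, rows in erp.items():
        kept, hits = [], 0
        for row in rows:
            if row.get("partner_id") != partner_id:
                kept.append(row)
                continue
            hits += 1
            if module in LEGAL_RETENTION:
                for fld in LEGAL_RETENTION[module]:
                    row[fld] = pseudonym(partner_id, registry)
                kept.append(row)          # row survives, now without direct identifiers
            # otherwise the row is dropped entirely
        erp[module] = kept
        report[module] = {"affected": hits,
                          "action": "pseudonymized" if module in LEGAL_RETENTION else "deleted"}
    return report
```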
Step 4: Data Minimization & Retention
Article 5(1)(c) requires that personal data be "adequate, relevant, and limited to what is necessary." Article 5(1)(e) requires that data be kept "no longer than necessary."
Practical Data Minimization
Audit every data collection point:
- Registration forms. Do you really need date of birth, gender, or phone number at signup? If not, remove them.
- Checkout flows. Collect only what is needed to fulfill the order. Offer guest checkout to avoid creating unnecessary accounts.
- Analytics. Use privacy-preserving analytics (Plausible, Fathom) or configure GA4 for reduced data collection: IP anonymization, shortened cookie duration, and disabled user-ID tracking.
- ERP fields. Review custom fields added to contacts, orders, and other modules. Remove any that do not serve a documented business purpose.
Retention Policy by Data Type
| Data Type | Suggested Retention | Legal Basis |
|-----------|---------------------|-------------|
| Customer account data | Duration of relationship + 30 days | Contract |
| Order/transaction data | 7-10 years (tax/accounting laws) | Legal obligation |
| Marketing consent records | Duration of consent + 3 years | Legitimate interest (proof) |
| Support tickets | 2 years after resolution | Legitimate interest |
| Website analytics | 14-26 months | Consent |
| Employee HR data | Duration of employment + statutory period | Legal obligation |
| Failed payment attempts | 90 days | Legitimate interest |
| Application/CV data | 6 months (unless consent for longer) | Consent |
Automating Retention in Your ERP
Configure your ERP system to enforce retention policies automatically:
- Scheduled jobs that identify records past retention date
- Anonymization scripts that replace personal data with generic values while preserving aggregate data for reporting
- Backup rotation policies that ensure deleted data does not persist indefinitely in backups
- Documented exceptions for legal holds and ongoing disputes
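The scheduled retention job from the list above, as an added example (not Odoo's cron API): it applies the retention table to timestamped records, honours documented legal holds, and returns a plan for review rather than acting directly. Record fields, the 7-year choice for orders, and the hold reference are assumptions.

```python
from datetime import date, timedelta

# Retention periods in days following the table above; the 7-10 year range for
# orders is taken at 7 years here. "anchor" is the field that starts the clock.
RETENTION = {
    "customer_account": {"days": 30, "action": "delete", "anchor": "relationship_ended"},
    "order": {"days": 7 * 365, "action": "anonymize", "anchor": "created"},
    "support_ticket": {"days": 2 * 365, "action": "delete", "anchor": "resolved"},
    "failed_payment": {"days": 90, "action": "delete", "anchor": "created"},
}


def retention_decision(record, legal_holds, today):
    """Return (action, reason) for one record without mutating it."""
    policy = RETENTION[record["type"]]
    anchor = record.get(policy["anchor"])
    if anchor is None:          # e.g. account still active: the clock has not started
        return "keep", "retention clock not started"
    if record["partner_id"] in legal_holds:   # documented exception: dispute or legal hold
        return "hold", "legal hold: " + legal_holds[record["partner_id"]]
    expiry = anchor + timedelta(days=policy["days"])
    if today < expiry:
        return "keep", "expires " + expiry.isoformat()
    return policy["action"], "past retention since " + expiry.isoformat()


def retention_sweep(records, legal_holds, today):
    """The scheduled job: group record ids by the action to take, for review before execution."""
    plan = {"delete": [], "anonymize": [], "hold": [], "keep": []}
    for rec in records:
        action, _ = retention_decision(rec, legal_holds, today)
        plan[action].append(rec["id"])
    return plan


# Constructed sample records and a fixed "today" so the run is reproducible.
AS_OF = date(2024, 6, 1)
SAMPLE = [
    {"id": 1, "type": "customer_account", "partner_id": 7, "relationship_ended": date(2024, 1, 1)},
    {"id": 2, "type": "customer_account", "partner_id": 8, "relationship_ended": None},
    {"id": 3, "type": "order", "partner_id": 7, "created": date(2015, 6, 1)},
    {"id": 4, "type": "order", "partner_id": 9, "created": date(2015, 6, 1)},
    {"id": 5, "type": "support_ticket", "partner_id": 8, "resolved": date(2023, 12, 31)},
    {"id": 6, "type": "failed_payment", "partner_id": 8, "created": date(2024, 5, 1)},
]
HOLDS = {9: "open dispute ref DISPUTE-PLACEHOLDER"}   # placeholder reference
```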
Step 5: Processor Agreements & Vendor Management
Article 28 requires a written Data Processing Agreement (DPA) with every vendor that processes personal data on your behalf. This is not a nice-to-have --- it is a legal requirement.
Essential DPA Clauses
Every DPA must include:
- Subject matter and duration of processing
- Nature and purpose of processing
- Types of personal data processed
- Categories of data subjects
- Obligations and rights of the controller
- Sub-processor approval process
- Data breach notification obligations (without undue delay)
- Data deletion or return upon termination
- Audit rights for the controller
- Cross-border transfer mechanisms (SCCs or adequacy decisions)
Vendor Compliance Assessment
Create a vendor risk assessment that evaluates:
- Does the vendor have a published DPA? (Most major SaaS providers do)
- What certifications does the vendor hold? (SOC2, ISO 27001)
- Where does the vendor store data? (See our guide on data residency)
- Does the vendor use sub-processors, and how are they managed?
- What is the vendor's breach notification timeline?
For a broader view of how GDPR fits within the overall compliance landscape, see our enterprise compliance handbook.
Frequently Asked Questions
Does GDPR apply to B2B companies that only have business contacts?
Yes. GDPR applies to all personal data of EU residents, including business email addresses and direct phone numbers. Business contact data like a named person's work email ([email protected]) is personal data. Generic company emails ([email protected]) are not. Most B2B companies process personal data through CRM systems, email marketing, and website analytics.
What is the difference between a data controller and a data processor?
The data controller determines the purposes and means of processing personal data --- this is typically your company for your own customer data. The data processor processes data on behalf of the controller --- this includes your SaaS vendors, cloud providers, and payment processors. Controllers have broader GDPR obligations, but processors must also comply with Article 28 requirements and maintain their own records of processing.
Can we rely on "legitimate interest" instead of consent for marketing?
In theory, yes, but in practice it is risky for direct marketing. The ICO (UK) and CNIL (France) have taken strict positions that email marketing generally requires consent under both GDPR and the ePrivacy Directive. Legitimate interest can work for B2B marketing in some jurisdictions, but you must document a Legitimate Interest Assessment (LIA) and provide a clear opt-out mechanism. When in doubt, get consent.
How do we handle GDPR for data stored in backups?
Backups present a genuine challenge. The ICO has acknowledged that deleting specific records from backups may be technically impractical. The accepted approach is to maintain a "suppression list" of deleted data subjects and apply deletions when backups are restored. Document this approach in your privacy policy and DSAR responses. Ensure backup retention periods are as short as practicable.
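The suppression-list approach described in this answer, as an added example (not a feature of any particular backup tool): the list holds a keyed hash of the subject's email rather than the address itself, and only records created before the erasure date are dropped, so a subject who re-registers later keeps their new data. The demo key, field names and sample snapshots are constructed.

```python
import hashlib
import hmac
from datetime import date

# Constructed demo key. In production keep it outside the backup set so the
# suppression list holds no plaintext identifiers and cannot be reversed without it.
SUPPRESSION_KEY = b"constructed-demo-key"


def subject_token(email):
    """Keyed hash of the normalised email: the suppression list stores this, not the address."""
    return hmac.new(SUPPRESSION_KEY, email.strip().lower().encode(), hashlib.sha256).hexdigest()


# Constructed suppression list: token -> date the erasure was executed.
SUPPRESSION = {subject_token("jane@example.com"): date(2024, 3, 1)}

# Constructed backup taken before the erasure; orders link to contacts by partner_id.
BACKUP_BEFORE = {
    "taken_on": date(2024, 1, 15),
    "contacts": [
        {"partner_id": 7, "email": "Jane@Example.com", "created": date(2023, 5, 2)},
        {"partner_id": 8, "email": "sam@example.com", "created": date(2023, 6, 9)},
    ],
    "orders": [{"id": 1, "partner_id": 7, "created": date(2023, 7, 1), "total": 50.0},
               {"id": 2, "partner_id": 8, "created": date(2023, 8, 1), "total": 20.0}],
}
# Same subject re-registered after the erasure under a new partner_id: legitimately new data.
BACKUP_AFTER = {
    "taken_on": date(2024, 5, 1),
    "contacts": [{"partner_id": 12, "email": "jane@example.com", "created": date(2024, 4, 10)}],
    "orders": [{"id": 3, "partner_id": 12, "created": date(2024, 4, 11), "total": 9.0}],
}


def restore_with_suppression(backup, suppression):
    """Return (restored_backup, suppressed_row_count) without mutating the input."""
    drop_ids = set()
    for contact in backup["contacts"]:
        erased_on = suppression.get(subject_token(contact["email"]))
        if erased_on is not None and contact["created"] < erased_on:
            drop_ids.add(contact["partner_id"])   # erased after this data was created: do not resurrect
    restored, suppressed = {"taken_on": backup["taken_on"]}, 0
    for table in ("contacts", "orders"):
        kept = [dict(row) for row in backup[table] if row["partner_id"] not in drop_ids]
        suppressed += len(backup[table]) - len(kept)
        restored[table] = kept
    return restored, suppressed
```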
What penalties can a small eCommerce business actually face?
While headline fines are in the millions, supervisory authorities do consider company size and turnover when setting penalties. Small businesses are more likely to receive warnings, orders to comply, or fines proportionate to their revenue. However, the reputational damage and cost of remediation can be devastating even without a fine. The safest approach is proactive compliance.
What Is Next
GDPR compliance is not a one-time project but an ongoing program that must evolve as your business grows, your data processing activities change, and regulatory guidance develops. The good news is that GDPR compliance creates a strong foundation for every other compliance framework.
ECOSIRE builds GDPR-compliant eCommerce and ERP systems from the ground up. Our Odoo ERP implementations include consent management, DSAR automation, audit trails, and retention policy enforcement. For AI-powered data discovery and privacy automation, explore our OpenClaw AI platform. Contact us to schedule a GDPR readiness assessment.
Published by ECOSIRE — helping businesses scale with AI-powered solutions across Odoo ERP, Shopify eCommerce, and OpenClaw AI.
Author
ECOSIRE Research and Development Team
Building enterprise-grade digital products at ECOSIRE. Sharing insights on Odoo integration, eCommerce automation, and AI-powered business solutions.