GDPR Data Subject Requests: Checklist for E-commerce

If you are running an online store on Shopify, Etsy, or WooCommerce, the General Data Protection Regulation (GDPR) isn’t just a legal footnote—it’s a daily operational reality.

For the average solopreneur, the phrase "Data Subject Request" (DSR) sounds like something only a corporate legal department should handle. However, under the GDPR, any customer in the EU has the right to ask you what data you have on them, why you have it, and to demand its deletion.

Ignoring these requests isn't an option. Fines are disproportionate, but perhaps more importantly, handling a DSR poorly destroys customer trust. This guide provides a streamlined, stress-free checklist to help busy sellers manage DSRs without losing hours of productivity.

What Exactly is a Data Subject Request?

A Data Subject Request is when a customer (the "data subject") exercises their rights under the GDPR. While there are several types of requests, e-commerce sellers usually encounter these three:

1. Right of Access (SAR): "Show me what information you have about me." 2. Right to Erasure (The "Right to be Forgotten"): "Delete my account and all personal data." 3. Right to Rectification: "Fix my incorrect shipping address or email in your records."

As a solopreneur, you have 30 days to respond. The clock starts the moment the email hits your inbox.

Step 1: Verify the Requester’s Identity

Before you export a single byte of data, you must ensure the person asking for the data is who they say they are. Sending sensitive customer information to a malicious third party is a massive data breach in itself.

- Check the email address: Does it match the order history? - Ask for verification if unsure: If the request comes from a generic or unknown email, ask for an order number or the last four digits of the payment method used. - Don't over-collect: Don't ask for a copy of their passport unless absolutely necessary for high-risk data. For a standard Shopify GDPR request, matching an email and a recent order number is usually sufficient.

Step 2: Locate the Data Across Your "Stack"

This is where solopreneurs often get overwhelmed. Your customer's data isn't just in your store backend; it’s scattered across your ecosystem. You need to check:

- Your Platform: (Shopify, WooCommerce, or Etsy). - Email Marketing: Mailchimp, Klaviyo, or Flodesk. - Customer Support: Re:amaze, Zendesk, or your Gmail/Outlook inbox. - Shipping & Fulfillment: ShipStation, Pirate Ship, or local courier apps. - Analytics: Heatmaps or specialized tracking tools.

Pro-tip: If you use a solopreneur legal kit, keep a "Data Map" document that lists every app that touches customer data. This makes this step take minutes instead of hours.

Step 3: Filter What You Must Keep (The "Legal Basis" Rule)

When a customer asks for deletion, you cannot always delete everything. Most e-commerce sellers are required by tax and accounting laws to keep transaction records for 5–10 years.

- Delete: Marketing profiles, abandoned cart data, birthday info, and support tickets. - Keep: Invoices, tax records, and proof of postage (for a limited time to defend against chargebacks). - Action: Inform the customer that you have deleted their marketing data but must retain their order history for tax compliance purposes.

Step 4: Execute the Request

Once you’ve identified the data, use the built-in tools provided by your platform.

- Shopify users: Go to the Customer Profile > More Actions > Erase Personal Data. This also triggers a notification to any apps you have installed. - WooCommerce GDPR tools: Use the "Export Personal Data" or "Erase Personal Data" tools under the Tools menu in your WordPress dashboard. - Etsy Privacy Policy: Since Etsy is a marketplace, they handle much of the heavy lifting, but you are still responsible for deleting any data you downloaded to your own computer (like a printed shipping label or a custom design file).

Step 5: Document Your Response

The GDPR is as much about proving compliance as it is about being compliant. Create a simple "DSR Log" (a basic spreadsheet works) to track:

- Date of request. - Type of request (Access, Erasure, etc.). - Date of completion. - Any exceptions made (e.g., "Retained Order #1234 for tax purposes").

Keep this log indefinitely. If a regulator ever knocks, this log is your shield.

Common Pitfalls to Avoid

- Forgetfulness in the Inbox: Most DSRs come in via email. If you don't have a dedicated "Privacy" or "Support" email, these requests can get buried in "New Order" notifications. Search your inbox weekly for keywords like "GDPR," "delete," "unsubscribe," or "personal data." - Neglecting the ePrivacy Directive: Remember that the ePrivacy Directive for e-commerce (the "Cookie Law") works alongside the GDPR. If a customer asks to be deleted, ensure you aren't still tracking them through non-essential cookies. - Charging a Fee: Under the GDPR, you generally cannot charge a fee for a DSR. You must provide the data for free.

The "Busy Seller" Cheat Sheet

If you’re tight on time, follow this 5-minute protocol: 1. Acknowledge: Send a template reply: "We've received your request and are processing it. We will update you within 30 days." 2. Platform Wipe: Hit the "Erase Data" button in your store backend. 3. Email Wipe: Delete the contact from your email marketing list. 4. Confirm: Email the customer once the platform confirms completion. 5. Log: Note it in your spreadsheet.

Summary

Handling GDPR requests doesn’t have to be a nightmare. By having a clear process and a solopreneur legal kit at your disposal, you can treat these requests as just another part of your customer service routine.

Privacy isn’t just a hurdle; it’s a way to show your customers that you respect them. A professional, prompt response to a data request can actually turn a departing customer into a brand advocate who respects your transparency.

Disclaimer: This guide is for informational purposes and does not constitute legal advice. For specific legal concerns, please consult with a qualified privacy professional.