
Sep 30, 2021 | 7 minute read

2021 Update on GDPR and Its Impact on Brands and Consumers

written by Jeffrey Wright

ecommerce GDPR

Editor's Note: This post was originally published April 4th, 2018 and has been updated to reflect the current state of GDPR and other data privacy regulations impacting eCommerce in 2021.

Almost every online activity generates data that can be collected, stored, and shared. Shopping online, interacting with social media, installing mobile apps – all these actions leave a trail of data used to identify people.

That information has value on the dark web, making cybercrime a big business. Storing and securing data was largely unregulated until 2018, when GDPR took effect. Since then, 12 countries and a growing number of US states have jumped on board with their own version of GDPR, as either a new law or an addendum to previous laws.


These “rules” provide a legal line that companies transacting with customers online can use to operate, but is just meeting those government-mandated requirements enough? Even though companies are doing more to protect data, a recent STATISTS study shows an exponential increase in data breaches since 2005. The chart below highlights the rapidly growing risk of businesses being hacked and exposing your customers’ personal data, and this risk is not going away just because of government regulation.


Annual number of data breaches and exposed records in the United States from 2005 to 2020. Source: STATISTS

Companies with an eCommerce site need to make sure they stay compliant to avoid major fines, which is getting more complex in a borderless online market. They also need to be more transparent and responsive with customers when it comes to gathering, using, and protecting their personal data to create trust and loyalty. Without trust, it will be hard to grow your business online.

Impact of GDPR since 2018?

Under GDPR, companies have been facing potential fines of up to €20 million or 4% of global revenues, whichever is greater. While all companies are vulnerable, those with poor data-protection practices or those that incur data breaches due to their own negligence are particularly exposed. GDPR Enforcement Tracker has been tracking these fines, and through September 2021 there have been 778 fines levied, totaling €1,277,329,802. Below are the top 5 as reported by the site. Recognize any of the brands?

  1. July 16, 2021, Amazon Europe was fined €746,000,000 for non-compliance with general data processing principles
  2. September 2, 2021, WhatsApp Ireland was fined €225,000,000 for insufficient fulfilment of information obligations
  3. January 21, 2019, Google LLC was fined €50,000,000 for insufficient legal basis for data processing
  4. October 1, 2020, H&M was fined €35,258,708 for insufficient legal basis for data processing
  5. September 15, 2020, Telecom Italia was fined €27,800,000 for insufficient legal basis for data processing

GDPR is having sweeping implications around the world, and Europe isn’t the only geography bolstering data protection laws. While we could not find exact figures on how much has been invested to date, IIAP and EY reported that GDPR is costing companies an estimated $9 billion to stay compliant.

Image Credit: Forbes

With draconian fines a real possibility, this investment looks almost economical. However, fines are only part of the potential damage done by failure to comply. Loss of consumer trust and loyalty can be even more devastating, even for companies that do not need to be GDPR compliant. According to a survey by OnePoll, “86% of 2,000 respondents stated that they were ‘not at all likely’ or ‘not very likely’ to do business with an organization that had suffered a data breach involving credit or debit card details.”

Are data and privacy investments worth it?

So why does this cost so much? Think of the GDPR as a kind of consumer bill of rights governing data use. Under it, consumers have a variety of rights:

  • They must be able to access their personal data, know what is being collected and used by companies, and why.
  • Consumers “own” their information. Data accumulated on a consumer cannot be sold to third parties.
  • Companies must protect an individual’s IP address or cookie data with the same rigor as a name, address, and Social Security number.
  • Consumers have the right to request that their data be transferred to another business.
  • They may demand that any personal data be erased at any time from companies and third parties.
  • Companies must create new systems that put privacy first – not as an afterthought. Companies will be allowed to collect, store, and process information only if it is verifiably necessary.
  • Mandatory data breach notifications must be sent to individuals within 72 hours, including any event that risks the rights and freedoms of individuals.

To fulfill the above obligations, companies needed to invest in centralizing and securing data from likely hundreds of systems and data sources, not to mention hiring highly skilled professionals to deploy, manage, and be accountable for the data, systems, protocols, and communications needed to prove compliance and create buyer trust.

For context, when consulting for a Fortune 500 client back in 2010, pre-GDPR, and focusing on just marketing and sales technologies to drive a Customer360 data project, we found over 250 independent databases with over 10 million records we wanted to use for just direct communication strategies using email at the time.

Due to budgets, we focused on less than 10 data sources to get an MVP POC off the ground, and that scope alone cost over $1 million in budget.

It's not all about compliance, it is more about trust and loyalty

Investing in better customer data and security practice is not just to avoid government fines. As the post-pandemic global economy continues to expand digitally, gaining trust online is going to be one of the most important competitive differentiators companies can invest in. Companies that prove they are trustworthy and responsive to customer concerns about their data will rise above the fray and make it easier for customers to transact online.

This trust will also have a knock-on effect, as it will limit the inquiries by anxious customers that lead to the investigations and fines being levied by governments around the world.

According to Deloitte’s 2019 US retail privacy study, when consumers trust a retailer and are satisfied with their privacy policies, consumers are more likely to be open or neutral about sharing personal data (73 percent) compared to those who are dissatisfied or unaware (57 percent). That difference in trust can have a huge impact on generating online revenue from eCommerce.

The study went on to highlight a gap in customer perception of what their data is used for and what sellers are doing with data and why they gather it. The study reported that most consumers still believe the main purpose of data gathering by retailers is to share data with third parties or sell it to outside buyers.

However, retail executives in the survey “indicated the top three uses of consumer data is for increasing efficiencies in operations, improving product selection, and enhancing in-store services or experiences.” While the sellers are focused on better buying experiences, it won’t matter if the customer thinks it is all just a trick to resell and profit from their personal information.

This means the onus is on the seller to earn buyer trust through better communications, information, and experiences that show they can be trusted.

Ask yourself, is your current eCommerce solution helping you do that?

How to stay up to date

More information about the requirements and the impact of GDPR can be found by visiting To learn more about Elastic Path’s trust program focused on Security, Stability and Scalability, visit our trust page at

In the case of the GDPR, ignorance is anything but bliss.