Dirora
Back to blog
Guides

GDPR for Small Online Shops: The Plain-English Version

Dirora Team3 July 20268 min read

If you run a small online shop in the UK, you are almost certainly a data controller under UK GDPR, and the practical job is simpler than it sounds: know what personal data you hold, have a lawful reason to hold it, tell customers what you do with it, keep it secure, and honour their rights when they ask. That's the whole thing in one sentence. The rest of this guide unpacks each part in plain English, using the terminology GOV.UK and the Information Commissioner's Office (ICO) actually use, so you can get compliant without wading through legislation.

A quick, important note before we start: this is general information, not legal advice. Data protection is regulated and the details of your obligations depend on your specific business. When you need certainty, check the ICO's guidance at ico.org.uk or speak to a professional. With that said, let's demystify it.

What "GDPR" actually means in the UK now

Since Brexit, the UK runs its own version called UK GDPR, which sits alongside the Data Protection Act 2018. For a small shop the practical rules are broadly the same as the EU regime you may have heard about. Two roles matter:

  • Data controller — you decide why and how personal data is used. If you run the shop, that's you. You carry the legal responsibility.

  • Data processor — a company that handles data on your behalf under your instructions, such as your payment provider, your email tool, or your shop platform. They have their own duties, but they don't remove yours.

This distinction matters for how you talk about your tools. Your ecommerce platform, your Stripe account, your newsletter service — they are processors acting for you. They provide secure infrastructure, but you remain the controller who has to have a privacy policy, answer customer requests, and make the judgement calls. No platform "handles GDPR for you" end to end, and you should be sceptical of any that claims to.

Step one: know what personal data you hold

Personal data is any information that identifies a living person. In a typical online shop that's more than you'd think:

  • Names, delivery and billing addresses, email addresses and phone numbers

  • Order history and what someone bought

  • Account passwords (hashed, hopefully) and login records

  • IP addresses, cookie IDs and analytics data

  • Customer service emails and any notes you keep about people

  • Newsletter subscribers and marketing preferences

Card numbers are a special case: if you take payments through Stripe or PayPal, the sensitive card data is handled by them, not stored in your shop, which keeps you out of the riskiest part of payment data entirely. That's a genuine benefit of using an established processor rather than rolling your own checkout.

The practical exercise is to spend twenty minutes writing down every place customer data lives: your store database, your email inbox, your marketing tool, your spreadsheet of wholesale contacts. You can't protect or manage data you've forgotten you have.

Step two: have a lawful basis for using it

UK GDPR says you need a valid reason — a "lawful basis" — for each thing you do with personal data. There are six, but small shops mostly rely on three:

  • Contract — you need someone's name and address to fulfil the order they placed. No separate consent required; you can't post a parcel to nowhere.

  • Legal obligation — you must keep certain transaction records for HMRC and tax purposes, so you're allowed to retain order data for as long as the law requires.

  • Consent — for things the customer hasn't asked for, chiefly marketing emails. Consent must be a clear, opt-in action (a pre-ticked box doesn't count), and it must be as easy to withdraw as it was to give.

The mistake to avoid is bundling everything under "consent." You don't need consent to send an order confirmation — that's part of the contract. You do need it, in most cases, to add a buyer to your newsletter. Keeping those separate is both more compliant and more honest.

Step three: write a privacy policy that's actually readable

Every shop needs a privacy policy, and it should be plain enough that a customer could understand it. At minimum it explains:

  • Who you are and how to contact you

  • What personal data you collect and why

  • Your lawful basis for each use

  • Who you share it with (payment provider, courier, email tool)

  • How long you keep it

  • The customer's rights and how to exercise them

  • That they can complain to the ICO

The ICO publishes a free template and a small-business checklist that most shops can adapt in an afternoon. Link the policy in your footer and at checkout. Data protection lives next door to consumer transparency generally — the same instinct that makes you clear about returns and delivery under UK consumer rights law and the distance selling regulations is exactly the instinct you want here.

Step four: get cookie consent right

Cookies are governed by PECR (the Privacy and Electronic Communications Regulations) working alongside UK GDPR, and they trip up a lot of shops. The rule of thumb:

  • Strictly necessary cookies — the basket, login, security — can run without consent because the site literally won't work without them.

  • Everything else — analytics, advertising pixels, marketing trackers — needs the visitor's consent before it fires. That means a banner that lets people accept or reject non-essential cookies, with reject being as easy as accept.

If you've bolted a Facebook pixel and Google Analytics onto your store, those need consent. A banner that only says "by using this site you accept cookies" is not valid consent under current ICO guidance. Use a proper consent tool that blocks non-essential scripts until the visitor agrees.

Step five: keep only what you need

Two principles do a lot of heavy lifting: data minimisation (only collect what you actually need) and storage limitation (don't keep it forever). You don't need a customer's date of birth to sell them a candle. You don't need to keep a dormant account's data for a decade. Set sensible retention periods — for example, keep order records as long as tax law requires, then delete or anonymise the rest. Less data held is less data to secure, less to leak, and less to hand over when someone asks for a copy.

Step six: honour customer rights

Customers have rights over their data, and small shops must respond, usually within one month and usually free of charge. The ones you'll actually see:

  • Right of access — someone can ask for a copy of the data you hold about them (a "subject access request").

  • Right to erasure — the "right to be forgotten." You must delete their data unless you have a legal reason to keep it, such as tax records tied to a real order.

  • Right to rectification — correcting inaccurate details.

  • Right to object — chiefly, unsubscribing from marketing, which you must honour immediately.

You don't need a fancy system for this. You need to know where the data is (see step one) so that when a request lands, you can find, export, or delete it without a two-week panic.

Step seven: keep the data secure

UK GDPR requires "appropriate" security, scaled to your size and risk. For a small shop that means the sensible basics: HTTPS across the whole site, strong unique passwords and two-factor authentication on your admin accounts, limiting who on your team can see customer data, and using reputable processors rather than dodgy plugins. This is where your platform choice genuinely helps. A hosted store gives you SSL, managed hosting, and a payment flow where card data never touches your servers — infrastructure you'd otherwise have to build and maintain yourself. That reduces your risk surface, but it doesn't replace your own good habits like not emailing spreadsheets of customer data around.

Breaches: what to do if it goes wrong

A personal data breach is any security incident that exposes personal data — a hacked account, a misdirected export, a lost laptop. If a breach is likely to risk people's rights and freedoms, you must report it to the ICO within 72 hours of becoming aware of it, and tell affected customers if the risk is high. Not every minor slip needs reporting, but you must record every breach internally regardless. The practical prep is simple: know who decides, know the 72-hour clock exists, and keep the ICO's breach-reporting page bookmarked.

The ICO registration and fee

Most businesses that process personal data must register with the ICO and pay the annual data protection fee. For the vast majority of small shops this sits in the lowest tier — a modest annual amount rather than a scary one — and paying it is a legal requirement, not an optional extra. Check the current fee and your tier directly on the ICO website, since the figures are set by the ICO and can change. Registering also signals to customers that you take their data seriously.

Where your platform fits (and where it doesn't)

Here's the honest boundary. A modern platform like Dirora gives you the tools to run a shop responsibly: secure payments through Stripe and PayPal so card data stays with the processor, SSL and custom domains out of the box, and your own customer data under your control rather than scattered across bolt-on apps. What it does not do is make the legal judgement calls for you — you are the data controller, you decide your lawful bases, you write the privacy policy, you answer subject access requests, and you register with the ICO. Any tool is only ever a processor helping you meet obligations that remain yours.

Good data practice is also good business. The trust you build by handling data carefully is the same trust that turns first-time buyers into repeat ones — which is exactly the theme of our customer retention strategies guide. Compliance and loyalty pull in the same direction: treat people's information with respect and they come back.

Frequently asked questions

Does GDPR apply to a tiny one-person online shop?

Yes. UK GDPR applies to any business that processes personal data, regardless of size. There's no exemption for being small or new. For a small shop, compliance is mostly a handful of sensible habits rather than a huge project.

Do I need to register with the ICO and pay a fee?

Most online shops that handle customer data must register with the ICO and pay the annual data protection fee, which for small businesses is in the lowest tier. Check your exact tier and the current amount on the ICO website, as the fees are set by the ICO.

Do I need cookie consent if I only use Google Analytics?

Yes. Analytics cookies are non-essential, so they need consent before they run. You need a cookie banner that lets visitors reject non-essential cookies as easily as they can accept them, and it should block those scripts until the visitor agrees.

What's the difference between a data controller and a processor?

You, the shop owner, are the data controller — you decide why and how customer data is used and carry the legal responsibility. Your tools, such as your payment provider and shop platform, are processors acting on your instructions. Using them doesn't remove your obligations.

What should I do if I have a data breach?

Record it internally, and if it's likely to risk people's rights, report it to the ICO within 72 hours of becoming aware. Tell affected customers if the risk to them is high. Not every minor incident needs reporting, but you must document every breach either way.


Ready to build your store?

Start for free — no credit card required.

Get started