If you’re reading this post, we’ve made it past the GDPR deadline of May 25th. It was a long and winding road leading up to the enforcement of Europe’s new privacy legislation, which set out to better protect how its citizens’ personal data gets collected, processed and used.
For us, a global personalization platform that customizes experiences for more than 600 million users each month, the GDPR meant much of the data being collected and analyzed within Dynamic Yield on behalf of our customers would now require special treatment. This was an enormous undertaking, and in this post I’m going to outline the internal steps taken to ensure the various measures ordered under GDPR were met.
Respecting the Customer Experience
At Dynamic Yield, we are champions of the customer experience and believe any meaningful interaction with a brand is one built from the unique needs and preferences of the individual. Our platform was designed to collect and analyze things like a user’s attributes, past behavior, interests, affinities, browsing activity and more to guide experience creation and deliver relevance. This sentiment, for the individual by the individual, largely influenced how our organization thought about GDPR as we set out on our path to compliance, because without respect and consideration for the end user’s privacy, the ultimate customer experience can never truly be gained.
As a core piece of our philosophy, the personalization and optimization services we provide have always been predicated on the highest standards of data integrity, which is why we saw the GDPR as an opportunity and not just new privacy legislation that required adherence solely to avoid penalties and fines. For Dynamic Yield, it’s what needed to be done in order to strengthen the trust between ourselves and our customers.
GDPR in Focus
With an unwavering commitment to data privacy and security, our organization worked tirelessly on tightening our data protection program and invested extensive resources in not only making sure Dynamic Yield complied with our processor-related regulations but also assisting customers in their own compliance when it came to managing a personalization program with Dynamic Yield.
First and foremost, this meant providing the infrastructure and functionality necessary to allow our customers’ end users to exercise their new rights:
- Requesting to know what data is being collected on them.
- Requesting to no longer be tracked.
- Requesting to delete all historical data stored thus far.
As our newly appointed Data Privacy Officer (DPO), I worked closely with our Chief Information Security Officer, our customer success team, and various other internal stakeholders to make sure we tailored a program which employed airtight technical and organizational security measures, or “TOMS” as they’re commonly known. These TOMS, which outline important information related to safeguarding, breach incidents, security assessments and audits, the use of sub-processors, international data transfers, data retention and destruction, liability and more, were clearly listed in an updated Data Processing Agreement (or DPA) that was sent out to our entire customer base and signed. This agreement constituted an understanding between us and our customers as far as data privacy and protection are concerned.
While our data center in Virginia continues to operate under the Privacy Shield Framework, an agreed-upon framework for the transfer of personal data from the EU to the US, we initiated and launched our EU based data center in Frankfurt. There, our EU customers may now store their data locally, without leaving the shores of Europe. With Privacy Shield coming under scrutiny in the months following the enactment of GDPR, we are making sure we are always updated on data privacy trends in the market and prepared to make any adjustments accordingly.
We made some pretty substantial changes to our workflows. For example, we solidified our commitment to only collecting data to analyze user behavior for the purpose of personalizing experiences. We won’t combine our customers’ data with data from other customers, we won’t share it with third parties, and we won’t use it for any unnecessary reasons. Additionally, we don’t onboard sensitive data from our customers, and no longer store IP addresses.
We also built internal flows for handling customer data related requests should particular information need to be accessed or deleted, creating more transparency between the processor, controller, and end user.
A New Era of Data Protection
For us, while the GDPR deadline has come and gone, our commitment to data privacy and security remains. On the heels of the Cambridge Analytica scandal and with California’s new privacy act already signed into law (as well as the Privacy Shield scrutiny previously discussed), we believe the new concepts and rules introduced by the GDPR mark only the beginning of an entirely new era in data protection.
As lawmakers, businesses, and individuals become more critical of how personal data is collected and used, we expect to see website owners become much more selective about their choice of processing vendors, contracting only with those processors who take data protection seriously. And at Dynamic Yield, we’re determined to be viewed as a trusted partner, mindful of our customers’ data concerns, and also as advocates for the larger movement to protect individual data rights across the globe.
For a detailed list of all of the requirements addressed above, and to stay informed on the continuous improvements of our privacy program, please visit dynamicyield.com/GDPR.