The Implications of GDPR on Personalization
The latest advancements in privacy, what data protection success looks like, and the steps our organization is taking to ensure GDPR compliance.
As many of our readers, customers, and partners are aware, major data protection changes are already in motion leading up to the official date of GDPR enforcement. A wide expansion of rights on behalf of data subjects, these new EU-wide privacy rules are set to create a seismic shift in the way personal information is defined, processed, used, and transferred, and the implications extend far beyond Europe’s borders.
As the Data Privacy Officer at Dynamic Yield (holding CIPP/E and CIPM accreditations from the International Association of Privacy Professionals), I wanted to share with you what we know about the latest advancements in privacy, what data protection success looks like, and the steps our organization is taking to ensure compliance.
What is GDPR?
GDPR, or the General Data Protection Regulation, is essentially a codification of privacy and data protection regulations. The aim of GDPR is to provide consistent guidance on privacy and data protection and respect for personal data of EU data subjects. GDPR replaces the previous EU privacy directive of 1995 and introduces some interesting concepts and changes to the preceding privacy and data protection regime.
Why is everyone suddenly so concerned about data privacy and protection?
GDPR, which is set to come into effect on May 25, 2018, has introduced many changes to the existing privacy regime. Let me discuss three of these changes:
- The requirement to receive a data subject’s consent to collection and processing of their personal data has been greatly broadened to include many cases which had previously not required such consent. A concept of “explicit consent” has also been introduced for more extreme cases, such as the collection and processing of what we call “sensitive” data, like religious affiliation, sexual orientation, trade union membership, etc.
- Another major change introduced by GDPR is the strict penalties levied upon violators of GDPR provisions, including fines which can reach upwards of $20 million and 4% of a company’s global revenue. This change alone would be enough to get everybody’s attention.
- Most importantly, for companies like Dynamic Yield and its clients, GDPR introduced a major change by widening the definition of “Personal Data” which is regulated by GDPR, to include what we call “persistent online identifiers” such as cookies, which are small text files storing tiny pieces of data on a user’s browser. What this essentially means is that all data collected by personalization platforms, and stored within these identifiers, is now regulated and requires special treatment.
What is the scope of GDPR?
GDPR applies to companies which operate in the EU but isn’t limited in scope to such companies. GDPR actually applies to any company handling personal data of EU data subjects, regardless of the location of such company.
The tentacles of GDPR are essentially extended globally to capture any website which stores information obtained from any EU site visitor, which, as you can imagine, probably includes every large website around the world. Whether you’re a European company, a North American company, or a Japanese company, if you collect and process information of EU data subjects, you are subject to compliance with the provisions of GDPR.
What are “Controllers” and “Processors” and how does GDPR treat each of these?
A “Data Controller,” according to GDPR, is an individual or body which “alone or jointly with others, determines the purposes and means of processing of personal data.” As you can guess, GDPR largely deals with the legal obligations of controllers, including obtainment of consent, explicit consent, opt-in mechanisms, accountability, breach notifications, etc.
On the other hand, “Data Processors” are those which “process personal data on behalf of the controller.” Processors are agents of the controllers and carry out the technical processing on their behalf. Dynamic Yield and other personalization platforms serve as “processors” to their clients, which serve as the “controllers” (naturally, Dynamic Yield may serve as a controller in other capacities such as marketing activities). However, Dynamic Yield is committed to not only complying with the processor-related regulations but also assisting controllers in their own compliance when it comes to managing a personalization program with Dynamic Yield.
How does Dynamic Yield help controllers comply with GDPR?
At Dynamic Yield, we aim to provide our controller customers with the comfort of knowing we’re doing everything in our power to make sure we, as processors, and our customers, as controllers, can operate jointly and freely while remaining compliant with GDPR.
- We are in the midst of establishing a brand new EU data center for customers who wish to store their users’ personal data within the confines of the EU.
- We are providing the ability to opt-out of DY services should any end user wish to do so, opting instead to receive unpersonalized experiences.
- We are strengthening our security measures for cross-border transfers, so we can continue to transfer personal data to our other processing locations without any risk of breach, all while remaining compliant under the adequacy decision fostered by the Privacy Shield framework.
- Lastly, as Data Privacy Officer, I have overseen the creation of a data subject complaint repository, and the flow for deleting, modifying, or transferring personal data upon request from a data subject. Essentially, for any rights on the part of the data subject which require controller adherence, Dynamic Yield will provide assistance where feasible.
Are cross-border transfers allowed under GDPR?
There’s a common misconception in the market about GDPR and cross-border transfers, particularly to the US. For those of you who’ve been following, in October of 2015, the European Court of Justice nullified the Safe Harbor framework. This was essentially an aggregation of guidelines which, if followed, rendered the measures undertaken by an American recipient of data as “adequate” under EU law. After this nullification, joint EU and US governmental authorities introduced the Privacy Shield framework which strengthened the requirements on US data recipients if they wanted their measures to be deemed as “adequate” by the EU authorities. GDPR doesn’t actually change this, and the Privacy Shield framework continues to serve as the agreed-upon framework for the transfer of personal data from the EU to the US.
As Dynamic Yield is “Privacy Shield” certified, our customers in the US and in the EU don’t have to concern themselves over whether their data is stored in the EU or in the US, as we and they would remain compliant under GDPR irrespective of the location in which the data is stored. However, we will provide the option of a brand new EU data center should a European controller require this explicitly.
Final words
As GDPR has introduced new concepts, especially in terms of its violation penalties, we expect to see website owners become much more selective about their choice of processing vendors, contracting only with those processors who take data protection seriously.
We at Dynamic Yield respect the data concerns of our customers and have committed to making sure they can use our personalization engine safely and compliantly. I would also like to invite any customer, partner or anyone contemplating working with Dynamic Yield to further discuss GDPR and other privacy matters directly with us over the next few months until GDPR kicks in.
If you have any additional questions about how Dynamic Yield is getting GDPR ready, please feel free to contact privacy@dynamicyield.com.