The Implications of GDPR on Personalization

The latest advancements in privacy, what data protection success looks like, and the steps our organization is taking to ensure GDPR compliance.

VP Operations, Dynamic Yield

Read the full transcript

Today I’m gonna talk a little bit about GDPR, Europe’s General Data Protection Regulation, which is set to come into effect on May 25 later this year. And specifically, the implications it has on personalization, the practice of using information about a user to create more individualized experiences.

With this brand new set of privacy and data protection laws, has come serious concerns and confusion among businesses, especially around how they can continue to collect and process their website’s personal data to deploy personalization campaigns without fear of violating GDPR.

So, here is some stuff to keep in mind about staying compliant in order to continue safely running your personalization campaigns.

Number one, any data stored within what GDPR calls online identifiers is now considered personal data. Personal data is the main topic of GDPR, leading to a very broad scope of data owned by website owners, used for personalization, that’s governed by GDPR.

Number two, any business which determines, jointly or with others, the purposes, and means of the processing of personal data is now considered a data controller.

Therefore, website owners who are running personalization campaigns based on collected user data, are to be considered as data controllers and are subject to the requirements laid out in the GDPR.

Number three, any business that processes personal data on behalf of a data controller, now serves as a data processor. A personalization vendor, such as Dynamic Yield, is operating as a data processor on behalf of its customers, who are the data controllers, and is subject as such to the rules governing the processing of personal data.

Now, it’s important to note that while the data controller bears most of the new burdens placed by GDPR, including obtainment of consent, explicit consent in some cases, provision of opt-in and opt-out mechanisms, and breach notifications to end users and supervisory authorities. A data processor can and should assist in the controller’s compliance.

For example, as a data processor, we allow for our customers’ users to request the erasure, the transfer, or modification of their personal data from our servers. We also provide opt-in and opt-out mechanisms, as well as data portability functions. What we’re doing is essentially unburdening the data controller, and taking ownership of much of the compliance burden when it comes to managing personalization campaigns.

Number four, when it comes to cross-border data transfers, such as from the EU to the US, any business operating under the privacy shield framework, which many businesses, including Dynamic Yield, already are, will remain compliant under GDPR, irrespective of the location in which the data is stored.

However, for the particularly concerned controllers out there, Dynamic Yield is rolling out new EU-based data centers. So, controllers wishing to store their data locally can start doing so.

Finally, another thing to keep in mind is that for those found in violation of GDPR rules, strict penalties may be imposed, with fines reaching upwards of 20 million Euros or 4% of a company’s annual revenue. GDPR is really just too expensive to not be taken seriously.

To summarize, as GDPR nears, it’s important to remember that website owners are facing quite a few new burdens they haven’t faced before, and the cost of non-compliance is simply too high to ignore. That’s why website owners need to be as selective as possible with their choice of data processors, and personalization vendors in particular. Controllers need to make sure they select vendors who are as enthusiastic and zealous as they are about privacy and data protection.

We at Dynamic Yield respect the data concerns of our customers and have committed to making sure they can use our personalization engine safely and compliantly.

We invite all of our customers, and anyone interested in Dynamic Yield, to reach out to our privacy office at with any questions or concerns about our processing of end-user data.

We’ll also be releasing some more GDPR-related content in the next few months leading up to the effective date of May 25th.

Thank you.

As many of our readers, customers, and partners are aware, major data protection changes are already in motion leading up to the official date of GDPR enforcement. A wide expansion of rights on behalf of data subjects, these new EU-wide privacy rules set to create a seismic shift in the way personal information is defined, processed, used, and transferred, the implications far extend beyond Europe’s borders.

As the Data Privacy Officer at Dynamic Yield (holding CIPP/E and CIPM accreditations from the International Association of Privacy Professionals), I wanted to share with you what we know about the latest advancements in privacy, what data protection success looks like, and the steps our organization is taking to ensure compliance.

What is GDPR?

GDPR, or the General Data Protection Regulation, is essentially a codification of privacy and data protection regulations. The aim of GDPR is to provide consistent guidance on privacy and data protection and respect for personal data of EU data subjects. GDPR replaces the previous EU privacy directive of 1995 and introduces some interesting concepts and changes to the preceding privacy and data protection regime.

Why is everyone suddenly so concerned about data privacy and protection?

GDPR, which is set to come into effect on May 25, 2018, has introduced many changes to the existing privacy regime. Let me discuss three of these changes:

  1. The requirement to receive a data subject’s consent to collection and processing of their personal data has been greatly broadened to include many cases which had previously not required such consent. A concept of “explicit consent” has also been introduced for more extreme cases, such as the collection and processing of what we call “sensitive” data, like religious affiliation, sexual orientation, trade union membership, etc.
  1. Another major change introduced by GDPR is the strict penalties levied upon violators of GDPR provisions, including fines which can reach upwards of $20 million and 4% of a company’s global revenue. This change alone would be enough to get everybody’s attention.
  1. Most importantly, for companies like Dynamic Yield and its clients, GDPR introduced a major change by widening of the definition of “Personal Data” which is regulated by GDPR, to include what we call “persistent online identifiers” such as cookies, which are small text files storing tiny pieces of data on a user’s browser. What this essentially means is that all data collected by personalization platforms, and stored within these identifiers, is now regulated and requires special treatment.

What is the scope of GDPR?

GDPR applies to companies which operate in the EU but isn’t limited in scope to such companies. GDPR actually applies to any company handling personal data of EU data subjects, regardless of the location of such company.

The tentacles of GDPR are essentially extended globally to capture any website which stores information obtained from any EU site visitor, which, as you can imagine, probably includes every large website around the world. Whether you’re a European company, a North American Company, or a Japanese company, if you collect and process information of EU data subjects, you are subject to compliance with the provisions of GDPR.

What are “Controllers” and “Processors” and how does GDPR treat each of these?

A “Data Controller,” according to GDPR, is an individual or body which “alone or jointly with others, determines the purposes and means of processing of personal data.” As you can guess, GDPR largely deals with the legal obligations of controllers, including obtainment of consent, explicit consent, opt-in mechanisms, accountability, breach notifications, etc.

On the other hand, “Data Processors,” are those which “process personal data on behalf of the controller.” Processors are agents of the controllers and carry the technical processing on their behalf. Dynamic Yield and other personalization platforms serve as “processors” to its clients which serve as the “controllers” (naturally, Dynamic Yield may serve as a controller in other capacities such as marketing activities). However, Dynamic Yield is committed to not only complying with the processor related regulations but to assisting controllers in their own compliance when it comes to managing a personalization program with Dynamic Yield.

How does Dynamic Yield help controllers comply with GDPR?

At Dynamic Yield, we aim to provide our controller customers with the comfort knowing we’re doing everything in our power to make sure we, as processors, and our customers, as controllers, can operate jointly and freely while remaining compliant with GDPR.

  • We are in the midst of establishing a brand new EU data center for customers who wish to store their users’ personal data within the confines of the EU.
  • We are providing the ability to opt-out of DY services should any end user wish to do so, opting instead to receive unpersonalized experiences.
  • We are strengthening our security measures for cross-border transfers, so we can continue to transfer personal data to our other processing locations without any risk of breach, all while remaining complaint under the adequacy decision fostered by the Privacy Shield framework.
  • Lastly, as Data Privacy Officer, I have overseen the creation of a data subject complaint repository, and the flow for deleting, modifying, or transferring personal data upon request from a data subject. Essentially, any rights on the part of the data subject which requires controller adherence, Dynamic Yield will provide assistance where feasible.

Are cross-border transfers allowed under GDPR?

There’s a common misconception in the market about GDPR and cross-border transfers, particularly to the US. For those of you who’ve been following, in October of 2015, the European Court of Justice nullified the Safe Harbor framework. This was essentially an aggregation of guidelines which, if followed, rendered the measures undertaken by an American recipient of data as “adequate” under EU law. After this nullification, joint EU and US governmental authorities introduced the Privacy Shield framework which strengthened the requirements on US data recipients if they wanted their measures to be deemed as “adequate” by the EU authorities. GDPR doesn’t actually change this, and the Privacy Shield framework continues to serve as the agreed-upon framework for the transfer of personal data from the EU to the US.

As Dynamic Yield is “Privacy Shield” certified, our customers in the US and in the EU don’t have to concern themselves over whether their data is stored in the EU or in the US, as we and they would remain compliant under GDPR irrespective of the location in which the data is stored. However, we will provide the option of a brand new EU data center should a European controller require this explicitly.

Final words

As GDPR has introduced new concepts, especially in terms of its violation penalties, we expect to see website owners become much more selective about their choice of processing vendors, contracting only with those processors who take data protection seriously.

We at Dynamic Yield respect the data concerns of our customers and have committed to making sure they can use our personalization engine safely and compliantly. I would also like to invite any customer, partner or anyone contemplating working with Dynamic Yield to further discuss GDPR and other privacy matters directly with us over the next few months until GDPR kicks in.

If you have any additional questions about how Dynamic Yield is getting GDPR ready, please feel free to contact