The Implications of GDPR on Personalization

Read the full transcript

Today I’m gonna talk a little bit about GDPR, Europe’s General Data Protection Regulation, which is set to come into effect on May 25 later this year. And specifically the implications it has on personalization, the practice of using information about a user to create more individualized experiences. With this brand new set of privacy and data protection laws, has come serious concerns and confusion among businesses, especially around how they can continue to collect and process their website’s personal data to deploy personalization campaigns without fear of violating GDPR. So, here is some stuff to keep in mind about staying compliant in order to continue safely running your personalization campaigns. Number one, any data stored within what GDPR calls online identifiers is now considered personal data. Personal data is the main topic of GDPR, leading to a very broad scope of data owned by website owners, used for personalization, that’s governed by GDPR. Number two, any business which determines, jointly or with others, the purposes and means of the processing of personal data is now considered a data controller. Therefore, website owners who are running personalization campaigns based on collected user data, are to be considered as data controllers, and are subject to the requirements laid out in the GDPR. Number three, any business that processes personal data on behalf of a data controller, now serves as a data processor. A personalization vendor, such as Dynamic Yield, is operating as a data processor on behalf of its customers, who are the data controllers, and is subject as such to the rules governing the processing of personal data. Now, it’s important to note that while the data controller bears most of the new burdens placed by GDPR, including obtainment of consent, explicit consent in some cases, provision of opt-in and opt-out mechanisms, and breach notifications to end users and supervisory authorities. A data processor can and should assist in the controller’s compliance. For example, as a data processor, we allow for our customers’ users to request the erasure, the transfer, or modification of their personal data from our servers. We also provide opt-in and opt-out mechanisms, as well as data portability functions. What we’re doing is essentially unburdening the data controller, and taking ownership of much of the compliance burden when it comes to managing personalization campaigns. Number four, when it comes to cross-border data transfers, such as from the EU to the US, any business operating under the privacy shield framework, which many businesses, including Dynamic Yield, already are, will remain compliant under GDPR, irrespective of the location in which the data is stored. However, for the particularly concerned controllers out there, Dynamic Yield is rolling out new EU-based data centers. So controllers wishing to store their data locally, can start doing so. Finally, another thing to keep in mind is that for those found in violation of GDPR rules, strict penalties may be imposed, with fines reaching upwards of 20 million Euros, or 4% of a company’s annual revenue. GDPR is really just too expensive to not be taken seriously. To summarize, as GDPR nears, it’s important to remember that website owners are facing quite a few new burdens they haven’t faced before, and the cost of non-compliance is simply too high to ignore. That’s why website owners need to be as selective as possible with their choice of data processors, and personalization vendors in particular. Controllers need to make sure they select vendors who are as enthusiastic and zealous as they are about privacy and data protection. We at Dynamic Yield respect the data concerns of our customers, and have committed to making sure they can use our personalization engine safely and compliantly. We invite all of our customers, and anyone interested in Dynamic Yield, to reach out to our privacy office at with any questions or concerns about our processing of end-user data. We’ll also be releasing some more GDPR-related content in the next few months leading up to the effective date of May 25th. Thank you.

With a brand new set of privacy and data protection laws, find out what you need to know about running your personalization campaigns safely and compliantly from the Data Privacy Officer at Dynamic Yield.