Opportunity Above Adherence: Dynamic Yield’s Path to GDPR Compliance

If you’re reading this post, we’ve made it past the GDPR deadline of May 25th. It was a long and winding road leading up to the enforcement of Europe’s new privacy legislation, which set out to better protect how its citizens’ personal data gets collected, processed and used. 

Inboxes were littered with emails regarding “privacy policy updates” and seemingly every site across the web started serving cookie notices to their users to ensure T’s were crossed and I’s were dotted (guilty as charged). Companies like Facebook and Google both rolled out changes to their platforms, removing certain data sharing capabilities in hopes of dodging data protection agencies but were the first to face complaints over ‘forced consent.’ For some, the massive investment necessary to achieve compliance and avoid the significant fines associated with violating GDPR provisions meant shuttering operations in the EU entirely.

As a global personalization platform that customizes experiences for more than 600 million users each month, the GDPR meant much of the data being collected and analyzed within Dynamic Yield on behalf of our customers would now require special treatment. An enormous undertaking, in this post, I’m going to outline the internal steps taken to ensure the various measures ordered under GDPR were met.

Respecting the Customer Experience

At Dynamic Yield, we are champions of the customer experience and believe any meaningful interaction with a brand is one built from the unique needs and preferences of the individual. Our platform was designed to collect and analyze things like a user’s attributes, past behavior, interests, affinities, browsing activity and more to guide experience creation and deliver relevance. For the individual by the individual, this sentiment largely influenced how our organization thought about GDPR as we set out on our path to compliance because without respect and consideration for the end user’s privacy, the ultimate customer experience can never truly be gained.

A core piece of our philosophy, the personalization and optimization services we provide have always been predicated on the highest standards of data integrity. Which is why we saw the GDPR as an opportunity and not just a new privacy legislation that required adherence solely to avoid penalties and fines. For Dynamic Yield, it’s what needed to be done in order to strengthen the trust between ourselves and our customers.

GDPR in Focus

With an unwavering commitment to data privacy and security, our organization worked tirelessly on tightening our data protection program, invested extensive resources in not only making sure Dynamic Yield complied with our processor related regulations but also assisted customers in their own compliance when it came to managing a personalization program with Dynamic Yield.

First and foremost, by providing the infrastructure and functionality necessary to allow our customer’s end users to exercise their new rights:

• Requesting to know what data is being collected on them.
• Requesting to no longer be tracked.
• Requesting to delete all historical data stored thus far.

As our newly appointed Data Privacy Officer (DPO), I worked closely with our Chief Information Security Officer, our customer success team, and various other internal stakeholders to make sure we tailored a program which employed airtight technical and organizational security measures, or “TOMS” as they’re commonly known. These TOMS which outline important information related to safeguarding, breach incidents, security assessments and audits, the use of sub-processors, international data transfers, data retention and destruction, liability and more were clearly listed in an updated Data Processing Agreement (or DPA) that was sent out to our entire customer base and signed. This agreement constituted an understanding between us and our customers as far as data privacy and protection are concerned.

We initiated and launched our EU based data center in Frankfurt. There, our EU customers may now store their data locally, without leaving the shores of Europe. And with Privacy Shield coming under scrutiny in the months following the enactment of GDPR, now rely on Standard Contractual Clauses (SCCs) when it comes to processing our customer’s data.

We made some pretty substantial changes to our workflows. For example, we solidified our commitment to only collecting data to analyze user behavior for the purpose of personalizing experiences. We won’t combine our customers’ data with data from other customers, we won’t share it with third parties, and we won’t use it for any unnecessary reasons. Additionally, we don’t onboard sensitive data from our customers, and no longer store IP addresses.

We also built internal flows for handling and customer data related requests should particular information need to be access or deleted, creating more transparency between the processor, controller, and end user.

A New Era of Data Protection

For us, while the GDPR deadline has come and gone, our commitment to data privacy and security remains. With California’s new privacy act already signed into law (for which we are fully compliant), as well as the Privacy Shield scrutiny previously discussed), we believe the new concepts and rules introduced by the GDPR mark only the beginning of an entirely new era in data protection.

As lawmakers, businesses, and individuals become more critical of how personal data is collected and used, we expect to see website owners become much more selective about their choice of processing vendors, contracting only with those processors who take data protection seriously. And at Dynamic Yield, we’re determined to be viewed as a trusted partner, mindful of our customers’ data concerns, and also advocates for the larger movement to protect the individual data rights across the globe.

For a detailed list of all of the requirements addressed above, and to stay informed on the continuous improvements of our privacy program, please visit dynamicyield.com/GDPR.