Area: Optimizely Platform
Applies to versions: Not applicable

The Optimizely platform and GDPR

Recommended reading 

Note: This section contains general information and recommendations on GDPR. It is by no means legal advice, or a complete material. You should always confer with your own legal expertise based on your own website, market, needs, and internal requirements. The complete regulation can be found here: https://www.eugdpr.org/.

GDPR is an acronym for a new regulation in the European Union and stands for General Data Protection Regulation. As a regulation, it is immediately applicable and binding for all member states. It takes effect on 25 May 2018.

The purpose of GDPR is to protect the privacy and personal data for the individual. To do this, the regulation gives more power to the data protection authorities in the member states to take action against businesses who do not follow the new laws. The penalties for not following GDPR can be quite severe, up to €20 million or 4% of the company's annual global turnover, whichever is the greater.

You should keep in mind that GDPR does not mean that you are not allowed to keep personal data in the future. But it does mean that you will have to think carefully before storing any personal data, and that you will have to have a clear motivation to do so and have a strict plan on how to handle this data.

GDPR in short

The GDPR rule of thumb is that you must be able to account for what user data you are storing, and why and how.

In this topic

Roles and responsibilities


  • Data subject. The individual that is protected according to GDPR. The data subject has the right to their own PII data, that is, they must consent to the storage of their data and they have the right to recall their consent, view their data, and to ask for their data to be updated or deleted.
  • Data controller. The company asking for and owning the private data, for example, a website owner or you as an Optimizely partner. The data controller is responsible for making sure that the data subject gives his or her consent for storing PII and also that the data subject is aware of the purpose of the PII data collection. This purpose might be that the data controller has a legal contract with the data subject, or to comply with legal obligations, or for a legitimate reason. Note that even if the data controller has a legitimate reason, it is still not allowed to override the data subject's interest.

    Note: The data controller is only allowed to collect data, with consent, for a specific purpose and for a specific time period. It is not allowed to store more PII data than necessary.

  • Data processor. The company/database/tool controlling the data, for example, Optimizely Digital Experience Platform. In Optimizely's case, we have only process data on the instructions from the data controller. It is also our responsibility to make sure that we have the appropriate technical and physical levels of security to protect the collected data. As data processor, we are also legally responsible to help the data controller with procedures for managing the collected data.
  • Regulators. Each EU member state has a data protection authority which oversees data protection in each member state and coordinates the work across all member states.

GDPR concepts

  • Personally Identifiable Information (PII). PII is any type of data that can, directly or indirectly, identify a data subject, that is, an individual (data related to organizations are not PII). This is data such as name, address, and phone number, but it can also be job title, IP address and sensitive data such as race, religion or political orientation. Encrypted or pseudonymized data is also viewed as PII, since it is possible to decrypt or de-pseudonymize the data. See Collecting data.

    Note: Anonymized data is not PII.

  • The right to consent. It is not allowed to collect PII data without the data subject's clear, unambiguous and affirmative consent. See Asking for consent.
  • Processing of data. You can only process data in the manner, to the extent and to the purpose you stated when receiving the consent. See Using data.
  • The right to access data. The data subject has a non-negotiable right to their own data. If you collect PII data, you must be able to extract that data and present that to the data subject within 30 days. See Fetching & updating data.
  • The right to be forgotten. The data subject has a right to ask you to delete their PII data. See Deleting data.
  • Data portability. The data subject has the right to ask you for all their PII data in a format that can be transferred to another company, vendor, system, etc., for example, if an insurance customer wants to move their insurance policies to another company. GDPR does not specify the format for this. See Fetching & updating data.
  • Data rectification. A data subject has the right to ask you to update their PII data and you have to comply within 30 days.
  • The right to object. The data subject has, at any point in time, the right to withdraw their previously given consent.

How does GDPR affect you?

If you run or work for an EU-based company, GDPR is directly applicable to your business and you must follow it. But even if your company is not based in the EU, you might be affected by GDPR. If you process any kind of personal data related to individuals based in the EU, GDPR is also applicable to your company.

What do you have to do?

First and foremost, if you haven't already, you need to do a GDPR audit of your organization, internal IT systems, your products, and your websites, together with a GDPR expert. It is crucial that you have your entire organization onboard for this work. The audit should result in an action plan with the steps needed to be GDPR compliant. In the end, all departments are affected by GDPR, so it is important that you have procedures in place and that everyone knows how their work is affected, what the GDPR procedures are and how breaches are handled etc.
See Optimizely Privacy Policy.

If you work for company processing large amount of PII data, you must have a dedicated Data Protection Officer (DPO). You should also have an Information Security Officer.

If the data protection authorities want to perform an audit at your company, you must be able to show them your GDPR guidelines, and these should include:

  • What type of data is collected? Is it PII data?
  • Who is collecting and using it?
  • Where is the data collected, used, stored, and transmitted?
  • For how long is the data collected, used, stored, and transmitted?
  • When is the data collected, used, stored, and transmitted?
  • How is the data collected, used, stored, and transmitted?
  • Why is the data collected, used, stored, and transmitted?
  • And how do you handle requests from data subjects that want to view, update or delete their PII data?

Do not forget that GDPR compliance is not something you set up once and then it is all set for the future. GDPR compliance is something that you need to keep in mind and work with every day in the future. Procedures need to be finetuned and updated; procedures need to be aligned to and adhered to, and employees, partners, and suppliers, need to be trained.

What you should have in place

  • Privacy policy
  • Data protection officer (at least if you process large amount of PII data)
  • Consent notification process and template
  • Process for accessing PII data (also known as Subject Access Request (“SAR”) procedure)
  • Process for updating PII data
  • Process for porting data
  • Process for deleting PII data
  • Process for cooperating with third-party companies, partners and vendors around GDPR issues
  • Data breach policy

Related topics

Do you find this information helpful? Please log in to provide feedback.

Last updated: Jun 19, 2018

Recommended reading