HomeDev GuideAPI Reference
Dev GuideAPI ReferenceUser GuideGitHubNuGetDev CommunitySubmit a ticketLog In
GitHubNuGetDev CommunitySubmit a ticket

GDPR guidelines

Describes general guidelines on GDPR, and what to think about when collecting PII, deleting data and so on.



This section contains general information and recommendations on General Data Protection Regulation (GDPR). It is NOT legal advice, nor comprehensive. You should always confer with your own legal experts based on your own website, market, needs, and internal requirements.

General Data Protection Regulation (GDPR) is a regulation in the European Union that is immediately applicable and binding for member states. It took effect on May 25, 2018.

The purpose of GDPR is to protect the privacy and personal data of the individual. To do this, the regulation gives more power to the data protection authorities in the member states to take action against businesses that do not follow the laws. The penalties for not following GDPR can be severe, up to €20 million or 4% of the company's annual global turnover, whichever is greater.

GDPR does not mean that you cannot keep personal data in the future. Still, it does mean that you will have to think carefully before storing any personal data, have a clear motivation to do so, and have a strict plan on how to handle this data.

The GDPR "rule of thumb" is that you must be able to account for the user data that you store, including why and how.

Roles and responsibilities

  • Data subject – The individual that is protected according to GDPR. The data subject has the right to their own personally identifiable information (PII) data; that is, they must consent to the storage of their data, and they have the right to recall their consent, view their data, and ask for their data to be updated or deleted.

  • Data controller – The company asking for and owning the private data; for example, a website owner or you as an Optimizely partner. The data controller is responsible for ensuring that the data subject gives consent for storing PII and that the data subject is aware of the purpose of the PII data collection. This purpose might be that the data controller has a legal contract with the data subject to comply with legal obligations or for a legitimate reason. Note that even if the data controller has a legitimate reason, it can still not override the data subject's interest.



    The data controller is only allowed to collect data, with consent, for a specific purpose and for a specific time period. It is not allowed to store more PII data than necessary.

  • Data processor – The company, database, or tool controlling the data, such as the Optimizely Digital Experience Platform (DXP). In Optimizely's case, Optimizely only processed data using instructions from the data controller. Optimizely ensures that the appropriate technical and physical levels of security protect the data. As a data processor, Optimizely is also legally responsible for helping the data controller with procedures for managing the collected data.

  • Regulators – Each EU member state has a data protection authority that oversees data protection in each member state and coordinates the work across member states.

GDPR concepts

  • Personally Identifiable Information (PII) – PII is any data that can, directly or indirectly, identify a data subject; that is, an individual (data related to organizations are not PII). This data includes data such as name, address, and phone number, but it can also include job title, IP address, and sensitive data such as race, religion, or political orientation. Encrypted or pseudonymized data is also viewed as PII because it could be decrypted or de-pseudonymized. See Collect data.



    Anonymized data is not PII.

  • The right to consent – You are not allowed to collect PII data without the data subject's clear, unambiguous, and affirmative consent. See Ask for consent.

  • Processing of data – You can process data only in the manner and to the extent and purpose you stated when receiving the consent. See Store data.

  • The right to access data – The data subject has a non-negotiable right to their data. If you collect PII data, you must be able to extract it and present it to the subject within 30 days. See Fetch and update data.

  • The right to be forgotten – The data subject has a right to ask you to delete their PII data. See Delete data.

  • Data portability – The data subject has the right to ask you for all their PII data in a format that can be transferred to another company, vendor, system, and so on, such as if an insurance customer wants to move their insurance policies to another company. GDPR does not specify the format for this. See Fetch and update data.

  • Data rectification – A data subject has the right to ask you to update their PII data, and you have to comply within 30 days.

  • The right to object – The data subject has the right to withdraw their previously given consent at any point in time.

How does GDPR affect you?

If you run or work for an EU-based company, GDPR directly applies to your business, and you must follow it. Even if your company is not based in the EU, GDPR may affect your company. If you process personal data related to individuals based in the EU, GDPR is also applicable to your company.

What do you have to do?

With a GDPR expert, perform a GDPR audit of your organization, internal IT systems, products, and websites. You must have your entire organization onboard for this work. The audit should result in an action plan with the steps needed to be GDPR-compliant because all departments are affected by GDPR. You should have procedures in place so that everyone knows how their work is affected, the GDPR procedures, and how breaches are handled.

See Optimizely Privacy Policy.

If you work for a company that processes large amounts of PII data, you must have a dedicated Data Protection Officer (DPO). You should also have an Information Security Officer.

If the data protection authorities want to perform an audit at your company, you must be able to show them your GDPR guidelines, which should include the following information:

  • What type of data is collected? Is it PII data?
  • Who is collecting and using it?
  • Where is the data collected, used, stored, and transmitted?
  • How long is the data collected, used, stored, and transmitted?
  • When is the data collected, used, stored, and transmitted?
  • How is the data collected, used, stored, and transmitted?
  • Why is the data collected, used, stored, and transmitted?
  • And how do you handle requests from data subjects that want to view, update, or delete their PII data?



GDPR compliance is not something you set up once and then it is all set for the future. GDPR compliance is something that you need to keep in mind and work with every day in the future. You need to fine-tune and update procedures, align and adhere tp the procedures, and train employees, partners, and suppliers.

What should you have in place?

  • Privacy policy
  • Data protection officer (at least if you process a large amount of PII data)
  • Consent notification process and template
  • Process for accessing PII data, also known as Subject Access Request (SAR) procedure
  • Process for updating PII data
  • Process for porting PII data
  • Process for deleting PII data
  • Process for cooperating with third-party companies, partners, and vendors around GDPR issues
  • Data breach policy

For more product-specific guidelines, see Product-specific guidelines.

Related topics