GDPR-Compliant Contextual & Behavioral Targeting

“Behave!” we’ve all heard from our moms when we were kids. And we did – sometimes well, sometimes not really. However, apart from childhood mischievous adventures, how we behave online has a huge impact on what we see on the Internet.

In this article, we’ll talk about Behavioral Targeting and how it can be a solution for GDPR-bound advertising efforts.

In just a few months, the General Data Protection Regulation (GDPR) has managed to sweep over a ragged digital landscape riddled with questionable data mining hooks and make it a safer and cleaner place.

Whether it is the intimidating prospect of getting fined or a natural desire to avoid trouble, GDPR has made many companies in the advertising and ad tech industries reconsider their ways. The majority of ad tech operations are built around personal data collection, used for the benefit of an advertiser in one way or another.

The adoption of GDPR has turned attention to retargeting approaches that partially or wholly avoid the use of personal data as such – Behavioral Targeting and Contextual Targeting.

Let’s look at both of them.

What is Behavioral Targeting? GDPR-Friendly Solution

A basic retargeting operation consists of gathering certain user data and using it to deliver relevant ad content. The difference between regular retargeting and behavioral retargeting boils down to the use of personal data.

Behavioral targeting concentrates more on the web-browsing behavior of the users (the stuff that happens on the website) instead of holding onto their personal data as a basis for selecting relevant content.

From the technical standpoint, both types of retargeting operate similarly. There is user information, and it is matched with ad content to cause a reaction. But where one attempts to get as much information as possible, the other focuses on the part of user data that is most relevant for retargeting, with nothing in excess. Basically, you go from explicit demographic data to implicit, impersonal attribute data.

Coincidentally, it is a safer and more effective way of enabling a retargeting operation under the GDPR.

It should be noted that Behavioral Targeting still involves cookies. This means you need to add a notice describing the goals of data use and obtain the user’s consent. However, due to the limited extent of data use and the reliance on non-personally identifiable information, it is less problematic and based strictly on what occurs on your website. This makes gaining consent more of a question of UX writing than anything else.

In the case of behavioral targeting, the nature of the collected information is not directly linked to a particular user. Sure, it is gathered from the demonstrated behavior of the user, but it is not directly linked to them.

Instead, it is an abstract set of patterns that, if recognized, trigger a behavioral targeting operation. Mostly, it is adjusted to the content the user reacted to previously. As such, it may or may not resemble the behavior of a particular user. This information forms the basis for further developments.

Overall, web-browsing behavior data includes:

  • Pages visited by the user;
  • Overall session history;
  • Content preferences;
  • Referral sites;
  • Search requests and other types of input;
  • For registered users – login information (requires consent);
  • On-site actions (clicks, scrolls, etc.);
  • Interactions with specific elements of the site (ads, subscription and contact forms, etc.);
  • Time of visit.

After being collected, web-browsing behavior data is then analyzed and compiled into user profiles that enable further ad content delivery.

In addition to that, the analyzed information can be segmented according to set requirements. Based on content-related user information, an algorithm can estimate the approximate age and gender group and other preferences of the users and sort them into specific categories, which can later be targeted by advertisers.

How does behavioral targeting work?

Content customization and ad targeting are based on the user’s expressed preferences, i.e. demonstrated web behavior. Just as with regular retargeting, the information is aggregated with the assistance of a Data Management Platform.

The information is gathered from the pages of the advertiser’s or publisher’s website. This information allows constructing detailed profiles that enable precise and relevant content delivery.

For ad delivery, it provides a solid foundation for defining the initial ad placements.

This approach is also very useful in eCommerce, where such things as purchase intent, product search requests, interest in a particular category, comments and ratings can form a distinct portrait of the user without involving much personal data.

Contextual Targeting – GDPR-free Targeting

The fact of the matter is – behavioral targeting is a borderline GDPR-compliant practice. It doesn’t involve the use of personal data to the same extent as regular retargeting, but it still uses several types of personal information, such as the IP address, in order to operate. This means a detailed description of the data use and a user consent form are still required.

However, there is a way to avoid GDPR entirely and retain an effective ad tech operation – I’m talking about contextual targeting.

What is Contextual targeting?

It is a type of targeting that takes the opposite approach to behavioral targeting. Instead of focusing on the user, their available information and demonstrated behavior, contextual targeting bases its content delivery on the context of the particular page.

In essence, this is pretty much the same way ads were presented back in the print era.  

How does it work?

Instead of monitoring user activity, the pages of the website are scanned and categorized so that there is a direct connection between the contents of the page and the content of an ad. Then, when a user visits a particular page, a request goes to the ad server, which matches the data accordingly.

As a result, we get relevant ad content delivered to a target audience, but with even less reliance on personal data and user monitoring.

This technique is currently widely practiced by question-and-answer, review and recommendation sites like Quora, whose targeting is based on specific topics and relevant questions.
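As an added illustration of the two mechanisms described above (not code from the original post or from any product it describes), the Python sketch below derives a topic from page text alone for contextual targeting, and builds a behavioral profile from on-site events keyed by an opaque session token, refusing events that lack consent or carry personal data fields. The topic lexicon, ad catalogue and session events are constructed sample data.

```python
"""Contextual and behavioral ad selection with minimal user data.

Added example, not code from the original post or any product it describes.
The topic lexicon, ad catalogue and session events are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed lexicon: topic -> words a page about that topic tends to contain.
TOPIC_KEYWORDS: Dict[str, Set[str]] = {
    "cooking": {"recipe", "oven", "ingredients", "bake"},
    "travel": {"flight", "hotel", "itinerary", "passport"},
    "finance": {"mortgage", "savings", "interest", "loan"},
}

# Constructed ad catalogue: each ad is sold against a topic, nothing else.
ADS: Dict[str, str] = {
    "cooking": "Cast-iron cookware sale",
    "travel": "Weekend city breaks",
    "finance": "Fixed-rate savings account",
}

# Event fields that must never reach the profile store (data minimisation).
DISALLOWED_KEYS = {"ip", "email", "name", "user_id"}


def categorize_page(text: str) -> Optional[str]:
    """Contextual targeting step: derive a topic from the page text alone.
    No cookie, IP address or visitor identifier is involved."""
    words = {w.strip(".,!?;:").lower() for w in text.split()}
    scores = {topic: len(words & kws) for topic, kws in TOPIC_KEYWORDS.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] > 0 else None


def select_contextual_ad(page_text: str) -> Optional[str]:
    """Ad-server side of contextual targeting: page topic -> ad, no user data."""
    topic = categorize_page(page_text)
    return ADS.get(topic) if topic else None


@dataclass
class SessionProfile:
    """Behavioral targeting profile: holds only on-site events keyed by an
    opaque session token (constructed), never who the visitor is."""
    token: str
    consented: bool = False
    topic_views: Counter = field(default_factory=Counter)


def record_event(profile: SessionProfile, event: dict) -> str:
    """Record one on-site page view. Returns a status string so the caller
    can see why an event was dropped: no consent, or it carried personal
    data fields that belong nowhere near an ad profile."""
    if not profile.consented:
        return "no_consent"
    if DISALLOWED_KEYS & set(event):
        return "rejected_pii"
    topic = categorize_page(event.get("page_text", ""))
    if topic:
        profile.topic_views[topic] += 1
    return "recorded"


def select_behavioral_ad(profile: SessionProfile, min_views: int = 2) -> Optional[str]:
    """Pick an ad from the dominant on-site interest, only once the pattern
    is strong enough (min_views) to avoid reacting to a single stray click."""
    if not profile.topic_views:
        return None
    topic, views = profile.topic_views.most_common(1)[0]
    return ADS[topic] if views >= min_views else None


if __name__ == "__main__":
    print(select_contextual_ad("Preheat the oven and mix the ingredients for this recipe."))
    session = SessionProfile(token="sess-0001", consented=True)
    for page in ("Book a flight and a hotel", "Check your itinerary and passport"):
        record_event(session, {"page_text": page})
    print(select_behavioral_ad(session))
```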

Contextual / Behavioral Retargeting Benefits

GDPR Compliance

Questionable or undisclosed use of personal data has been an issue in the advertising industry for a long time.

Now, with legislation getting stricter and public concern at an all-time high, the Wild West-style ways of doing digital advertising are gone, and there is a need to figure out cleaner, more transparent and more effective ways of delivering advertisements without walking on eggshells or breaking the rules.

Implementation of either Behavioral or Contextual Targeting can be one of the solutions instrumental in keeping ad tech as effective as it was while staying within the legal field.

While there are challenges in the case of Behavioral Targeting regarding gaining user consent for storing cookies and gathering selected types of personal data (such as the IP address), it is still less problematic than full-on old-school retargeting.

On the other hand, Contextual Targeting completely avoids GDPR and does its job the other way around – by concentrating on the content of the page instead of the user.

Superior Ad Content Delivery Precision

The most significant benefit of implementing Behavioral Targeting and Contextual Targeting is not GDPR compliance (while that is a great addition); it is the streamlining of the ad tech operation.

The use of personal data has started holding the technology back: with the adoption of the GDPR and the growing public backlash against digital advertising playing dirty with personal data, the winds of change are blowing harder than ever. Both Behavioral Targeting and Contextual Targeting are reasonable alternatives that can do the same job, only better.

While behavioral targeting involves user monitoring to a certain degree, it avoids using personal data for advertising purposes. Instead, it gathers information on the user’s on-site behavior and, based on its specific elements, delivers relevant ad content.


Conclusion

It is interesting to observe how GDPR forces changes in the Ad Tech landscape. Its adoption presents an exquisite challenge for the industry – how to study target audiences effectively without overstepping, bluntly watching them and grasping as much data from them as possible?

Overall, GDPR is pushing digital advertising in a more matter-of-fact direction, where its operation is based strictly on actual actions and not on unsolicited surveillance.

Behavioral and Contextual targeting are two viable solutions to the challenges presented by the new GDPR-induced status quo. Both offer a “less is more” approach. They show that it is possible to study and segment the audience and subsequently deliver relevant ad content without blatantly profiling users.


Why Data Security and Privacy Matter

Data security and privacy are getting a much-needed spotlight right now, as they probably should. Given the fact that companies gather a lot of sensitive user data to enable their services, it is fair to say that security must be one of the top priorities.

But judging from the list of recent breaches like:

Data security in the enterprise sector is more of an afterthought than a top priority for many companies. 

Since companies are responsible for the safety and confidentiality of users’ data and are held accountable for everything that happens to it, it is better to be in the know on this topic.

In this article, we will explain why maintaining data security and privacy is more important than ever. 

Why data security and privacy are more important than ever

Data Security and Privacy are two foundational elements of building trust between the company and the user. Proper data security can be considered a significant differentiating factor for many consumers, in light of breaches and violations. 

What is usually at risk?

  • Personally identifiable information (addresses, phone numbers, passport data),
  • Personal health information and medical records,
  • Payment card and banking information, 
  • Intellectual property, 
  • Social Security numbers, insurance information.

These are the types of information that require privacy and high-security standards.

According to an IBM cybersecurity study, 75% of customers won’t even consider buying a product if they have doubts that the company will keep their personal data safe and private.

This is reasonable behavior, since the consequences of careless database maintenance (Equifax) go far beyond ominous finger-wagging, into $1.4 billion in losses, coupled with the loss of customer trust. Or let’s remember that time when Facebook stored user passwords in plaintext. That wasn’t very nice. And these are just a few of the many examples.

But these things don’t come out of anywhere. A breach, or any other security or privacy compromise, is simply the boiling point of a situation that was building up for some time. 

There are several reasons why data security has become an issue. 


Data Security Issues

Keeping up with explosive big data growth

It is a well-known fact that in the last couple of years we have produced more data than in the previous millennia. It is growing at an exponential rate, and it will keep growing.

One of the reasons for this is the never-ending, and often winding, quest for gaining more insight into the market situation or the target audience than the competition. This process includes storing user data, including personal information, and also such things as behavioral data and all sorts of activity logs. This is a lot of data. Facebook alone has around 2.5 billion accounts, and who knows how much data one user produces throughout a single session from an analytical point of view.

Data growth is a big challenge. Keeping up with it, whilst keeping it all together, is extremely hard. Companies need to maintain the entire infrastructure and keep it scalable while data sources keep expanding, and the scope of the data follows suit exponentially due to various forecasting and prediction needs. And you need to keep all this data to understand the big picture and identify future opportunities.

This factor slowly but surely turns data infrastructure into an absolute mess. And because of this, data security suffers. Security practices and tools become obsolete, blind spots occur, negligence happens, and voila – “you’ve got a breach.”

Growing operational complexity

The other side of constant data growth is the increasing complexity of the data processing operation. There are way too many moving parts to keep an eye on. 

Due to the enormous scope of the data processing operation, and the multiple moving parts involved, process oversight often becomes lax, and compliance with security standards often becomes obsolete or, even worse, completely non-existent. The standard rule is “if it isn’t broken, it doesn’t need fixing.” And so it goes.

Facebook keeping user passwords in plaintext is an excellent example of this mindset. Little issues pile up here and there, and when a part breaks there is nowhere to go.

The factors for growing operational complexity are as follows:

  • Transition to cloud computing and storage;
  • Use of big data applications and databases;
  • Disparate tools from multiple vendors that process sensitive data.

While the first two factors are under relative control due to being inside the organization, the plot thickens when it comes to applications from outside vendors. 

  • What if one of those tools is compromised? Like that time when Paypal had a data breach.
  • What if a third-party vendor is using your business data for its own purposes? Like Amazon, which uses vendor data in addition to customer data to perfect their service. 

However, these serious concerns are often ignored in favor of getting more results, faster. Guess what happens next? 

New privacy regulations (GDPR, CCPA, et al)

2018 was a landmark year in terms of data security regulations. After years of hesitation and stalling (for example, the last time the EU upgraded its data security legislation was in 1995, which is prehistory), the legislation finally caught up with technological progress, and now companies have to take responsibility for users’ personal data, privacy and security.

  • In May of that year, the European Union adopted the General Data Protection Regulation (GDPR);
  • Later in June, the State of California passed the California Consumer Privacy Act (CCPA).

Both GDPR and CCPA provide ground rules regarding what is acceptable and unacceptable with personal data, and also clarify what happens to those who want to play fast and loose with someone else’s sensitive data. They also describe a course of action in the event of a data breach or other security compromise.

One of the most significant innovations of this legislation is the Data Protection Officer, a person whose entire purpose is to keep an eye on the security and privacy practices within the company and impose high-security standards throughout the organization.

The other significant innovation of GDPR is the fines and penalties for violating the compliance guidelines. For example, non-compliance with GDPR may, in some cases, result in a fine of €20 million or 4% of global turnover, which is no laughing matter.

In conclusion

Whether we want it or not, we live under the constant threat of data breaches. Every week there is a news piece about some big company having a security issue that resulted in a massive amount of users’ personal data being exposed and sold on the black market. Reputations are blemished, trust is nil, and money is lost.

It is essential to understand the reason why these things are allowed to happen and realize how much is at stake when it comes to personal data and other sensitive information. 


What Is GDPR and Why You Should Not Ignore This EU Data Protection Regulation

May 25th, 2018 is going down in history as the day when things change on the Internet. It is the day when the General Data Protection Regulation (GDPR) finally comes into effect across the entirety of the European Union.

Even less than a month before this great event, it is absolutely obvious that GDPR’s full implementation is a game-changing moment in the long and winding issue of internet privacy, which was spiralling out of control in recent years.

What is GDPR?

The General Data Protection Regulation, aka GDPR, is the result of a six-and-a-half-year quest to bring sense and justice to the basic principles of data protection.

GDPR is a set of rules designed to give users more control over their personal information and impose transparency and accountability on the companies who gather it.

For years, attempts to update data protection laws had struggled with a lack of public awareness and demand, the unwillingness of companies to abide by them, and the relentless stalling of politicians.

The most recent GDPR predecessor, the Data Protection Directive, was implemented way back in 1995, and it is fair to say that it didn’t age well. The problem was that its instruments of influence had become outdated and ineffective.

However, it served as a fine foundation. The DPD clearly stated the basic thing: individuals retain ownership rights over their personal information after they have shared it with a third-party company in exchange for certain services. But the biggest flaw of the DPD was that it was merely a directive and, as such, was interpreted differently by the various members of the Union. GDPR, on the other hand, is a regulation. That means it is a unified set of rules enforced by supervisory authorities across all members of the European Union.

In essence, the General Data Protection Regulation was designed to make sense of, and bring some form of order to, the user–service provider relationship. It is all about bringing transparency, responsibility and trust to the relationship between users and the various companies that collect their data in exchange for seemingly free services.

For the users, new data privacy laws give control over their personal data and provide them with legal instruments to demand its removal, correction, or simply an explanation of the purposes of its use.

On the other hand, GDPR makes companies accountable for their actions and responsible for the safety of information from malicious intent or leakage.

Another important thing is that GDPR introduces a rather harsh system of penalties, designed to humble those who don’t want to play by the rules or who act carelessly enough to expose their systems to malicious actors or data breaches.

Why is GDPR implemented and why now?

The motivation behind the adoption of GDPR is rather obvious – the European Union badly needed legislation that would reflect and regulate how people’s personal data is used by various companies, especially those who offer their services for free in exchange for gathering data from their users (the usual suspects: Google, Facebook, Twitter, Amazon, etc.).

For a while the problem with privacy and information security regulation was pitifully dependent on “the kindness of strangers” – there were no solidly defined rules regarding terms of personal data usage. Basically, companies could do whatever they wanted with the gathered data and there were no legal instruments to deal with stretching the boundaries of data privacy.

However, recent data breaches and illicit user data gathering scandals (such as the Equifax leak or the still ongoing Cambridge Analytica scandal) raised awareness of the subject considerably, to the point where it became painfully obvious that current legislation simply couldn’t handle such problems.

To put it bluntly, 1995’s Data Protection Directive was absolutely inadequate for the current state of things, and it had been that way for a long time. In fact, the DPD was way past its sell-by date by the early 2000s – it was in dire need of either a significant update or complete replacement. Years of pretending that nothing was happening, combined with a blatant refusal to take action on the burning issue, resulted in an awkward game of catch-up with reality.

Among the things that were updated and reiterated was the expansion of the definition of personal information and further elaboration on the rights and responsibilities of the parties involved in the data processing.

Back in January 2012, the European Commission announced its intention to substantially update data protection policies across the European Union. GDPR was designed as the centerpiece of the reform. It took four years to get it right, and finally, in April 2016, it was adopted with a two-year period of transition and preparation for its coming into effect this May.


What’s next?

While GDPR is far from the best solution – it is already something and it is a “better late than never” kind of situation. At least now we have something. The timing couldn’t have been any better because of increased awareness of the importance of privacy and security.

It is a big achievement considering the turbulent history of previous attempts at developing privacy regulations and the absolute uncertainty about the future of privacy on the internet.

Stay tuned – we have prepared a series of posts on GDPR and what companies and users should do and expect from this law (and, as a bonus, it’s explained in simpler-than-law-terms language.)

* * *


How GDPR Works

You know the drill: those who control the information rule the world. And as we get further entangled in the nets of various third-party applications, we are giving away more and more of our personal information to nondescript third parties who use it as they see fit for their own good.

Even more so – most of the time we do it willfully on our own not fully comprehending the possible consequences of such nonchalant and careless giveaways.

To make matters worse, until recently, there was no actual regulation regarding the use of personal information. That is why GDPR is so important.

Previously, we covered why GDPR was implemented. This time we are going to explain how it works.

GDPR Overview

We live in a tumultuous time. At the current moment, information is probably the most valuable resource and it seems like there is some kind of a gold rush regarding getting bits and pieces of this precious matter. Everyone is digging for information in one way or another. Why? Because that is how companies make money these days.

And because of that, this is something that must be thoroughly regulated in order to prevent even the slightest possibility of abuse or misuse of personal information by any means, intentional or not. Users should know their rights, and companies should know their responsibilities.

In GDPR, personal information is defined as a set of the following characteristics:

  • Identity information
    • Name
    • Address
    • ID numbers
  • Web data
    • Geolocation
    • IP address
    • Cookie data
    • RFID tags
  • Health and genetic data / biometric data
  • Racial/ethnic data
  • Identity specification
    • Psychological
    • Cultural
    • Social
    • Political opinions
    • Sexual orientation
  • Economic status

The DPD stated that users have ownership rights over personal data after sharing it with a third-party company in exchange for its services. GDPR elaborates on that and puts it on solid ground. It is designed to bring balance to the relationship between companies and users. Basically, it brings the principles of “fair game” to data operations and establishes a clearly defined “code of conduct” for users and companies – something that was barely regulated by GDPR’s predecessor, the DPD.

GDPR principles of Data protection include:

  • Lawfulness, fairness, and transparency
  • Limitation of purpose
  • Minimization of data
  • Accuracy
  • Limitation of storage
  • Integrity and confidentiality
  • Accountability

For companies, GDPR outlines the rules for gathering and using users’ information. Its biggest innovation is making the user’s consent an absolute must. It is a requirement, and ignoring it can lead to significant fines. Any kind of data gathering is illicit unless there is the user’s official consent.

GDPR stresses the importance of accountability in the process of building and maintaining trust between users and the company. It urges every company to follow its guidelines and demonstrate compliance with the updated regulation.

GDPR Rights & Responsibilities

One of the major goals of implementing GDPR was to clearly define who does what, how, and why in the data processing operation. While it might seem really simple, the legal peculiarities are no joke, and it all needed precise clarification.

The entire set of rights and responsibilities regarding data processing is divided between several parties:

  • Data Subject, aka User – a natural person who provides personal data for processing;
  • Data Controller – an organization or company that determines the purposes and means of the processing of personal data;
  • Data Processor – an organization or company that processes personal data on behalf of the controller (the Controller and Processor may be the same company).

Every involved party has a distinct set of rules and requirements. The document specifically describes procedures that should be undertaken in cases of system failures, hacks, or data breaches.

GDPR requirements for the companies are the following:

  • Perform data processing in a law-abiding, fair and transparent way, with valid consent from the data subject that can be revoked at any time;
  • Thoroughly explain the purpose of the data usage;
  • Provide evidence of consent in the form of a signed document;
  • Limit data gathering to what is necessary for the specific purpose;
  • Limit data storage to the period during which the data is necessary for correct operation;
  • Maintain the accuracy of the data (by cooperating with users, aka data subjects);
  • Adopt the “privacy by default” principle: data protection must be considered for every new process or system at the design stage;
  • Keep records of data processing that can be reviewed by regulators;
  • Provide secure, sealed-off data storage;
  • Inform the authorities about data breaches within a 72-hour time frame;
  • Inform users (aka data subjects) about data breaches;
  • Implement technical and organizational measures to ensure the protection of users’ data rights;
  • Conduct regular privacy risk assessments;
  • Explain how and why personal data is going to be processed;
  • Appoint a Data Protection Officer to oversee the data processing activities.

Aside from that, GDPR introduces a system of rather harsh fines for violating the guidelines. Fines are imposed on a case-by-case basis and depend on the severity of the violation and the amount of damage done. Overall, fines range up to €10 million or €20 million, or 2% or 4% of the company’s global annual turnover for the previous financial year, depending on the severity of the case.

On the other hand, GDPR gives users (aka data subjects) an elaborate set of privacy rights that provide them with tools to control the use of their personal information. Believe it or not, while these rights seem obvious, until the adoption of GDPR they were not legally enforceable.


Here they are:

  • Right to be forgotten – i.e. erasure of gathered data;
  • Right to object to automatic data processing;
  • Right to restrict data gathering, processing, or storing;
  • Right to be informed of the means of the gathering of the personal data;
  • Right to get a copy of the gathered information in its entirety;
  • Right to revoke given consent;
  • Right to have the personal record corrected at request.

The most important innovation for users is the right to be forgotten, which enables requests for the deletion of personal data from companies’ databases unless there is a legal ground that justifies keeping the information. GDPR also regulates the conduct of automated decision-making routines and gives users the instruments to object to or rectify certain elements.

What’s Next?

While it is hard to say how successful it will turn out, judging from the documents, it seems like GDPR is going to force certain overachieving companies to pay their dues.

On the other hand, it finally gives the user distinct instruments to control their personal data and counter any possibility of its unlawful use.

* * *


GDPR Implementation for Business: Challenges and Opportunities

Believe it or not, up until late 2017 the majority of the companies seemed to be blissfully unaware of the impending “doom” of the GDPR full implementation.

If you look at Google Trends — you will notice a rapid growth of interest by January 2018. For the record, GDPR was adopted in May 2016.

In many ways, no one was really ready for the coming of the GDPR. While it was adopted way back in 2016 and there was a lot of time to prepare, the majority of companies didn’t bother until the heat was around the corner.

While it can be written off to the generally careless attitude that prevails in many technology-oriented companies, it is also absolutely mystifying why it took so long to realize that GDPR is real and here to stay, and you either adjust to it or go away with a somber, solemn look on your face.

The entire process of implementing the GDPR principles is a considerable challenge both for companies and for users. Not only is there a lot to do in order to follow the guidelines, but there is a need to adopt certain practices that will exclude any possibility of a violation.

In this article, we will break down all the major challenges that come with the adoption of GDPR and describe its possible benefits for the companies and the users.

GDPR Challenges for Business

An overarching GDPR challenge for any company that uses personal data is the sheer scope of the work to be done in order to fit the updated guidelines. It is humongous, and it needs a very delicate and thorough approach.

Overall, the challenges of implementing GDPR for companies can be divided into technical and organizational.

Let’s break them down one by one.

Adapting to many new requirements

The imposing number of requirements that constitute GDPR compliance is designed to increase the accountability of those who process personal data. This is done specifically to make the whole process as transparent and trustworthy as possible.

You have to ensure that the policies for personal data usage, consent, rectification, access, deletion are composed according to the regulations.

Also, cooperation with third parties is considered a key risk under GDPR, and as such it must be reassessed and adapted accordingly.

You can read about the requirements in detail in our previous article.

The challenge lies in the fact that the entire GDPR thing is extremely process-driven. While it is designed to improve practices such as decision-making and risk assessment, GDPR also adds another layer to them and thus complicates an already complicated process.


System Audit & Assessment

One of the major challenges of implementing GDPR is the initial audit of the system. It may be an easy task if the company’s data is stored in one place, but that is not always the case. The whole process is conducted through a stack of tools that help to centralize data from different sources and subsequently monitor its use. Basically, it is a separate data management platform dedicated solely to security issues.

There are several key elements to determine during this operation:

  • What data is collected?
  • What are the sources of the data gathering?
  • Where is the data stored?
  • How is it used?
  • Who has access to what data? For how long?

Next, you need to audit the company’s processes in order to see which of them will be affected by GDPR. This will give you a picture of which elements should be changed in order to maintain a steady workflow.

Basically, it boils down to three key elements:

  • How is data encrypted?
  • Is access to data sufficiently restricted?
  • Is data trackable?

Team Compliance and Training

Preparing the team for GDPR might be a tricky thing. While the technical aspect depends on the clarity of the methods, it is way harder to teach people to follow the guidelines, especially ones as tangled as GDPR’s. It takes time and requires patience.

Your team needs to understand what it means, how it works, and how it affects their working process. There must be clarity on the following issues:

  • Data subject (AKA user) rights;
  • What information can be divulged under which circumstances?
  • What kind of activity is permitted and what is not?
  • What constitutes consent?
  • What constitutes non-compliance?

Aside from that, GDPR compliance recommends the appointment of a Data Protection Officer (DPO), whose responsibility is to ensure that the company operates according to the regulations. However, there is a question about the DPO’s place in the company’s organization. The DPO must report to the highest management of the company and must be absolutely independent in their judgment in order to maintain a balanced view of the state of things regarding data privacy.

User Requests

GDPR significantly expands users’ rights over their personal data. One of the primary instruments of user influence over how companies use personal data is the request. Because of the muddled nature of data gathering, there will be a lot of questions from users regarding the processing of their personal information. And it is better to know what to say in such cases (the alternative is paying a fine, which is a little bit counterproductive for business).

The company must be ready to provide information on the following matters:

  • Purposes of the processing;
  • Categories of the gathered data;
  • Involved parties to whom the user’s personal data will be disclosed;
  • The approximate time frame over which personal data will be stored;
  • Compliance with requests for correction, erasure, or restriction of processing of personal data.

Rethinking Budget Planning

Anything regarding money spending is challenging. The coming of GDPR means that there must be a significant rethinking of the budget in order to provide adequate maintenance of the data privacy and security operations.

The problem is that even though an audit can help get the picture, there are still too many unknowns in the equation that can significantly inflate the budget over time.

Basically, the additional spending is aimed primarily at three elements:

  • technology research;
  • its subsequent implementation;
  • human resources to do the job.

Challenges For Users

But companies are not the only ones who are going to be affected by the coming of GDPR. Users are going to get a significant kick from it too. The thing is, GDPR is the latest in a long line of privacy-related EU initiatives. In fact, the European Union has always maintained a “consumer-first” approach regarding privacy.

However, this dedication to privacy and all-round consent can be overwhelming and downright challenging for the users.

Knowing your rights

While knowing your rights may seem like a relatively simple task (wink-wink), it is not exactly like that. In fact, it is a tough thing to do. Take a quick look at Chapter 3 of the GDPR document and read into what constitutes the rights of the Data Subject, AKA the user.

That’s a lot. Whole lotta rights to know. The challenging part is that the user needs to know under which circumstances he can exercise his rights and what the limits of data subject rights are.

Also, it is important to understand the possible consequences of abusing these rights.

Anyway, misunderstanding of these rights will probably lead to many-many ugly situations where users unwittingly give away their information and later try to get some justice, even though it is their own fault.

Giving Consent

Consent is the key concept of GDPR. It means a clear affirmative indication of giving permission to use one’s personal information for further processing. It is absolutely mandatory for every company. They need to ask the user’s permission to use personal information. Otherwise, they will be unable to operate legally under GDPR.

Now think about how many different applications you are currently using. Most of them require some form of personal data processing. They use your e-mail, geolocation, IP address, and so on in order to enable their services. All this goodness needs a clear affirmative indication of consent.

Do you remember the terms of use agreements? Think about how many times you have studied the content of such an agreement before clicking “I agree”. I guess the answer is “not many”. Now imagine all the applications you are currently using sending you notifications requesting consent for processing your personal data. That’s a lot of requests.

Given that there is no chance they will be written in any semblance of Homosapienese language, chances are the common user will click them off without giving it much thought, only to realize later and attempt to backtrack on the decision.

Dealing with data breaches

In many ways, GDPR means the coming of a New World Order in the relationship between users and companies. Since users are in control of their personal data, they are also entitled to be informed about what is happening with it. That, unfortunately, also includes instances when their personal data was breached.

Because informing users of data breaches is mandatory, users need to learn how to react to such situations.

The thing is extremely complicated due to the fact that every instance of a data breach is unique and requires close assessment in order to provide an adequate reaction. Another complication is that every case allows a varying level of user involvement. That is something beyond the user’s or the company’s control and is determined solely by the court.

Benefits of GDPR

If there are so many challenges, are there ANY benefits to this data protection regulation?

In many ways, GDPR is a blessing. It is well-intentioned and rather well-mannered (especially if you compare it with the DPD, which is just sad). There are many benefits to clearly defined rules of engagement for both sides. Its implementation is a chance to improve the vital elements of your company and make it overall a much better functioning entity.

Legal Clarification

GDPR’s biggest achievement is the clarification of the key terms of the user/company relationship regarding personal data use.

A direct result of this clarification is a basic definition of the rights and responsibilities of the involved parties. This gives a proper map of what is permitted and what is banned, which in turn provides a set of tools for reacting in a variety of situations.

Trust

The most obvious benefit of GDPR is trust. By implementing diverse data security practices and appointing a DPO whose job is to keep data privacy intact, companies can significantly increase their trustworthiness in the eyes of users.

Alignment with GDPR will serve as a seal of approval for users that the company whose services they are using will not mess with them in any way.

This, in turn, will increase customer loyalty which will directly result in positive developments of brand recognition.

Better Decision Making

Another direct benefit is the improvement and refinement of decision-making practices. GDPR adds a couple of new factors for consideration that significantly change the perception of the state of things.

To put it simply — the stakes are higher and the possible consequences of the failure to comply are severely uninspiring.

Under the weight of increased responsibility and imposing punishment, GDPR will indirectly lead to a more calculated and cautious approach to decision-making.

Better Risk Assessment

Risk assessment is probably the biggest winner of GDPR adoption. While it is considered to be a part of standard operation, chances are it receives less attention and care than it probably deserves.

GDPR turns the tables in favor of a more thorough and responsible approach to risk assessment, for one simple reason: a slight oversight or an underestimated risk may result in significant monetary and reputational damages for the company.

Security Framework Improvement

GDPR guidelines stress the importance of a well organized, impenetrable, and highly regulated security framework. While this seems to be an obvious and reasonable requirement for any company, the fact that data breaches are common these days states the opposite.

However, GDPR provides clear and realistic guidelines on how to make the security system better and how to maintain it.

A combination of regular system audits, monitoring, and a cautious employee culture is the key to effective improvement.


Technology

Along with the improvement of the practices comes increased alignment with cutting-edge technologies.

Since you never know what kind of unfortunate event can happen to your system, the company will need to constantly evolve its data security stack in order to stay current and prepared for any possible danger.

If anything, that will probably cause the rapid development of new technologies.

What’s next?

GDPR is a game-changing document whose influence is hard to overstate. To put it simply, it will cause seismic shifts across the world, no less. There is no doubt that in the long term GDPR will cause a drastic transformation in the business landscape of not only the European Union but the entire world.

The way it restates the definition of personal information and rearranges the balance of power in the realm of data processing is nothing short of revolutionary. It is challenging in many ways, but as you can see, there are also considerable benefits to GDPR compliance.

* * *


Tackling GDPR Compliance with The App Solutions

With the day GDPR comes into effect getting closer and closer, and the tension of the impending “doom” that it “might be” higher than ever, it seems reasonable for all involved to get ready for it on all fronts possible before it is too late and the fines come in full swing.

Cue numerous think-pieces that describe “what you need to know” or “what you need to know” and more of the same all over again in other words with a sacred anchor “GDPR compliance”.

However, none of those raving and drooling pieces actually tell you anything about the particular approaches companies are using in order to get ready for GDPR implementation.

Because of that, we thought it would be a great idea to share a thing or two about a way of adapting to GDPR that we have figured out for ourselves.

It is not as much bragging as a well-mannered sign of confidence in the face of coming changes.

Previously, we have covered different aspects of GDPR, such as what is GDPR, how GDPR works, and its challenges and benefits. Now it is time to tell our side of the story.

The APP Solutions is the kind of company that favors getting ready beforehand rather than on the fly. Because of that, we have spent a considerable amount of time studying every existing possibility of improving and evolving our data protection and privacy policies.

What We Did for GDPR Compliance

Data Audit

First things first: we needed to know what is coming, from where, and to what extent.

Regarding “what”, our first step was to analyze the sources of incoming data. The main purpose of the operation was to determine which of the elements are coming from the European Union and thus are covered by GDPR.

Regarding “where”, we conducted a general assessment of the services that we were using for personal data management purposes, i.e. gathering, processing, and storing.

In order to get a clearer picture and determine the exact scope and depth of the state of things, we performed a complete and thorough audit of all the personal information our company was storing. We studied its strong and weak points and considered a variety of options for improvement or replacement.

This operation was divided into several steps:

  • Assessment of information stored on third-party services beyond the company’s control (for example, personal Dropbox or Google Drive);
  • Determining the circumstances under which sensitive information was going to third-party services beyond the company’s control;
  • Determining the physical location of data storage;
  • Developing tools for preventing unsanctioned access to personal information. To do that, we defined types of information and, based on those, determined several levels of access for sensitive information.

Risk Assessment

During risk assessment, we determined several risk types of information that require reporting in case of a breach.

We studied possible threats for every industry we are working in. We determined the types of threats, the ways they can affect our products, and the possible consequences of their occurrence.

We also developed a code of conduct and standard operating procedures in cases of data breaches and other dangerous situations.

Privacy Policy and User Rights

Our next step was reviewing and improving our legal documents regarding terms of use of personal data and privacy policies in accordance with GDPR guidelines.

This included expanding User (AKA Data Subject) rights to those defined by GDPR and adapting the documenting procedures for data storage accordingly.

Our primary goal was to redefine and reassert the legal grounds upon which we use certain personal information and to revise the respective documents. In order to do that, we determined several levels of sensitivity for personal information.

Also, we developed guidelines for maintaining User Consent:

  • The statement of consent must be clear and specific;
  • It must be written in plain, easy-to-understand language;
  • All parties involved in operations relying on user consent must be named;
  • The nature of the data and the purpose of its use must be specified.

In order to keep User Consent intact, we run the following procedures:

  • Recording when and how user consent was obtained;
  • Recording the exact agreement;
  • Reviewing User Consent at certain time intervals;
  • Processes for updating user consent at certain time intervals.
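The four consent-maintenance procedures above, as an added example that is not The APP Solutions’ own code: a small in-memory consent ledger that records when and how consent was obtained, keeps the exact agreement text (keyed by its SHA-256 digest), flags consents that are due for review, and handles withdrawal. The yearly review interval, the `ConsentLedger`/`ConsentRecord` names and the sample user and terms are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: consents are re-confirmed yearly; use whatever interval the policy sets.
REVIEW_INTERVAL = timedelta(days=365)


@dataclass
class ConsentRecord:
    subject_id: str                 # the data subject (user) who consented
    purpose: str                    # the specific purpose this consent covers
    method: str                     # how it was obtained, e.g. "signup checkbox"
    obtained_at: datetime           # when it was obtained (UTC)
    agreement_sha256: str           # digest of the exact agreement text shown
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """One record per consent event, plus the verbatim agreement text keyed by digest."""

    def __init__(self) -> None:
        self.records: list[ConsentRecord] = []
        self.agreements: dict[str, str] = {}

    def record_consent(self, subject_id: str, purpose: str, method: str,
                       agreement_text: str, when: datetime) -> ConsentRecord:
        # Keep the exact wording, not just a version label, so it can be produced later.
        digest = hashlib.sha256(agreement_text.encode("utf-8")).hexdigest()
        self.agreements[digest] = agreement_text
        rec = ConsentRecord(subject_id, purpose, method, when, digest)
        self.records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str, when: datetime) -> int:
        """Mark every active consent for this subject and purpose as withdrawn."""
        hits = [r for r in self.records if r.subject_id == subject_id
                and r.purpose == purpose and r.withdrawn_at is None]
        for r in hits:
            r.withdrawn_at = when
        return len(hits)

    def has_valid_consent(self, subject_id: str, purpose: str, now: datetime) -> bool:
        """Valid only if an unwithdrawn record exists that is younger than the interval."""
        return any(r.subject_id == subject_id and r.purpose == purpose
                   and r.withdrawn_at is None and now - r.obtained_at < REVIEW_INTERVAL
                   for r in self.records)

    def due_for_review(self, now: datetime) -> list[ConsentRecord]:
        """Active records older than the interval: these must be re-confirmed, not assumed."""
        return [r for r in self.records
                if r.withdrawn_at is None and now - r.obtained_at >= REVIEW_INTERVAL]


# Constructed sample data, not real users or terms.
T0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
SOON, STALE = T0 + timedelta(days=30), T0 + timedelta(days=400)
TERMS_V1 = "We use your e-mail address to send you the monthly newsletter."
ledger = ConsentLedger()
ledger.record_consent("user-42", "newsletter", "signup checkbox", TERMS_V1, T0)
```

A consent that has aged past the interval is reported by `due_for_review` and stops counting as valid, so processing that relies on it halts until the user re-confirms.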

GDPR Compliance Services for Clients

Regarding our projects, we have defined several types of data protection services that we can provide.

These are divided into two sections — standard and those that can be implemented for an additional fee.

Standard options that are always adhered to (even before GDPR became a popular thing to do):

  • Documenting the process of data storing
  • Tools for age verification (child-oriented)
  • Data encryption
  • General network security

For additional fees, we can also provide the following automated tools:

  • Tools for user consent management with an optimal user-experience flow;
  • Tools for managing user requests for erasure, rectification, or download of personal data;
  • Automation of data gathering and segmentation processes;
  • Data Loss Prevention and backup tools;
  • Hacking attempt monitoring and intrusion detection tools;
  • Data anonymization (complete or partial);
  • Data export at user request;
  • Suspicious activity detection and monitoring;
  • Monitoring of super administrator activity.

In conclusion

This is how we do it. GDPR is not as imposingly scary as it seems. In fact, it is actually beneficial for companies, because GDPR compliance serves as a guarantee that certain rules are maintained. This, in turn, makes companies more trustworthy, which is always good for business.
