This website works best with JavaScript enabled. Learn how to enable JavaScript.

VWO and the GDPR

What Is the GDPR?

The General Data Protection Regulation (GDPR) is one of the biggest legislative changes made since 1975. To be effective from May 25, 2018, the primary goal of these changes is protection of personal data and rights of EU residents.

Data Privacy and Information Security Certifications

We have been certified for the following certification to ensure GDPR preparedness:

  1. BS 10012:2017 Personal Information Management System [PIMS] & GDPR Regulation Compliance: BS 10012 helps organizations in managing risks to the privacy of personal data and implementing necessary policies, procedures, and controls to help ensure compliance with data protection legislation. The BS 10012 standard is aligned with the principles and data subject rights at the core of GDPR.
  2. ISO 27001:2013 Information security management systems [ISMS]: ISMS ensures a systematic approach to managing sensitive company information so that it remains secure. ISMS includes people, processes, and IT systems by applying a risk management process.

VWO Embraces GDPR

VWO has put in place processes and procedures to comply with the various provisions of GDPR—data subject rights, GDPR core principles, data protection addendum, data deletion, data retention, and pseudonymisation, which align with our core values of customer trust and data privacy.

What steps did VWO take to become GDPR-compliant?

Over the last one year, we have covered a lot of ground toward understanding and analyzing how GDPR will impact our customers and making appropriate changes to our product and processes. This was made possible with the help of a focused group comprising experts on Corporate Security and Compliance and members from our senior leadership. Below is a glimpse of our analysis and the steps we took to ensure we are compliant well in time:

Establishing the Governance Structure

  1. Start the GDPR compliance initiative with a dedicated focus group. - Completed
  2. Create a comprehensive Privacy Management Framework that incorporates 130+ best practices and organizational measures, divided into 13 data privacy management categories. - Completed
  3. Appoint a Data Protection Officer/Official (DPO) in an independent role. - Completed
  4. Conduct an assessment on product and business impact. - Completed
  5. Initiate the internal Privacy and Security Awareness program. - Completed
  6. Conduct Data Protection Impact Assessment (DPIA) (Internal). - Completed
  7. Conduct Data Protection Impact Assessment (External). - Completed

Implementing Policies and Procedures

  1. Change Data Protection Policy - Completed
  2. Change Privacy Policy - Completed, available here
  3. Change Terms and Conditions - Completed, available here
  4. Change Data Protection and Information Security Policy - Completed, to be published soon
  5. Devise Data Breach and Incident Response Plan. - Completed
  6. Risk management framework to assess and manage threats across the organization and real-time personal data - Completed
  7. Develop a risk management framework to assess and manage threats across the organization and real-time personal data. - Completed
  8. Embed personal data protection requirements within contracts and agreements with third-party service providers. - Completed
  9. Create customer-facing Data Protection Addendum (DPA). - Completed, available here
  10. Create vendor-facing Data Protection Addendum (DPA). - Completed, to be published soon

Embedding and Implementing Data Privacy into Operations

  1. Prepare a detailed inventory of data and data-flows within our systems - Completed
  2. Establish procedures and policies to restrict processing of personal data - Completed
  3. Set up mechanisms to automatically track flow of all data within and outside our systems - In progress

How VWO is Helping Businesses Become GDPR-Compliant

At VWO, we take utmost care to ensure that our customer data is secure and easily accessible. While we are constantly working hard to ensure that our internal data practices are GDPR-compliant, an equally important part for us is to assist our customers and partners in their journey toward compliance. With that in mind, we have introduced the following updates to the VWO platform:

VWO FeaturesHow it Works
Storing and managing personal data for visitorsVisitor Recordings By default, VWO anonymizes all key presses to avoid storing or transmitting any personal or sensitive data on VWO servers. We've added new features to anonymize the following:
- Hide all text in the html body.
- Whitelist using CSS selector path: This option can be used to specifically anonymize or whitelist a input/non-input field or text labels.
- Anonymize a specific element by using the nls_protected class. Read More
Custom Dimensions We have updated the process of creating custom dimensions in VWO to include the following new features:
- VWO will filter all incoming data for a custom dimension for personal properties like email address, credit card number, and others.
- Users now have the flexibility to encrypt all incoming data and also delete all the collected data for a custom dimension. Read More
Location Information Customers now can customize what location information of visitors is stored or completely disable storing any location information. Read More IP Address - By default, VWO replaces the last octet of IP Address with 0 before saving it. Customers can now customize this setting and disable storing the IP address. Read More
Collecting ConsentOn-page Surveys We have added the option to display a consent message at the beginning of each survey. The message can also include links to policies and other information. Read More
Browser Privacy Settings Customers can configure their privacy settings in the VWO app to stop recording any information of the website visitors who have “Do Not Track” settings enabled on their browsers. Read More
Data Subject RightsSecurity Settings Customers can request data for their website or mobile app visitors through a visitor's UUID. A link will be generated by VWO that will collect all the data for a specific UUID or potential personal data such as URLs and visitor recordings for a defined time period. Read More
Security Settings Customers can request deletion of data for their website or mobile app visitors through their visitor's UUID. Read More


When is the GDPR coming into effect?

The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation will take effect after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by the government; meaning it will be effective from May 25, 2018.

Whom does the GDPR affect?

The GDPR applies not only to organizations located within the EU but also to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the location of the companies.

What is the difference between a data processor and a data controller?

A controller is an entity that determines the purposes, conditions, and means of the processing of personal data, while a processor is an entity that processes personal data on behalf of the controller.

Where can I know more about the GDPR?

You can refer to the following links for more information on the GDPR and how you can prepare for it.

Last updated: May 25, 2018

Request a demo

Contact Us / Login