This website works best with JavaScript enabled. Learn how to enable JavaScript.

VWO and the GDPR

What Is the GDPR?

The General Data Protection Regulation (GDPR) is one of the biggest legislative changes made since 1975. To be effective from May 25, 2018, the primary goal of these changes is protection of personal data and rights of EU residents.

Our Commitment toward GDPR

We are fully committed to upholding the privacy and rights of our customers and their customers. The essence of the GDPR is in direct alignment with our core values of customer trust and data privacy. With that in mind, we are actively working toward defining our roadmap for GDPR to overhaul our systems and processes in accordance with the standards. We are committed to achieving GDPR compliance well before the May 25, 2018 deadline.

How Are We Preparing for GDPR?

Over the last couple of months, we have made steady progress toward understanding and analyzing how GDPR will impact our customers. This was made possible with the help of a focused group comprising experts on Corporate Security and Compliance and members from our senior leadership. Here’s a glimpse of our analysis and the steps we are taking to ensure compliance:

Establishing the Governance Structure

  1. Start the GDPR compliance initiative with a dedicated focus group. - Completed
  2. Create a comprehensive Privacy Management Framework that incorporates 130+ best practices and organizational measures, divided into 13 data privacy management categories. - Completed
  3. Appoint a Data Protection Officer/Official (DPO) in an independent role. - In Progress
  4. Conduct an assessment on product and business impact. - In Progress
  5. Initiate the internal Privacy and Security Awareness program. - In Progress
  6. Conduct Data Protection Impact Assessment (DPIA) (Internal). - Completed
  7. Conduct Data Protection Impact Assessment (External). - In Progress

Implementing Policies and Procedures

  1. Data Protection Policy - Completed
  2. Change Privacy Policy - Completed, to be published soon
  3. Information Security and Governance Policy - In Progress
  4. Data Breach and Incident Response Plan - In Progress
  5. Risk management framework to assess and manage threats across the organization and real-time personal data - Planned
  6. Embedding of personal data protection requirements within contracts and agreements with third-party service providers - Planned

Embedding and Implementing Data Privacy into Operations

  1. Prepare a detailed inventory of data and data-flows within our systems - Completed
  2. Establish procedures and policies to restrict processing of personal data - In Progress
  3. Set up mechanisms to automatically track flow of all data within and outside our systems - Planned

Existing Product Features Geared toward GDPR Compliance

We take utmost care to ensure that our customer data is secure and easily accessible. While we are constantly working toward enhancing our security parameters under the GDPR guidelines, VWO includes the following out-of-the-box capabilities geared toward protecting personal data and privacy:

  • Anonymize IP address: By default, VWO never captures the full IP address of any visitor on your website. We anonymize the IP addresses completely. Read more.
  • Anonymize key presses in a recording: VWO session recordings by default anonymizes keystrokes on any input field. It means that the data entered by your website visitors never trickles down to our servers and the recorded playback can never be used to decipher the inputs. Read more.
  • Anonymize sensitive content in recordings: In addition to anonymizing input fields, VWO also provides an additional capability to mask any sensitive content from being captured and stored in our databases. Read more.

As we evaluate further changes that we need to incorporate into our product, we will also be improving the above capabilities to provide easier and more flexible ways of anonymizing the content collected by VWO and to help our customers become GDPR-compliant. We will be updating this page early next year with a roadmap of our changes and how you can leverage these to become GDPR-compliant.


When is the GDPR coming into effect?

The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation will take effect after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by the government; meaning it will be effective from May 25, 2018.

Whom does the GDPR affect?

The GDPR applies not only to organizations located within the EU but also to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the location of the companies.

What is the difference between a data processor and a data controller?

A controller is an entity that determines the purposes, conditions, and means of the processing of personal data, while a processor is an entity that processes personal data on behalf of the controller.

Where can I know more about the GDPR?

You can refer to the following links for more information on the GDPR and how you can prepare for it.

Last updated: Dec 21, 2017

Contact Us / Login

Resources Home