Three examples of GDPR compliance

Three examples of GDPR compliance

default avatar
Thought byTassos Koutlas
April 23, 2018
Header for GDPR ebook

In a month, GDPR will be automatically enforced as a law in all EU member states. Though many organizations have yet to kick start a compliance project, any entity that is seriously interested in conducting business in the EU should focus on making ready.

In this review, I’ll share how Google, Audi, and Hotjar embrace best practices in addressing GDPR challenges.

How Google deals with user rights

Google was one of the first entities to experience the change of mindset with regards to personal data in the EU. In the famous 2015 case European Union vs. Google, the initial thinking of “the right to be forgotten” began to take shape. Since the ruling, Google has created the necessary infrastructure to handle and process requests to delete data from the search index.

To comply with the EU’s mandates around personal data, Google is creating a personal privacy center that is available online to all their users. Through that privacy center, users have the ability to exercise their rights: they can see what information is available to Google, amend that information, delete it, or export it.

Google GDPR

Of course, there are still things missing, such as a centralized way to provide consent and the ability to opt-out in a granular way. The centralized setup, however, has several advantages for users, such as: informing them on the available options, allowing them to explore their privacy, and set the privacy experience (PX) that they see fit.

How Audi seeks user consent

Each processing activity of personal data needs to have a clear lawful basis. Most marketing activities rely on user consent, and GDPR introduces some profound changes on managing user consent. Audi recently launched a marketing campaign to inform their audience and request consent for future campaigns.


The campaign feels remarkably fresh and manages to stir away from fear mongering and negatively charged words creating a positive experience which would allude user to offer their consent.

This is an example of how an organization can receive renewed consent from users. Every organization should keep records of what an individual has consented to, including what the organization told them, and when and how they consented. Even after a user opts-in, an organization should continue to review consent as part of their ongoing relationship with individuals. Under GDPR, consent is not a one-off compliance box to tick and file away.

How Hotjar complies as a data processor

By the laws of GDPR, when an organization uses a data processor, there must be a written contract involved so that both parties understand their responsibilities and liabilities. GDPR sets out what needs to be included in the contract, which includes:

  1. Organizations are liable with their processor’s compliance with the GDPR
  2. Organizations must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met
  3. There must also be guarantees that rights of data subjects  will be protected.

In the future, using a processor that adheres to an approved code of conduct or certification scheme may help organizations satisfy this requirement – though again, no such schemes are currently available. Processors must only act on your documented instructions. They will, however, have some direct responsibilities under the GDPR and may be subject to sanctions if they don’t comply.

For an example of how a data processor might prove to organizations that it complies with GDPR, look no further than Hotjar.

Screenshot of Hotjar's data processing statement

Hotjar, a company that allows you to see heatmaps and recordings of user activities in your website has been working hard with GDPR early on. They are offering an update on their terms and conditions as well as legal documentation required for their clients.

In conclusion

The May deadline is approaching fast, and many businesses may struggle to comply with GDPR. However, even if you aren’t working to comply with GDPR yet, it’s not too late to ensure that privacy and the privacy experience is painless for your users. Contact us to learn how we can help you create positive and helpful privacy experiences for your customers, and to learn how complying with GDPR will provide you with more opportunities to succeed and deliver your marketing message.