GDPR and your business.

GDPR is a great opportunity to further focus on customer experience.

The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018. We believe this presents a new opportunity for companies to strengthen their brand loyalty by focusing on consumer privacy while delivering amazing experiences. Think of it as experiential privacy — having privacy be a key part of the customer experience, through relevant privacy notices presented in context and choices that are on brand.

Alisa Bergman, Chief Privacy Officer, Adobe


“Adobe is leading the charge in helping brands transform into experience businesses, and GDPR presents the perfect opportunity for companies to lean in to customer centricity, build trust through transparency, and improve the customer experience with privacy in mind.”


Alisa Bergman

Chief privacy officer, Adobe


What is GDPR and how does it affect your business?


GDPR is the European Union’s new privacy law that harmonizes and modernizes data protection requirements. While there are many new or enhanced requirements, the core underlying principles remain the same. The new rules have a broad definition of personal data and a wide reach, affecting any company that collects personal information of individuals in the EU. As your trusted data processor, we’re committed to compliance and to helping you on your GDPR compliance journey.

What is Adobe doing toward GDPR readiness?

Adobe either already meets or is implementing our obligations as a data processor. We have a strong foundation of certified security and privacy controls by design and will continue to make product enhancements. Enterprise customers will have the responsibility to implement these enhancements, as well as update any necessary policies and procedures.

A strong foundation of security and privacy compliance

A strong foundation of security and privacy compliance

We’ve implemented a set of certified security processes and controls to help protect the data entrusted to us through the Adobe Common Controls Framework. This helps us comply with several security and privacy certifications, standards, and regulations, including SOC-2, ISO 27001, and the EU-U.S. Privacy Shield.

Privacy by design

Privacy by design

Our mission is to help you responsibly unlock the power of data. Adobe has a long-standing practice of incorporating a proactive product development effort, also known as “privacy by design.”  For example, many of our services have the ability to obfuscate IP addresses and allow individual-level opt-outs. 

Data transfer

Data transfer

We’ve certified to the EU-U.S. and Swiss-U.S. Privacy Shield frameworks for customer-related data. This provides our customers with the option of relying on these frameworks or entering into Standard Contractual Clauses (also known as EU Model Clauses) for the transfer of data from the EU to the U.S. You can find more information on this in our Privacy Center, along with information on how to request Standard Contractual Clauses.

Contract terms

Contract terms

We’ve updated Adobe’s Data Processing Agreement to account for GDPR requirements.

Records of processing

Records of processing

We’re working to more formally document the privacy practices we have in place to comply with the enhanced record-keeping requirements.

Data protection officer

Data protection team

We currently have a chief privacy officer, a data protection officer for our EU corporate office in Ireland, and a dedicated privacy team, and will continue to evaluate whether we need to take any additional steps in light of the new requirements.

Product & process innovation

Product and process innovation

We are constantly listening to our customers and looking for ways to simplify and further automate our product and service offerings to better support their GDPR needs.

GDPR readiness: A shared responsibility.

GDPR is a shared compliance journey between brands and technology providers. The example below from Adobe Experience Cloud sets out the roles for brands (“data controllers”) and technology providers (“data processors”) and shows where the processor may need to help or partner with the controller either through tools, processes, or documentation.

GDPR workflow
GDPR workflow
Your customers’ rights as data subjects.


Your customers’ rights as data subjects.

A key part of GDPR is letting individuals choose what happens to their personal data. Individuals can ask companies to:

• Access and correct errors
• Delete personal data
• Object to its processing
• Export it

Your role as a data controller.

As the data controller, you will determine the personal data we process and store on your behalf. If you use Adobe cloud solutions, we may process personal data for you depending on the products and solutions you use and the information you choose to send to your Adobe account or service. As a controller, you will provide privacy notices to individuals who engage with your brands detailing how you collect and use information, and obtain consents, if needed. If those individuals want to know what data you maintain about them or decide they want to discontinue their relationship with you, you will respond to those requests.

Your role as a data controller.
Our role as a data processor.


Our role as a data processor.

When we provide software and services to an enterprise, we’re acting as a data processor for the personal data you ask us to process and store as part of providing the services to you. As a data processor, we will only process personal data in accordance with your company’s permission and instructions — for example, as set out in your agreement with us. Where your data is in one of Adobe’s cloud solutions and you need our assistance with any individual consumer requests, we will partner with you through processes, products, services, and tools to help you respond.  

It’s time for an assessment.

GDPR puts increased emphasis on data collection best practices, data controller transparency, and consumer choice — all of which play a meaningful role in the customer experience. With an eye toward improving customer experience, you may want to think about how the following GDPR principles affect your business efforts.


Reduce unnecessary data collection
Take stock of the data you’re collecting. Gather only the data you need to be effective.

Obtain appropriate consent
When will consent be required and what form will it take? How will you provide delightful customer experiences with consent and without unwanted surprises? Consider the value proposition for consumer privacy, which can help drive conversion and loyalty.

Provide the required notice for data collection
Review and update your current privacy notices, policies, and any information provided at data collection points.

Remove unique identifiers
Consider when to make some data anonymous or pseudonymous (by replacing obviously personal details with another unique identifier, typically generated through hashing, encryption, or tokens) to help minimize compliance obligations and the risk of data and privacy breaches and claims.

Fulfill data access and deletion requests
Understand how your customer will reach out to you to make data access or deletion requests. Know how to define internal data retention and deletion policies and procedures.

Get started.

Here are five steps you can take to help prepare for GDPR readiness.


Inventory your digital properties

Inventory your digital properties, including mobile apps and websites, to assess which cookies, tags, or other data are necessary.


Map your customer journey

Map your customer journey and tell your privacy story through meaningful notices and choices.


Develop a consent management

Develop a consent management strategy with an eye toward customer experience.


Authenticate user identity

Think about how you will authenticate user identity to address data subject access requests.


Capitalize on existing processes

Identify or capitalize on existing processes to help respond to data subject access requests, including appointing a privacy point of contact.


Take the long view on privacy.

Think and design today with tomorrow’s privacy in mind. With the new European law now in effect, GDPR-inspired privacy regulations are cascading into other regions and countries as well. Putting in the work necessary to comply with GDPR will position you well for future privacy compliance efforts in Asia and other parts of the world.

Make experience your business.


Adobe’s cloud technologies give you access to an integrated set of solutions to create content and documents, build campaigns, manage your advertising, and gain deep intelligence about your business. We also give you the tools to become GDPR ready.

Adobe Advertising Cloud

Learn more ›

Adobe Analytics

Learn more ›

Adobe Audience Manager

Learn more ›

Adobe Campaign

Learn more ›

Adobe Document Cloud

Learn more ›

Magento Commerce Cloud

Learn more ›