For Acquia’s General Data Protection Regulation (GDPR) resources, see Acquia & GDPR Compliance. The following article supplements but does not supersede the information provided therein.

GDPR Requirements: How Customer Data Platform (CDP) meets the GDPR

Prior to the enforcement of GDPR, most GDPR requirements were already fulfilled by existing best practices:

  • Lawfulness of Processing - since CDP is a data processor, the controller (CDP’s client) is in charge of obtaining a lawful reason to process personal data and maintaining that relationship with the end user. CDP assumes that all personal data it receives has a lawful reason for processing. Data that does not have a lawful reason for processing should not be sent to CDP.
  • Security - CDP is already a secure system by design and default, as certified by our SOC2 Type II compliance.
  • Data Access - CDP already allows our clients to access an end user’s personal data through the 360 API and UI. CDP clients can leverage CDP’s 360 API or UI to share relevant personal data with the end user.
  • Data Rectification - CDP is committed to keeping customer data accurate and up to date as part of our normal data processing pipeline.

You can complete data erasure requests through the CDP user interface. For more information, see Data Erasure Requests. For any additional queries on data erasure requests, contact Support. For queries on GDPR, contact

How CDP can help you find data relevant to the GDPR

Personal data is regulated by the GDPR in three general cases:

  • Businesses, or data processing, that reside in the EU
  • End users that reside in the EU
  • Behavior performed in the EU, regardless of where the end user resides

Since CDP aggregates data across all of our client’s source systems, CDP can be an extremely helpful tool for determining which individuals the client deems relevant under conditions #2 and #3 above. Whether through Actions & 360, Template Reports, or Interactive Queries, CDP can be easily leveraged to determine which natural persons and events are relevant to our client’s enforcement of the GDPR, and in which source systems this data resides.

Contact your CDP Customer Success Manager (CSM) for assistance on how to identify this data. Specifically, you may want your CSM to help by:

  • Providing all the customer metrics you need to proactively define criteria for identifying, on a periodic basis, customers who are no longer necessary.
  • Drafting a template report or interactive query to periodically retrieve the natural persons whose data is no longer necessary for your business interests.

Reasons for requesting Personal Data Erasure

Generally, there are two main reasons why lawful processing of an end user’s personal data may lapse:

  • An individual requests erasure - EU natural persons maintain the right to be forgotten and can therefore withdraw their consent for CDP’s clients to continue to store and process their data. If an end user opts out of CDP’s client storing and processing their personal data, and the client has no other lawful reason for processing (e.g. an ongoing contract with the customer), CDP’s client should inform CDP to purge or anonymize all of this individual’s personal data. Generally, these requests are expected to be low volume.
  • The CDP client determines that an end user’s personal data is no longer necessary for legitimate interests pursued by the client or third parties - the GDPR text states that businesses should store data no longer than is necessary, but the GDPR also leaves it up to the data controller to decide whether the data fulfills purposes of legitimate interests pursued by the controller. CDP’s clients may decide that some customers are no longer necessary. Contact your CSM to work on a template report or interactive query that can be leveraged to identify data that is no longer necessary.