Amigo and GDPR

3rd Nov 2017

What is GDPR?

The General Data Protection Regulation (GDPR) is a European legal framework that protects the rights of individuals “with regard to the processing of personal data.” It also ensures the free movement of personal data within the European Union.

The GDPR applies in the United Kingdom as of 25 May 2018. It has a global effect because it centres not on regulating EU businesses or other organisations but on protecting the rights of EU individuals. This means that anyone processing the data of people within the EU, or moving personal data in, out, and around the EU, can be liable under the GDPR.

What is the point of GDPR?

The European Union is committed to ensuring certain fundamental rights and freedoms of individuals. One of these is the right to the protection of personal data. The GDPR also protects individuals from having their personal data used to their unfair detriment, particularly in cases of automated decision-making or where the individual might not be aware of how their personal information is being used.

As Recital 6 of the regulation itself states:

“Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities.”

How does Amigo comply with GDPR?

Amigo’s contracts and practices have been reviewed by our lawyers to ensure compliance with the GDPR. If you are a client, prospective client, or any other reasonably interested party, we are of course happy to furnish you with more specific information addressing your particular concerns. The paragraphs below explain how Amigo’s data infrastructure has been built on many of the same principles as those exhibited by the GDPR.

We have always taken the position that the processing of personal data by any organisation should always have a specific, transparent and legitimate purpose, and that the processing should always be limited to only what is necessary for this purpose. We have therefore built data minimisation, pseudonymisation, transparency, and security into our system from the start.


We do not see the conflict between good marketing and good data protection regulation that many seem to assume. In our experience, most marketers have access to more personal data than they know what to do with. Our Managing Director, Frederic Kalinke, has written before about the fallacy that simply accruing more data improves marketing.

For data to be useful for marketing it has to be collected and analysed for a specific purpose, rather than for its own sake. The Amigo model of working is to iterate through discrete experiments, rather than to attempt to accrue “big data.” That all our data exists for a specified and transparent purpose strengthens our clients’ cases that their marketing efforts constitute the pursuit of a “legitimate interest.” Marketers should not forget that Recital 47 of the GDPR states that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”


Pseudonymisation is an important corollary to our data minimisation. This means that while on occasion the nature of an Amigo experiment requires us to process identifying data such as names, our default position is to avoid collecting this data and to use pseudonyms wherever possible.

Amigo tokens, for example, allow marketers to run targeting and personalisation without creating large data files that can easily be attributed to a person. Marketers can find out about their customers’ preferences and process that data in a safe way when the data is assigned to a pseudonym, such as a random six-digit alphanumeric string.


Amigo practices absolute data transparency with our clients. Any data we process on your behalf remains your data. We provide you with access to all of it, in weekly reports and also whenever you require, in a range of the most widely-used formats. We will only process your data in the ways explicitly required for each experiment you run with us.


We treat data security as of paramount importance. In our view, Cory Doctorow was broadly correct when he wrote, in 2008, that we need to handle personal data like we are handling toxic waste. If it gets out, it is incredibly dangerous and almost impossible to get back.

We use encryption and limited permissions by default. For example, when transferring back to you any of the data that we collect on your behalf, we use encrypted cloud storage (provided by Amazon Web Services) with two-factor authentication.

This is not a legal document or official policy, but an explanation of why Amigo supports the principles of the GDPR and, consequently, how we are aligned with much of the regulation by default. Continue reading our blog for more information on exactly what we do with data.
