GDPR, Webgains and You – 14/03/18 


As you will very likely have seen by now, the General Data Protection Regulation (GDPR) will come into effect across Europe on May 25th.

This wide-ranging piece of legislation has one particular focus, to place control of personal data into the owner of the data, the user themselves. It will bring a stop to actions online where data is captured through invisible means, through less-than-obvious consents, through implied methods or anything else that the user may possibly be unclear about.

At Webgains, we take data management incredibly seriously, and have posted previously on GDPR, and our views, which you can read through here.

We are also co-signatory to a collective statement from the UK performance marketing industry, which you can also read here.

In summary however, we are ready, willing and able to handle the challenges of being GDPR-ready. In the following statement we’ll show how we are supporting clients, partners and users in continuing to operate safely and securely beyond May 25th.

Where Webgains stands 

     1. Data Handling 

Webgains operates a clear and uncluttered relationship structure with both Publishers and Advertisers. We handle data in a discrete and secure fashion, and collect very little personally identifiable data in the process. To ensure we maintain a clear way of working, and keep the user data in the hands of our clients, we are operating now and under GDPR as a Data Processor, on behalf of advertisers.

As a Data Processor we will guarantee to handle data only as directed and agreed in our contracted terms. We will not use data in any other way within Webgains, and we will not share data with any parties that are not made wholly clear in our sub-processor list. Our sub-processors will have the same contractual obligations to handle data in a single process, contractually stipulated by us.

We also have, as Data Processor, a responsibility to reliably secure our data storage and processing technologies, with a rigorous IT security protocol. As illustrated by our recent ISO 27001 Certification, this is something Webgains takes very seriously, and are constantly working on to outperform our obligations.

     2. Legal Basis 

We will work with our Advertisers, who in the eyes of GDPR are the ‘Data Controller’ for the data related to purchases in their own stores. This will ensure that any data Webgains handles is tracked and ‘Processed’ in line with GDPR, using both the Advertiser’s own GDPR compliant consent mechanisms and also the Publisher’s normal contractual terms of business (with appropriate GDPR reference clauses)

As Data Processor, Webgains establishes and maintains a legal relationship with the Data Controllers only, and not the end user directly. So, the legal basis for processing any data is secured via the Advertiser & Network relationships we have, which will be mandated via an updated Data Processing Agreement in line with the new Regulation.

What this means for Publishers and Advertisers

For Webgains’ Publisher partners there will be an update to our contract Terms and Conditions. This will stipulate Webgains’ role as a Data Processor and will need to be signed by May 25th to ensure continuous service on our network.

That’s it. There will be no additional technical integrations, boxes, pages, consents, APIs or anything else for any Webgains Publisher partner to put in place.

Webgains will manage all of its tracking through the existing Advertiser consent workflows. This means no extra interruptions or complications to the user journey. No Publisher will have data compromised or shared in any way.

Note: It may be that, as a publisher, you plan to track users to your site using your own performance cookies. This means that you’ll need your visitor’s consent to do so, even though Webgains will not. Guidance on this can be found at: ICO GDPR Guidance link here

For Advertisers, there will be an updated data processing agreement along with the Terms and Conditions update, to also be signed by or soon after the end of May 2018.

As a Data Processor it’s important to clarify our relationship with our Advertisers as the Data Controller. We will only process data on your behalf, as the controller of your customer’s data, and the DPA will reflect that.

We will also be in contact, well beforehand, to explain how we will update our tracking, which involves minimal impact for you, and zero impact on your customers. Users will see no extra requirements at all, and you will continue to legally track users and sales as the Data Controller.

What happens next? 

We will share further communications over the coming weeks, on both technical and legal compliance, and how we’ll manage that for you. 

For both our Publisher and Advertiser partners we will have a straightforward signing process on the Webgains platform, to ensure everyone sees, is able to understand and update their DPA quickly and easily. 

Our Advertiser clients will be contacted with clear guidance on how to continue working with us, in a simple and, most importantly, GDPR-compliant way. This will include both the technical side, and an updated DPA, recognising Webgains as Data Processor, and themselves as the Data Controller. 


The GDPR is a great opportunity to demonstrate how secure and future-thinking a business can be. Webgains is a business that loves working with its clients and partners and, more than anything, we know that user confidence is the key to generating and growing business. We do this now and are already set to go through GDPR and make a huge success in the years to come. 

Feel free to contact us here with any questions at all, but we will be in touch further will all Publishers, Advertisers and Technology partners to make sure we all move on together.


We’ve collected together some key pieces of information you may find useful, when considering how GDPR will affect you. 

Webgains blog post 

ICO Definition of Consent

The GDPR Article 28 – Processor

IAB Guidance on Consent

ICO 12 Steps for GDPR Readiness