Twilio Segment and the GDPR

In less than six months, your business will face the greatest regulatory change in data privacy policy in the last 20 years: the EU General Data Protection Regulation (GDPR). The European Union will begin enforcing the GDPR starting on May 25, 2018 in an effort to strengthen the security and protection of the personal data of EU residents. 

In keeping with our ongoing commitment to privacy and security, Segment will be ready for the GDPR before May 25, 2018, when the law goes into effect. But that’s not all. As the central record for your user data, we are also committed to making it easier for you to comply with the GDPR.

Respect for our customers, and the end users they seek to understand, has always been central to Segment’s values. We recognize that protecting privacy requires a holistic security program. Whether it’s encrypting data or securing data in transit and at rest, we want you to have confidence in how your user data is being collected, transported, and stored. Preparing for the GDPR is just one of the ways we’ll be supporting our customers with secure data management.

Specifically, here is how we’ll support our customers with GDPR readiness:

• An updated Data Processing Agreement (DPA) that reflects the requirements of the GDPR and ensures compliant data transfer with storage outside the EU.

• New product capabilities to help you be compliant when users request you delete or suppress their data.

Our commitments as a data controller and processor 

The GDPR has different requirements depending on how your business interacts with personally identifiable user data.

Data controllers are companies that supply goods or services to EU residents, or that track or monitor EU residents and decide why and how data is collected and processed. As one of our customers, you are likely a data controller under the GDPR. One of your requirements as a data controller is to only work with compliant data processors.

Data processors are vendors or businesses that process data on behalf of data controllers. As a customer data platform, Segment is considered a data processor. We will be ready for the GDPR as both a data controller and when acting as a data processor on your behalf. 

Here are initiatives Segment is committed to as one of your data processors:

• Updated Data Processing Agreement: Our previous Data Processing Agreement (DPA) conveyed our commitment to protecting customer data. Our updated DPA reflects the additional requirements of the GDPR.

• Secure data transfer and storage outside the EU: Transfers of personal data outside the European Economic Area (EEA) are permitted as long as certain safeguards apply. Our customer DPA contains the EU Model Clauses, which are industry standard for data safety. This means that Segment agrees to protect any data originating from the EEA in line with European data protection standards. 

• Technical and organizational security measures: Segment takes a holistic, risk-based approach to security. This means the platform secures your data in transit and at rest, restricts and secures data access, and provides continuous incident monitoring.

• Processing according to controller instructions: As has always been the case, we only process personal data according to instructions from the controller (our customers). 

• Prompt breach notifications: In line with our current policies, Segment will promptly inform you of any incidents involving your users’ personal data. 

Helping you achieve compliance

If you collect data about EU residents, you are likely considered a data controller under the GDPR. One of the biggest challenges you will face as a controller will be managing individuals’ requests to exercise their rights as defined by the Regulation. 

Upcoming Product Capabilities

To help you comply with user requests related to the right to erasure (the right to be forgotten), the right to object (the various rights to halt certain processing), and the right to restrict processing (the right to restriction), we are developing new capabilities that will be available to all Segment customers in early 2018:

• Support for deletion requests: We are making it easy for you to honor requests related to the right to be forgotten by adding a new, secure endpoint to our existing HTTP API: /delete. Issuing a /delete call for a given userId via this endpoint will ensure all personal data related to that userId is deleted from Segment's archives and your connected warehouses. 

• Automatic suppression: To help you comply with requests related to the right to object or restrict, any userId associated with a /delete call will automatically be placed on a suppression list. For any userId on the suppression list, we will block all incoming personal data pertaining to that userId from being tracked by Segment and sent to connected Destinations.

Existing Product Capabilities

With regards to the additional rights defined in the GDPR, including the rights to access, data portability, and rectification, Segment already enables you to be compliant: 

• Honor the rights to access and portability: Under the GDPR, EU residents have a right to access their personal data and are entitled to obtain their personal data in a commonly used format, such as a CSV file. Segment’s raw data integrations and warehouses enable you to build a complete picture of all data you’ve ever sent to Segment about a given end user to then share with them in a structured format. 

• Rectify user data: The GDPR also empowers individuals to correct any personal data that is deemed inaccurate or incomplete. When you fire an identify call, Segment will create or update a user and their traits in our platform and in downstream tools. As such, rectification of data in a given profile inside of Segment and in downstream Destinations is a simple identify call away. You can use a tool like Postman to send an updated identify call for any userId.

What’s next

As a company, we believe the new legal requirements will raise the bar for honoring end users’ rights, and we welcome the legislation. Not only will the GDPR make it easy for end users to exercise their rights, but we also predict the Regulation will diminish data controllers’ reliance on third-party data sources for marketing and acquisition, as these data sources are often obtained and processed with questionable user consent. Instead, we expect that the GDPR will help businesses transition to activating first-party data in order to successfully provide a delightful user experience.

For the latest updates and for more information on the GDPR, check out our Preparing for the GDPR guide. If you have any questions about the GDPR or want to learn how Segment can help you be compliant, please let us know.