When enforcement of the General Data Protection Regulation (GDPR) begins next month, EU residents will be able to exercise a number of rights that give them more control over their personal data. They can request access to their data, object to the processing of their data, or even ask for their personal data to be deleted altogether. 

If your customers request that you delete their personal data, you have 30 days to comply. That’s 30 days to determine what data you have collected about them, where that data is stored, and which vendors are processing the data. Once you’ve identified these locations, you then have to actually delete the customer’s data from your own systems and ensure your data processors delete that customer’s data from their systems too. And that’s just one request, for one customer, for one right. We want to make this easier for you.

To help you operationalize this aspect of GDPR compliance, we’re launching a new API and end-user privacy tools to fulfill and manage requests. 

Here’s what you can do with our new end-user privacy features:

  • Issue deletion requests to delete a specified user’s data from Segment

  • Forward user deletion requests to supported Destinations, including Amplitude, Braze (formerly Appboy), Intercom, and Iterable

  • Suppress data collection for specific users

  • Monitor deletion and suppression status from a user interface

These new features are available to all customers.

Manage user deletion across Segment and supported Destinations

You can now issue deletion requests from a simple interface in the Segment app or use our API to programmatically delete a specified user’s data from Segment. Issuing a user deletion request will delete that user’s data from all of Segment’s internal archives and environments within 30 days. 

mutation {
  createWorkspaceRegulation(
    workspaceSlug: "<workspace-slug>"
    type: SUPPRESS_AND_DELETE
    userId: "<user-id>"
  ) {
    id
  }
}
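When deletion requests are issued in bulk, the user IDs come from customer input and should not be pasted into the mutation text unescaped. The following is an added example, not Segment's code: the helper names, the `{"query": ...}` request body and the rule that duplicates keep the earliest date are assumptions, and nothing is sent over the network.

```python
import json
from datetime import date, timedelta

REGULATION_TYPE = "SUPPRESS_AND_DELETE"  # the only type value shown in the article
DEADLINE_DAYS = 30                       # response window stated in the article


def gql_string(value):
    """Encode an identifier as a GraphQL string literal.

    JSON's escapes for quotes, backslashes and control characters are also
    valid GraphQL string escapes, so json.dumps output is safe to embed.
    """
    if not isinstance(value, str) or not value.strip():
        raise ValueError("identifier must be a non-empty string")
    return json.dumps(value, ensure_ascii=False)


def build_mutation(workspace_slug, user_id):
    """Render the article's mutation with both identifiers escaped."""
    return (
        "mutation {\n"
        "  createWorkspaceRegulation(\n"
        f"    workspaceSlug: {gql_string(workspace_slug)}\n"
        f"    type: {REGULATION_TYPE}\n"
        f"    userId: {gql_string(user_id)}\n"
        "  ) {\n    id\n  }\n}"
    )


def plan_deletions(workspace_slug, requests):
    """Turn (user_id, received_date) pairs into request bodies plus audit rows.

    Assumption: duplicate user IDs collapse to the earliest received date,
    treating the first request as the start of the 30-day window.
    """
    earliest = {}
    for user_id, received in requests:
        if user_id not in earliest or received < earliest[user_id]:
            earliest[user_id] = received
    plan = []
    for user_id, received in sorted(earliest.items(), key=lambda kv: kv[1]):
        plan.append({
            "user_id": user_id,
            "received": received.isoformat(),
            "due": (received + timedelta(days=DEADLINE_DAYS)).isoformat(),
            # {"query": ...} is the usual GraphQL-over-HTTP body (assumed here).
            "body": json.dumps({"query": build_mutation(workspace_slug, user_id)}),
        })
    return plan
```

The `received` and `due` fields give you your own record of each request alongside the status shown in the app.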

To be compliant, you’ll need to make sure the data is deleted from wherever it is stored or processed. While it is your responsibility as a data controller to work with all of your data processors (including Destination partners on the Segment platform), we’re simplifying this process for you. Here’s how:

  • Delete user data directly from Segment: Issue a deletion request to delete a specified user’s data from wherever it is stored by Segment, including our internal archives and staging environments.

  • Delete user data from supported raw data Destinations: Issuing a delete call will also delete a user’s data from all tables in Amazon Redshift, Google BigQuery, Postgres, Snowflake, and Amazon S3.

  • Forward deletion requests to supported Destinations: Segment automatically forwards deletion requests to supported Destinations, like Amplitude, Braze (formerly Appboy), Intercom, and Iterable, so you don’t have to. Supported Destinations should then process the deletion request, but we recommend double-checking with those tools to ensure the data is properly deleted.

  • Identify where you’ve sent a user’s data: See which other enabled Destinations have received the user’s data, so you know which tools you need to contact to request a deletion.

  • Keep track of rights requests to demonstrate compliance: To help you monitor and audit rights requests, all user deletions will be documented in the app. That way, if your customers or even regulators request confirmation that a request has been processed by Segment, you’ll be able to tell them exactly when it was honored.

Check out the API documentation to learn more.

Block data collection for specific users with one-click suppression

Under the GDPR, your customers have a right to object to having their personal data processed. When your customers withdraw consent, you can now add them to a suppression list to restrict their data from being sent to Segment and Cloud-based Destinations. Any user associated with a deletion request will automatically be placed on the suppression list.

You can also suppress user data collection programmatically through our API or from a new interface in the app. All you have to do is enter your customer’s userId, and they will be added to your suppression list. You can use the suppression list to easily add or remove users if their preferences change over time. 

Check out the docs to learn more about user suppression.

Our ongoing commitment to privacy and security

In November, we shared our commitment to helping you comply with the GDPR. We know that working with Segment is likely one part of a larger compliance roadmap you are working towards. That said, we want to help as much as we can. These new features, along with our existing functionality, enable you to facilitate the key end-user rights requests under the GDPR. 

While the GDPR does require some legwork, we welcome the Regulation and believe the legal requirements will raise the bar for protecting individuals’ rights and privacy. 

We also predict the Regulation will diminish data controllers’ reliance on third-party data sources for marketing and acquisition, as these data sources are often obtained and processed with questionable user consent. Ultimately, we expect that the GDPR will help businesses transition to activating first-party data to successfully provide a delightful user experience.

Check out the docs or visit the new “End-User Privacy” section of the app (accessible from your “Workspace Settings” page) to get started. Over the coming months, we plan to add support for more Destinations and share best practices for managing consent with Segment. 

If you have any questions about the GDPR or want to learn how Segment can help you be compliant, please get in touch or visit our new GDPR resource page.