Preparing for the GDPR

On May 25, 2018 your business will face the greatest regulatory change in data privacy policy since the 1995 EU Data Protection Directive was enacted: the EU General Data Protection Regulation (GDPR). The European Union will begin enforcing the GDPR from May 25, 2018 in an effort to strengthen the security and protection of personal data of EU residents.

In keeping with our ongoing commitment to privacy and security, Segment will be ready for the GDPR before May 25, 2018, when the law goes into effect. But that’s not all. As the central record for your customer data, we are also committed to making it easier for you to comply with the GDPR.

Specifically, here is how we’ll support our customers:

  • An updated Data Processing Agreement (DPA) to reflect the requirements of the GDPR and to ensure compliant data transfer to, and storage in, locations outside the EU.

  • New product capabilities to help you stay compliant when users request that you delete or suppress their data.

Check out our blog to learn about our plan for GDPR readiness.

How will the GDPR impact your business?

The GDPR has different requirements depending on how your business interacts with personal data. Companies can be data controllers, data processors, or in some cases, both a controller and a processor. Data controllers are businesses that collect their end users’ data and decide why and how that data is processed. On our marketing website, for example, Segment is considered a data controller. As a vendor, however, the more meaningful way Segment is impacted by the GDPR is as a data processor, as we are a company that helps our customers with the processing of their customer data.

In addition to damaging your customers’ trust, failure to comply with the GDPR can result in fines of €20 million or 4% of global annual turnover for the previous year (whichever is greater).

What are your responsibilities as a data controller?

If you collect data about EU residents and decide why and how those data are collected and processed, you may be considered a data controller under the GDPR. Data controllers are responsible for implementing adequate technical, organizational, and operational measures to ensure and demonstrate that all data collection and processing is performed in accordance with the GDPR. Moreover, you must fulfill data subjects’ rights with respect to their data along the following principles:

  • Consent

  • Accuracy

  • Fairness

  • Transparency

  • Security

  • Limitation and minimization of processing based on purpose

We recommend reading the full text of the GDPR to better understand these rights and seeking independent legal advice regarding your obligations under the GDPR.

How can you prepare for the GDPR?

In addition to seeking independent legal advice regarding your obligations under the GDPR, here are some tips to get you started:

  1. Educate yourself on the provisions of the GDPR to understand how they may differ from your existing data protection obligations and practices.

  2. If you don’t have dedicated data privacy or security personnel in-house, consider appointing a directly responsible individual (DRI) or small team to manage your company’s GDPR compliance efforts.

  3. Create an up-to-date inventory of personal data that you collect and manage.

    • For data flowing through Segment, you can start with the Overview page in your workspace to understand where you are collecting (Sources) and routing (Destinations) customer data. Next, visit the Schema page within each of your Sources to understand the type of data you’re sending to Segment.

    • Be sure to consider the data that is not flowing through Segment. You’ll need to make sure the same bar for compliance is met across your organization.

  4. Create a list of the vendors you send data to (analytics tools, CRMs, email tools, etc.), and understand whether each one is a controller or a processor. Then, determine what their obligations are, and make sure they have a plan to be ready for the GDPR.

  5. Develop a plan for obtaining and managing consent in accordance with the GDPR or establish other lawful grounds for using personal data.

  6. Determine if your company needs to appoint a Data Protection Officer (DPO). If you will be appointing a DPO, begin searching for the best person for the role.

  7. Start preparing today! Becoming GDPR compliant takes time, and will require you to rethink how you collect and manage customer data. If you have any questions about the GDPR or want to learn how Segment can help you prepare, please let us know!

Over the coming weeks and months, we’ll be sharing details on our new product capabilities and our best practices to help you prepare for the GDPR. Check back here for updates.
