Complying with the GDPR
In keeping with our ongoing commitment to privacy and security, Segment updated its practices to be GDPR compliant before the May 25, 2018, enforcement date. But that’s not all. As the central record for your customer data, we are also committed to making it easier for you to comply with the GDPR.
Specifically, here is how we support our customers:
- An updated Data Processing Agreement (DPA) to reflect the requirements of the GDPR and to ensure compliant data transfer with storage outside the EU. Existing customers can enter into the updated Data Processing Agreement using the opt-in process described here.
- New product capabilities to help you be compliant when users request you delete or suppress their data.
Check out our blog to learn about our plan for GDPR readiness.
How does the GDPR impact your business?
The GDPR has different requirements depending on how your business interacts with personal data. Companies can be data controllers, data processors, or in some cases, both a controller and a processor. Data controllers are businesses that collect their end users’ data and decide why and how that data is processed. On our marketing website, for example, Segment is considered a data controller. As a vendor, however, the more meaningful way Segment is impacted by the GDPR is as a data processor, as we are a company that helps our customers with the processing of their customer data.
In addition to damaging your customers’ trust, failure to comply with the GDPR can result in fines of €20 million or 4% of global annual turnover for the previous year (whichever is greater).
What are your responsibilities as a data controller?
If you collect data about EU residents and decide why and how those data are collected and processed, you may be considered a data controller under the GDPR. Data controllers are responsible for implementing adequate technical, organizational, and operational measures to ensure and demonstrate that all data collection and processing is performed in accordance with the GDPR, including entering into a relevant data processing agreement. Moreover, you must uphold data subjects’ rights with respect to their data and process that data in line with the following principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
We recommend reading the full text of the GDPR to better understand these rights and seeking independent legal advice regarding your obligations under the GDPR. You can also check out publications by data privacy associations such as the International Association of Privacy Professionals (IAPP) for the latest news.
Things you can do to address GDPR
In addition to seeking independent legal advice regarding your obligations under the GDPR, here are some tips to get you started:
- Educate yourself on the provisions of the GDPR to understand how they may differ from your existing data protection obligations and practices.
- If you don’t have dedicated data privacy or security personnel in-house, consider appointing a directly responsible individual (DRI) or small team to manage your company’s GDPR compliance efforts.
- Create an up-to-date inventory of personal data that you collect and manage.
  - For data flowing through Segment, you can start with the Overview page in your workspace to understand where you are collecting (Sources) and routing (Destinations) customer data. Next, visit the Schema page within each of your Sources to understand the type of data you’re sending to Segment.
  - Be sure to also consider the data that is not flowing through Segment. You’ll need to make sure the same bar for compliance is met across your organization.
- Create a list of vendors to whom you send data (analytics tools, CRMs, email tools, etc.), and understand whether each is a controller or a processor. Then, determine what their obligations are, and make sure they have a plan to be ready for the GDPR.
- Develop a plan for obtaining and managing consent in accordance with the GDPR, or establish other lawful grounds for using personal data.
- Determine if your company needs to appoint a Data Protection Officer (DPO). If you will be appointing a DPO, begin searching for the best person for the role.
Becoming GDPR compliant takes time, and will require you to rethink how you collect and manage customer data. If you have any questions about the GDPR or want to learn how Segment can help you prepare, let us know!
Opting into the Data Processing Agreement and Standard Contractual Clauses
Segment offers a Data Processing Agreement (DPA) and Standard Contractual Clauses (SCCs) as a means of meeting the regulatory contractual requirements of GDPR in our role as processor and also to address international data transfers.
Note on Schrems II: The CJEU’s July 2020 ruling invalidated Privacy Shield as a mechanism for transferring data from the EU to the USA. This is not expected to disrupt Segment’s ability to provide services to its EU customers, because the Court also reaffirmed that the Standard Contractual Clauses (SCCs) remain a valid method of transfer. Our standard Data Processing Agreement includes a provision whereby, should Privacy Shield ever be invalidated (as is now the case), the SCCs automatically apply.
To opt into the Data Processing Agreement and Standard Contractual Clauses:
- Go to your Workspace.
- Open the left side menu and select Settings.
- Below End User Privacy, click Privacy & Security.
- Below Data Processing Agreement, click Review.
- Review and sign within Docusign.
If you also wish to opt into the Standard Contractual Clauses:
- Below Standard Contractual Clauses, click Review.
- Review and sign within Docusign.
This page was last modified: 28 Sep 2020