Complying with the GDPR

On May 25, 2018 businesses faced the greatest regulatory change in data privacy policy since the 1995 EU Data Protection Directive was enacted: the EU General Data Protection Regulation (GDPR). The European Union began enforcing the GDPR on May 25, 2018 in an effort to strengthen the security and protection of personal data of EU residents.

In keeping with Segment’s ongoing commitment to privacy and security, Segment updated its practices to be GDPR compliant before the May 25, 2018, enforcement date. But that’s not all. As the central record for your customer data, Segment is also committed to making it easier for you to comply with the GDPR.

Specifically, here is how Segment supports its customers:

• An updated Data Protection Addendum (DPA) to reflect the requirements of the GDPR and to ensure compliant data transfer with storage outside the EU. Existing customers can enter into the updated Data Protection Addendum using the opt-in process.

• New product capabilities to help you be compliant when users request you delete or suppress their data.

Check out Segment’s GDPR blog post to learn about Segment’s plan for GDPR readiness.

How does the GDPR impact your business?

The GDPR has different requirements depending on how your business interacts with personal data. Companies can be data controllers, data processors, or, in some cases, both a controller and a processor. Data controllers are businesses that collect their end users’ data and decide why and how that data is processed. On Segment’s marketing website, for example, Segment is considered a data controller. As a vendor, however, the more meaningful way Segment is impacted by the GDPR is as a data processor, as Segment is a company that helps its customers with the processing of their customer data.

In addition to damaging your customers’ trust, failure to comply with the GDPR can result in fines of €20 million or 4% of global annual turnover for the previous year (whichever is greater).

What are your responsibilities as a data controller?

If you collect data about EU residents and decide why and how those data are collected and processed, you may be considered a data controller under the GDPR. Data controllers are responsible for implementing adequate technical, organizational, and operational measures to ensure and demonstrate that all data collection and processing is performed in accordance with the GDPR, including entering into a relevant data processing agreement. Moreover, you must fulfill data subjects’ rights with respect to their data along the following principles:

• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality (security)
• Accountability

Segment recommends reading the full text of the GDPR to better understand these rights and seeking independent legal advice regarding your obligations under the GDPR. You can also check out publications by data privacy associations such as the International Association of Privacy Professionals (IAPP) for the latest news. 

Things you can do to address GDPR

In addition to seeking independent legal advice regarding your obligations under the GDPR, here are some tips to get you started:

1. Educate yourself on the provisions of the GDPR to understand how they may differ from your existing data protection obligations and practices.

2. If you don’t have dedicated data privacy or security personnel in-house, consider appointing a directly responsible individual (DRI) or small team to manage your company’s GDPR compliance efforts.

3. Create an up-to-date inventory of personal data that you collect and manage. -

   • For data flowing through Segment, you can start with the Overview page in your workspace to understand where you are collecting (Sources) and routing (Destinations) customer data. Next, visit the Schema page within each of your Sources to understand the type of data you’re sending to Segment.

   • Be sure to consider the data that is not flowing through Segment. You’ll need to make sure the same bar for compliance is met across your organization.

4. Create a list of vendors who you send data to (analytics tools, CRMs, email tools, etc.), and understand whether they are a controller or a processor. Then, determine what their obligations are, and make sure they have a plan to be ready for the GDPR.

5. Develop a plan for obtaining and managing consent in accordance with the GDPR or establish other lawful grounds for using personal data.

6. Determine if your company needs to appoint a Data Protection Officer (DPO). If you will be appointing a DPO, begin searching for the best person for the role.

7. Becoming GDPR compliant takes time, and will require you to rethink how you collect and manage customer data. If you have any questions about the GDPR or want to learn how Segment can help you prepare, let us know!

Opting into the Data Protection Addendum and Standard Contractual Clauses

Segment offers a Data Protection Addendum (DPA) and Standard Contractual (SCCs) as a means of meeting contractual requirements of applicable data privacy laws and regulations, such as GDPR, and to address international data transfers. Segment’s online Data Protection Addendum (DPA) is already part of and incorporated into the Terms of Service. If you have a separate written agreement with Segment that does not include a Data Protection Addendum (DPA) or you would like to replace the existing Data Protection Addendum (DPA) that is attached to your separate written agreement with Segment’s latest Data Protection Addendum (DPA), please contact your account team or customer support.

Segment offers a Data Protection Addendum (DPA) and Standard Contractual Clauses (SCCs) as a means of meeting the regulatory contractual requirements of GDPR in its role as processor and also to address international data transfers.