Regulations like the GDPR give your customers new rights over how you collect and process their data. Make sure you’re prepared to respect your customers’ rights and their privacy.
On May 25, 2018, the European Union data regulator began enforcing the EU General Data Protection Regulation (GDPR) to strengthen the security and protection of EU residents' personal data. Companies that don't comply with the GDPR not only risk losing their customers' trust, but they could also face fines of €20 million or four percent of global annual revenue.
While we recommend reading the full text of the GDPR to better understand these rights and seeking independent legal advice regarding your obligations under the GDPR, this lesson will help you understand what the GDPR is and provide actionable steps you can take to prepare.
The impact of GDPR requirements on your customer data management will vary based on how your business uses customer data. Data controllers (businesses that collect and process end user data) must implement a range of measures to ensure compliance with the GDPR, including meeting the requirements of a data processing agreement. Data processors also must meet numerous technical & organizational requirements, though not quite as stringent as controllers since they do not determine what’s done with the data itself.
Companies can be data controllers, data processors, or in some cases, both a controller and a processor. Data controllers are businesses that collect their end users' data and decide why and how that data is processed. On our marketing website, for example, Segment is considered a data controller. As a vendor, however, the more meaningful way Segment is impacted by the GDPR is as a data processor, as we are a company that helps our customers with the processing of their customer data.
If you collect data about EU residents and decide why and how that data is collected and processed, you may be considered a data controller under the GDPR. Data controllers are responsible for implementing adequate technical, organizational, and operational measures to ensure and demonstrate that all data collection and processing is performed in accordance with the GDPR, including entering into a relevant data processing agreement. Moreover, you must fulfill data subjects' rights with respect to their data along with the following principles:
In addition to seeking independent legal advice regarding your obligations under the GDPR, here are some tips to get you started:
The GDPR requires that companies have legal grounds to process and collect EU residents' personal data. At Segment, we built our own consent manager to help with one of the approved grounds for processing personal data: consent.
While building our consent manager, we learned how difficult it is to develop a tool that both meets the requirements of the GDPR and aligns with Segment's approach to privacy.
Through conversations with many of our customers, we learned that they had similar requirements and were also struggling to find an adequate solution. That's why we decided to open source our solution and make it available to the community.
If your company is using consent as the legal grounds for processing data check out our guide on how to build consent management into your site in one week using our open source solution.
It's important to note that there are a number of approved grounds, and businesses may have different grounds for processing different kinds of data.
At Segment, we believe regulations like the GDPR will raise the bar for honoring end users' rights, and we welcome the legislation. Not only will the GDPR make it easy for end users to exercise their rights, but we also predict the Regulation will diminish data controllers' reliance on third-party data sources for marketing and acquisition, as these data sources are often obtained and processed with questionable user consent. Instead, we expect that the GDPR will help businesses transition to activating first-party data in order to successfully provide a delightful user experience.