Customer data and the GDPR

Regulations like the GDPR give your customers new rights over how you collect and process their data. Make sure you’re prepared to respect your customers’ rights and their privacy.

On May 25, 2018, the European Union data regulator began enforcing the EU General Data Protection Regulation (GDPR) to strengthen the security and protection of EU residents' personal data. Companies that don't comply with the GDPR not only risk losing their customers' trust, but they could also face fines of €20 million or four percent of global annual revenue.

While we recommend reading the full text of the GDPR to better understand these rights and seeking independent legal advice regarding your obligations under the GDPR, this lesson will help you understand what the GDPR is and provide actionable steps you can take to prepare.

GDPR & customer data: How will the GDPR impact your customer data management

The impact of GDPR requirements on your customer data management will vary based on how your business uses customer data. Data controllers (businesses that collect and process end user data) must implement a range of measures to ensure compliance with the GDPR, including meeting the requirements of a data processing agreement. Data processors also must meet numerous technical & organizational requirements, though not quite as stringent as controllers since they do not determine what’s done with the data itself.

Companies can be data controllers, data processors, or in some cases, both a controller and a processor. Data controllers are businesses that collect their end users' data and decide why and how that data is processed. On our marketing website, for example, Segment is considered a data controller. As a vendor, however, the more meaningful way Segment is impacted by the GDPR is as a data processor, as we are a company that helps our customers with the processing of their customer data.

What are your responsibilities as a data controller?

If you collect data about EU residents and decide why and how that data is collected and processed, you may be considered a data controller under the GDPR. Data controllers are responsible for implementing adequate technical, organizational, and operational measures to ensure and demonstrate that all data collection and processing is performed in accordance with the GDPR, including entering into a relevant data processing agreement. Moreover, you must fulfill data subjects' rights with respect to their data along with the following principles:

• Consent
• Accuracy
• Fairness
• Transparency
• Security
• Limitation and minimization of processing based on purpose

How can you prepare for the GDPR?

In addition to seeking independent legal advice regarding your obligations under the GDPR, here are some tips to get you started:

• Educate yourself on the provisions of the GDPR to understand how they may differ from your existing data protection obligations and practices.
• If you don't have dedicated data privacy or security personnel in-house, consider appointing a directly responsible individual (DRI) or small team to manage your company's GDPR compliance efforts.
• Create an up-to-date inventory of personal data that you collect and manage.
• If you're using Segment, you can start with the Overview page in your workspace to understand where you are collecting (Sources) and routing (Destinations) customer data. From there, you can visit the Schema page within each of your Sources to understand the type of data you're sending to Segment.
• Be sure to consider the data that is not flowing through Segment. You'll need to make sure the same bar for compliance is met across your organization.
• Create a list of vendors to whom you send data (analytics tools, CRMs, email tools, etc.), and understand whether they are a controller or a processor. Then, determine what their obligations are, and make sure they have a plan to be ready for the GDPR.
• Determine if your company needs to appoint a Data Protection Officer (DPO). If you will be appointing a data protection officer, begin searching for the best person for the role.
• Develop a plan for obtaining and managing consent in accordance with the GDPR or establish other lawful grounds for using personal data.

Managing consent under the GDPR

The GDPR requires that companies have legal grounds to process and collect EU residents' personal data. At Segment, we built our own consent manager to help with one of the approved grounds for processing personal data: consent.

While building our consent manager, we learned how difficult it is to develop a tool that both meets the requirements of the GDPR and aligns with Segment's approach to privacy.

Through conversations with many of our customers, we learned that they had similar requirements and were also struggling to find an adequate solution. That's why we decided to open source our solution and make it available to the community.

If your company is using consent as the legal grounds for processing data check out our guide on how to build consent management into your site in one week using our open source solution.

It's important to note that there are a number of approved grounds, and businesses may have different grounds for processing different kinds of data.

Honoring end users' rights

At Segment, we believe regulations like the GDPR will raise the bar for honoring end users' rights, and we welcome the legislation. Not only will the GDPR make it easy for end users to exercise their rights, but we also predict the Regulation will diminish data controllers' reliance on third-party data sources for marketing and acquisition, as these data sources are often obtained and processed with questionable user consent. Instead, we expect that the GDPR will help businesses transition to activating first-party data in order to successfully provide a delightful user experience.