Getting to Know the 4 Magic Letters of Compliance: GDPR

September 26, 2017
Written by
Sheila Jambekar
Contributor
Opinions expressed by Twilio contributors are their own

The 4 magic letters of compliance: GDPR

Compliance is often a topic of discussion for many of our customers, but one compliance item that hasn’t quite made it onto everyone’s radar just yet is the General Data Protection Regulation (GDPR)—a major piece of legislation coming out of the European Union (EU) that could severely impact your business whether your organization is based in the U.S. or abroad. This legislation replaces the original EU Data Protection Directive (Directive).

The GDPR will take effect on May 25, 2018, and Twilio is committed to ensuring our platform is compliant by then.

Now you may be wondering…

Does GDPR apply to you or your business?

If you process personal data of EU individuals, then the answer is most likely yes. If your business is established in the EU, the GDPR applies. Even if your business is established outside the EU, you are required to comply with the GDPR if your data processing activities relate to offering goods or services (even free ones) to people in the EU or the monitoring of their behavior.

What’s the intent of GDPR?

The GDPR ensures appropriate protection of personal data in a digital society. And, like the Directive before it, the GDPR is founded on the idea that “everyone has the right to protection of personal data concerning him or her.” The foundation of data protection law is that personal data is an asset which belongs to the individual; hence the individual has rights regarding its use.

According to the GDPR principles, personal data of individuals should be:

  1. Processed lawfully, fairly, and transparently to the individual
  2. Collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes
  3. Adequate, relevant, and limited to what is necessary for achieving those purposes
  4. Accurate and kept up to date
  5. Stored no longer than necessary to achieve the purposes for which it was collected
  6. Properly secured against accidental loss, destruction or damage

What happens if you don’t comply?

The fines for violating the GDPR are nothing to sneeze at. They can be up to €20 million or 4% of global revenue, whichever is higher.

For a glimpse into how Twilio is working on being GDPR-compliant, check out “GDPR and Beyond: Data Protection at Twilio” session from SIGNAL London.

In a nutshell, the GDPR is, perhaps, the most expansive data protection legislation to date. It significantly enhances data privacy rights for individuals in the EU, while placing obligations of transparency, accountability, and fairness on almost every company in every industry that relies on the use of personal data for conducting business.

To help you stay ahead of the GDPR game, we’ve put together a GDPR FAQ.

The countdown has begun – so let’s get it done! Onward!


DISCLAIMER: The above information is Twilio’s interpretation of GDPR requirements as of the date of publication. Please note that not all interpretations or requirements of the GDPR are well-settled and its application is fact and context specific. This information should not be relied upon as legal advice or to determine how the GDPR applies to your business or organization. We encourage you to seek the guidance of your legal counsel with regard to how the GDPR applies specifically to your business or organization and how to ensure compliance. This information is provided “as-is” and may be updated or changed without notice. You may copy and use this posting for your internal, reference purposes only.