- How to make sure you are GDPR-compliant as a Twilio customer.
- Steps to take right now for each of the most relevant areas of the GDPR.
- Data protection practices you need to consider for the future.
What Twilio is doing
In a previous blog post, I looked at what we’re doing inside of Twilio to make us GDPR-compliant. As a product manager, I look at what we’re doing as the start of what you’ll need to do to ensure you’re compliant in time for the deadline. As a company that powers millions of conversations, part of our job is to help you be compliant when using Twilio as your platform.
So as we work on the features, documentation, and processes, what can you do to make sure you’re compliant? And how will you prove it?
Whether your customers include EU businesses or EU residents (and keep in mind, you may not know who is/was/will be an EU resident), or you just want to make sure that you’re doing the work you need to keep people’s data safe, this post is for you.
GDPR and You
The General Data Protection Regulation (GDPR) covers five major areas that apply to your products if you’re using Twilio. They are:
- Access control – access to personal data must be restricted to people and machines that need to use the data.
- Historical data – you must have the ability to delete personal data and let users download their provided personal data.
- Encryption – personal data should be secured through encryption so it can’t be seen.
- Store and Process – you must have a valid reason for storing and processing personal data.
- Audit and logging – all access to personal data must be logged.
There is another area that’s relevant to your products, and this is one that Twilio can’t take care of for you because it has to do with how you manage the relationship with your customers:
- The consent or “other lawful basis” to do what you need to do to make your business run.
To manage these requirements, you’ll need to do some work. First of all, you need to ensure that only people who are supposed to see your customer communications have access to the Twilio credentials. Next, make sure you’re tracking when people ask to no longer be your customers, who asks you to delete their data, and what you send to whom. In other words, keep track of everything. Also, be sure that you (and by extension Twilio) have consent or “other lawful basis” to store and process phone numbers, messenger handles, and other personal data. Lastly, we’d recommend you always use SSL so that data in transit is encrypted.
Then the big task for you is to track who you’re interacting with and make sure you have a lawful basis to interact with them. This may include getting explicit affirmative consent to allow marketing communication as different from transactional messaging, such as sending someone a promotional offer as opposed to updating them on their order status.
What you can do now
1. Work on the legal framework
As a Twilio customer, you can already start to work on the legal agreements related to GDPR. You can download Twilio’s Data Processing Addendum (DPA), which will help you form the contracts that prove your compliance. You might need to use Twilio’s Privacy Shield statement if you are in the EU, to prove that the data that goes to Twilio’s infrastructure in the US adheres to GDPR requirements. You can also ask your Twilio rep for a copy of the GDPR changes to our DPA. We’re here to help.
2. Access control
If more than a few people access Twilio or hold credentials, we’ve designed a set of new features to help you restrict access to personal data on the Twilio platform. You can read all about those features here. Taking these steps will help you ensure users of the console can’t see data they don’t need. You might also want to look at Access Tokens, which are a way of letting apps get access to Twilio without embedding your credentials.
3. History – Deletion and Download
When it comes to personal data history, there are two parts you need to consider:
- You have to be able to remove records related to a person when they aren’t your customer anymore, or when they ask to be removed.
- You need to be able to give people their data if they request it, so they can port it somewhere else.
Every time you communicate using Twilio, you’re generating data on those communications. For instance, when you use Twilio to make a phone call, you’re generating data that there was a call, it started at a particular time, the phone rang, the call was answered by a machine, and you left a message.
Each time Twilio responds to a request to do something, it will generate a SID (security identifier). You’re going to have to store these SIDs and the dates you’ve generated the communications that they’re associated with, and link each one to its relevant account. An account might be held by a single person if you’re a B2C business, or a company if you’re a B2B enterprise. Or it might be both. If you’re using different Twilio accounts, you’ll also have to know which account did the operation. If you ask for a SID from a different account, we’ll tell you it doesn’t exist. Once your SIDs are stored in the right place, you can delete the SIDs involved for a specific person if you need to remove the data associated with that person.
One of the requirements of GDPR is that your customer should be able to port their data away from you. If part of that data is the customer’s communications, there are a few things you can do with Twilio. One option is to use Message Vault to get the message data for the days that people are in communication with you. If the conversation you are having with the customer is part of their personal data, then you should already have the list of communications you’ve sent to them on file. That way, if your customer requests it, you can fetch the data from Twilio and deliver it to your customer.
4. Encryption
You should already be following Twilio’s guidelines for how to connect securely to Twilio. If you aren’t using it yet, you can also get access to the Call Recording Encryption feature, which limits access to recordings to the holder of the corresponding private key: you.
5. Store and Process
You have to make sure you have a lawful basis, such as consent, to do the things Twilio needs to do with personal data on your behalf. And you will likely need to provide notice of those things to your users, such as through a privacy notice or in your contracts. You can get the list of things we do with personal data from Twilio’s legal documentation.
6. Audit and logging
Since GDPR requires you to be able to prove your compliance, you may want to consider logging all access to personal data. If you do, the Monitor Event Log will be a great resource for you. You can find the Monitor Event Log within the Monitor section of the portal. You can filter the log by event SID, date, resource SID, actor SID, IP address, and event type. The Monitor Event Log can track changes to message bodies that have been sent, show when new users were added, and log when communications were deleted. This can help you understand any changes that happened to resources within your Twilio infrastructure, and spot any unauthorized access.
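As an added example (not Twilio’s own code), here is the kind of review you can run over an export of the event log to prove who touched personal data and to spot access that breaks your own policy. The events and their event_type strings are constructed sample data, and the field names (event_type, actor_sid, source_ip_address, resource_sid, event_date) are an assumption modelled on the filters listed above; check them against the export you actually pull from the console or API.

```python
"""Added example, not Twilio's code: review exported audit events against your
own access policy. The events and event_type strings below are constructed;
the field names are an assumption modelled on the Monitor Event Log filters
(event SID, date, resource SID, actor SID, IP address, event type)."""
import ipaddress
from typing import Dict, Iterable, List, Set

SAMPLE_EVENTS: List[Dict[str, str]] = [  # constructed sample data
    {"sid": "AE0001", "event_type": "message.retrieved", "actor_sid": "USalice",
     "source_ip_address": "10.0.0.12", "resource_sid": "SM0001", "event_date": "2018-03-01T09:00:00Z"},
    {"sid": "AE0002", "event_type": "message.deleted", "actor_sid": "USbob",
     "source_ip_address": "10.0.0.20", "resource_sid": "SM0002", "event_date": "2018-03-01T09:05:00Z"},
    {"sid": "AE0003", "event_type": "message.retrieved", "actor_sid": "UScontractor",
     "source_ip_address": "203.0.113.7", "resource_sid": "SM0003", "event_date": "2018-03-01T23:50:00Z"},
    {"sid": "AE0004", "event_type": "user.created", "actor_sid": "USalice",
     "source_ip_address": "10.0.0.12", "resource_sid": "USnew01", "event_date": "2018-03-02T08:00:00Z"},
]

def review_events(events: Iterable[Dict[str, str]], approved_actors: Set[str],
                  trusted_networks: List[str], review_types: Set[str]) -> List[Dict]:
    """Return one finding per event that needs a human look, with the reasons why.

    Policy (yours, not Twilio's): personal data may only be touched by approved
    actors from trusted networks, and destructive or privilege-changing event
    types are always recorded for review even when the actor is approved."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for ev in events:
        reasons = []
        if ev["actor_sid"] not in approved_actors:
            reasons.append("actor not on approved list")
        if not any(ipaddress.ip_address(ev["source_ip_address"]) in n for n in nets):
            reasons.append("source IP outside trusted networks")
        if ev["event_type"] in review_types:
            reasons.append("event type always reviewed")
        if reasons:
            findings.append({"sid": ev["sid"], "actor": ev["actor_sid"],
                             "when": ev["event_date"], "reasons": reasons})
    return findings

def unevidenced_deletions(events: Iterable[Dict[str, str]], expected_sids: Set[str]) -> Set[str]:
    """Prove an erasure request was honoured: SIDs with no deletion event in the log."""
    deleted = {ev["resource_sid"] for ev in events if ev["event_type"].endswith(".deleted")}
    return expected_sids - deleted
```

The second function is the proof side of the same log: after servicing a deletion request, the SIDs you removed should each have a matching deletion event, and anything left over is a gap to explain.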
What you need to be ready for the future
Your big task as it pertains to GDPR is knowing what you’ve sent to each customer. Then you can ask us to delete it, or fetch it from us, or give it back to your customer if they’re asking for their data export. For Twilio messages, you can store the ID of the message. You can also store the date. Today, the Message Vault feature lets you get all the message activity for a given date.
For example, let’s say you run a web service that helps plumbers run their businesses. You might ask us to close an account for one of your customers, and you might also want to shut down their sub-account, which will delete all of the data associated with that customer. If your customers are individuals, then if they leave you, you’ll have to remove their communications from Twilio by using their IDs, just like you’ll be deleting the other important data about them that you hold.
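The SID bookkeeping described in the History section and again here, as an added example that is not Twilio’s own code: a small ledger that stores each communication’s SID together with the Twilio (sub-)account that created it, the customer it belongs to and its date, so that later you can export a customer’s records, pick their SIDs out of a given day’s Message Vault export, or delete them. Account SIDs, resource SIDs, customer ids and the `delete` callback are constructed placeholders, not real Twilio resources or API calls.

```python
"""Added example, not Twilio's code: a per-customer ledger of Twilio SIDs so
erasure and portability requests can be serviced later. All SIDs and the
delete callback are constructed placeholders; `delete` is where your own
adapter around the real API call goes."""
from collections import defaultdict
from dataclasses import asdict, dataclass
from typing import Callable, Dict, List

@dataclass(frozen=True)
class CommRecord:
    account_sid: str  # which Twilio account performed the operation
    resource: str     # e.g. "Message" or "Call"
    sid: str          # the SID Twilio returned for it
    sent_on: str      # ISO date of the communication (what Message Vault is keyed by)

class SidLedger:
    def __init__(self) -> None:
        self._by_customer: Dict[str, List[CommRecord]] = defaultdict(list)

    def record(self, customer_id: str, rec: CommRecord) -> None:
        self._by_customer[customer_id].append(rec)

    def export_for(self, customer_id: str) -> List[dict]:
        """Portability request: every communication record held for one customer."""
        return [asdict(r) for r in self._by_customer.get(customer_id, [])]

    def sids_on(self, customer_id: str, day: str) -> List[str]:
        """SIDs for one customer on one day, to pick out of that day's Message Vault export."""
        return [r.sid for r in self._by_customer.get(customer_id, []) if r.sent_on == day]

    def erase(self, customer_id: str, delete: Callable[[str, str], bool]) -> int:
        """Erasure request: delete each SID under the account that owns it.
        `delete(account_sid, sid)` returns True on success. The account SID travels
        with each record because a SID looked up under a different account is
        reported as non-existent. Failed deletions are kept so you can retry."""
        remaining, deleted = [], 0
        for r in self._by_customer.get(customer_id, []):
            if delete(r.account_sid, r.sid):
                deleted += 1
            else:
                remaining.append(r)
        if remaining:
            self._by_customer[customer_id] = remaining
        else:
            self._by_customer.pop(customer_id, None)
        return deleted
```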
Twilio is working hard to make GDPR compliance on our platform easy for developers, while making it safe for businesses. Since we’re an extension of how you talk to your customers, and the data we hold is like an extension of your databases, we take our role in ensuring GDPR compliance very seriously. Likewise, now is the time for you to do some tidying up so you can ensure you always know who is accessing your data, that the data is the right data, and that all personal data remains secure.
The countdown to May 25, 2018, is on – so let’s get it done! Onward!